Pro-Russia Hackers Accused of Targeting Taiwan’s Computer Systems

TSUI-CHUAN HSIEH, DIRECTOR-GENERAL OF ADMINISTRATION FOR CYBER SECURITY, MODA


Bayo Akinloye in Taipei, Taiwan

The Administration for Cyber Security at Taiwan’s Ministry of Digital Affairs (MODA) has accused pro-Russia hackers NoName057 and RipperSec9 of launching malicious attacks against the country.


Its Director-General, Tsui-Chuan Hsieh, said it was not immediately clear whether the attacks were connected with the Taiwan Strait crisis.
In a Monday press parley with THISDAY and other media outlets, Hsieh revealed that the recent onslaughts included more than 50 DDoS attacks targeting Taiwan’s tax, aviation and other agencies.


However, she claimed that there was no major breach of their computer systems.


Last month, a cybersecurity firm, Radware, reported that pro-Russian threat actors NoName057(16), RipperSec and Cyber Army of Russia (aka People’s Cyber Army) launched DDoS attacks on Taiwanese targets.


It said the attack campaign started on September 9 and continued against over 50 targets, including government sites, airports, financial services and the Taipei Stock Exchange.


According to Radware, NoName057(16) is notorious for its cyberattacks on Ukrainian, American and European websites of government agencies, media and private companies.


“It is regarded as a well-organised pro-Russian hacktivist group with over 2.5 years of experience targeting countries that support Ukraine or speak badly about Russia,” Radware stated.


The cybersecurity firm stated that RipperSec “is a pro-Muslim hacktivist group operating from Malaysia,” with politically motivated operations “and are often coordinated through Telegram channels.”


“The group has been involved in several high-profile DDoS attacks, including disruptions during significant geopolitical events,” noted Radware.


Radware also cited another group, Cyber Army of Russia, a “decentralised pro-Russian hacktivist group that mainly targeted Ukraine” at first, but more recently, the group “has started to align its targets more closely with NoName057(16).”


An August report by Taiwan’s ACS disclosed that 90,510 pieces of government agency cybersecurity joint defence intelligence were collected this month (an increase of 13,938 from the previous month). The increase was attributed mainly to the recent rise in malware detected (more than 9,000 pieces). However, the current information security mechanism has successfully blocked most malicious behaviours.


Analysing the types of identifiable threats, the top identifiable threat was information collection (38%), i.e., mainly obtaining information through scanning, detection, and social engineering attacks. This was followed by intrusion attacks (23%), most of them involving unauthorized access to systems or acquisition of system/user privileges, and malware (17%), which was mainly detected when hosts appeared to be connecting to or downloading malware.


After further compilation and analysis of joint defence information, it was discovered that hackers had recently sent social engineering e-mails in order to attack government agencies. These e-mails contained fake notices of Outlook service updates and phishing links, asking the recipients to click on the link in the e-mail to log in and complete the service updates.


Hackers deceive recipients through the subject and content of e-mails, attempting to trick recipients into providing sensitive information after clicking on the phishing links. Relevant intelligence has provided government agencies with recommendations on joint defence and monitoring.


The number of cybersecurity incident reports totalled 175 this month (a decrease of 101 from the previous month), a 0.36-fold increase compared to the same period last year. This is mainly due to the relatively high number of successful attacks related to military exercises.
Recently, vulnerability checks on government agency websites have been carried out using Google search operators. Multiple government agency websites were found to redirect to gambling websites. The agencies were thereby determined to have been subjected to “redirect hacking”, which involves tampering with the body and meta tags in the HTML source code of the webpage, modifying the configuration settings in .htaccess files, and embedding multiple redirect HTML files.


The agencies whose websites had been tampered with or had redirect files implanted chose to rebuild the environment and conduct vulnerability scanning to repair and strengthen website security, noted ACS.


“Redirect Hacking is a type of cyberattack where an attacker controls or hijacks a user’s network traffic,” said ACS. “The attacker usually takes advantage of website security vulnerabilities to modify website parameters or insert links, and thereby leads users browsing legitimate websites to other malicious websites.”


The agency added, “Agencies are recommended to establish information system management principles, such as conducting security testing before launching the system, reviewing the security of the service system through regular testing mechanisms such as vulnerability scanning and penetration testing, and tracking website changes with monitoring tools to immediately detect unusual changes.”
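The change tracking ACS recommends can include a check for the redirect markers its report lists (meta tags, page body, .htaccess). The following Python is an added example, not code from ACS or this article; the file contents, the `agency.example` host names and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Illustrative patterns for the tampering styles named in the report.
META_REFRESH = re.compile(
    r'<meta(?=[^>]*http-equiv\s*=\s*["\']?refresh)[^>]*?url\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCRIPT_REDIRECT = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
HTACCESS_RULE = re.compile(
    r'^[ \t]*(?:RewriteRule|Redirect\w*)\b.*?(https?://[^\s"\']+)', re.I | re.M)

# Constructed sample input: the site's own hosts and a snapshot of its web root.
OWN_HOSTS = {"agency.example", "www.agency.example"}
SAMPLE_SITE = {
    "index.html": '<head><meta http-equiv="refresh" content="0; url=https://casino.example/promo"></head>',
    "about.html": '<head><meta http-equiv="refresh" content="5; url=/news.html"></head>',
    "promo/go.html": '<body><script>window.location.href = "https://bet.example/win";</script></body>',
    ".htaccess": 'RewriteEngine On\nRewriteRule ^(.*)$ https://casino.example/$1 [R=302,L]\n'
                 'Redirect 301 /old https://www.agency.example/new\n',
}

def external_host(url, own_hosts):
    """Return the URL's host if it is absolute and not one of the site's own hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host not in own_hosts else None

def scan_file(path, text, own_hosts):
    """Return (path, kind, host) findings for redirects that leave the site."""
    if path.endswith(".htaccess"):
        checks = [("htaccess-redirect", HTACCESS_RULE)]
    else:
        checks = [("meta-refresh", META_REFRESH), ("script-redirect", SCRIPT_REDIRECT)]
    findings = []
    for kind, pattern in checks:
        for match in pattern.finditer(text):
            host = external_host(match.group(1), own_hosts)
            if host:
                findings.append((path, kind, host))
    return findings

def scan_site(files, own_hosts):
    """Scan every file in a {path: content} snapshot, in stable path order."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path], own_hosts))
    return out

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_SITE, OWN_HOSTS):
        print(finding)
```

Same-site redirects (the relative meta refresh and the `Redirect 301` to the agency's own host) are not reported, so an alert means a page or rule now points off-site.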
