Director of the Information Technology Agency confirmed the attack

Jun 30, 2014 12:08 GMT

The Ministry of Natural Resources and Environment (MONRE) in Vietnam says that the cyber-attack that occurred two weeks ago did not result in the theft of confidential information from the employees' systems.

The greatest concern was potential unauthorized access to the database regarding the South China Sea area (called East Sea by the Vietnamese), where uninhabited islands under Japanese control are also claimed by China.

In an interview for VietnamNet Bridge, the director of the Information Technology Agency, Nguyen Huu Chinh, confirmed that the MONRE computer systems were attacked, but denied any leak of confidential information.

“We did not lose the East Sea database as reported by some online newspapers, which quoted some security experts,” Chinh told the online publication.

According to the official, the cybercriminals could not have accessed sensitive data because the affected systems were used for daily information exchange and are separate from the computers holding important data.

Furthermore, the infected machines lacked the authorization to connect to the computers holding information of interest to the cybercriminals.

IT experts analyzed the malicious file and determined that it communicated with a command and control server located in the U.S., despite initial speculation placing it in China.

However, Chinh does not believe that the attackers came from the U.S., because domain names and servers can be leased anywhere in the world and used for malicious activities, specifically to make tracing the individuals behind the operation more difficult.

The attackers used malware created specifically for MONRE systems: it included circumvention features for the security software protecting the computers of the Ministry's employees.

The malware distribution technique consisted of sending phishing emails, with an infected Microsoft Word document attached, to personal accounts.

This could have helped contain the infection because webmail solutions provide document preview in the browser. Downloading the document to the computer would have triggered the Word exploit.

Among the capabilities discovered by security researchers was scanning for the presence of BKAV (Bach Khoa Anti-Virus), a Vietnamese security tool.

If the antivirus is detected, the Trojan proceeds to unload the “BkavFirewallEngine.dll” file from memory using the FreeLibrary function, thus bypassing its protection.

The Vietnamese official noted that the forensics team found only one server to be infected with spyware, and that it has since been cleaned.

About VND100 billion ($4.7 million / €3.4 million) is spent every year by the Ministry on the development of the technology system and the security measures necessary to protect government systems from cyber-attacks.