Malware snoops in Thai systems
Thailand is one of 17 countries snared by Operation GhostSecret, a global data reconnaissance campaign attacking critical infrastructure.
ThaiCERT, the state cybersecurity team under the Electronic Transactions Development Agency (ETDA), relayed a warning from cybersecurity firm McAfee that Thailand was one of 17 countries affected by Operation GhostSecret, in which hackers implant data-gathering malware to steal information on critical infrastructure.
Forty-five systems in Thailand were affected by the threat.
On April 25, McAfee Advanced Threat Research analysts uncovered a global data reconnaissance campaign targeting a wide range of sectors, including critical infrastructure, entertainment, finance, healthcare and telecommunications.
This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools and malware variants associated with the North Korea-linked cybergroup Hidden Cobra.
McAfee said its investigation into the campaign revealed that the actor used multiple malware implants.
From March 18 to 26, McAfee observed the malware operating in multiple areas of the world. The new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.
Further investigation into the control server infrastructure revealed an SSL certificate with the fingerprint d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server at 203.131.222.83 used by the February 2018 implant.
This server resides at Thammasat University in Bangkok. The same entity hosted the control server for the Sony Pictures implants.
Chaichana Mitrpant, assistant executive director of the ETDA, said ThaiCERT received a report about the threat from Thammasat, which said it had already removed the IP address that caused the problem.