Inside job eyed in Philippine Statistics Authority breach

Gelo Gonzales

The PSA and DICT say it's not Medusa, with the latter's cybersecurity undersecretary noting the 'attack vector' doesn't match that of Medusa ransomware

MANILA, Philippines – The Philippine Statistics Authority’s (PSA) data protection officer, Eliezer Ambatali, on Thursday, October 12, said they already have leads as to who conducted the cyberattacks that hit the agency’s community-based monitoring system (CBMS) but didn’t reveal specific details yet, with investigations ongoing. 

Ambatali’s statements come from an interview on ANC’s Headstart.

He said the entity responsible isn’t likely the Medusa ransomware gang, which had claimed responsibility for the earlier PhilHealth cyberattacks, noting the difference in malicious files used to access the systems. 

The agency also hasn’t received ransom demands from the hackers, unlike in the PhilHealth case, where the Medusa group asked for $300,000, which PhilHealth chose not to pay. Ambatali said that the PSA hacker’s motivation was likely just to brag that they are able to do this kind of cyberattack.

He also reiterated that systems for the National ID, PhilSys, and the civil registry are unaffected. 

The CBMS holds data from surveys regularly collected by the PSA on indicators of dimensions of poverty such as health, nutrition, water, sanitation, shelter, education, income, employment, and security. It is unclear, as of writing, what specific data was stolen.

Ambatali has described the “demographic data” in the stolen database as confidential, but says the financial information contained within the database is not as extensive.

There is no disruption to requests for information such as birth certificates and death certificates from the PSA.

Less sophisticated than Medusa

The DICT’s cybersecurity Undersecretary Jeffrey Dy, in a separate interview on Radyo 5 on the same day, confirmed some of what Ambatali had said. 

The department believes that the entity responsible isn’t Medusa, noting “malayo ‘yung attack vector sa Medusa” and “malayo ‘yung galing.”

(The attack vector is far different from Medusa, as well as the level of skill.) 

Dy said the DICT believes the suspect is likely local, and there’s a chance it is someone who has access to internal systems, meaning the possibility of an inside job is being considered. 

Dy said that according to the PSA, the CBMS is not a system that is accessible to the public, and is only accessible via its regional offices. Hence, the department’s working theory is that the perpetrator could be someone who has knowledge of the CBMS in the said offices.

Dy also noted that the PSA has a better “cybersecurity posture” than PhilHealth, noting the presence of systems to protect their critical infrastructure. 

Dy warned that malware has been found in files related to the PSA breach, as a way for the hacker to attack more individuals, especially curious ones looking to peer at the stolen files. The stolen PhilHealth files were found to have malware too that could lead to individuals being infected. 

With the PSA hack, phishing remains the biggest threat to individuals. 

The undersecretary touched on the topic of confidential funds as well, echoing earlier statements from DICT Secretary Ivan Uy at the launch of their Cybersecurity Month, Monday, October 9. 

Dy described volunteer hackers in hacker groups on Telegram who provide the department with valuable information, and the need to keep certain tools secret. He said that the said volunteers can be categorized as “confidential informants,” whom the department hasn’t been able to give a monetary allowance for their help.

Uy had said earlier that some tools or equipment need to be kept under wraps, because if threat actors were to know what tools were being used, that would lessen the effectiveness of those tools in combatting or preventing attacks.

The DICT’s request for confidential funds was denied on Tuesday, October 10.


Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.