Report: M'sia group hacked S'pore NParks site

Update: H3x4 Crew identified by business consultancy firm The Black Wilder Group as the hackers that illegally accessed a Singapore government Web site two weeks ago, according to a report.
Written by Tyler Thia, Contributor

Update: The Malaysian hacking group H3x4 Crew has been identified as the group responsible for breaching Singapore's National Parks Board (NParks) Web site two weeks ago, according to a report.

According to a report Tuesday by local daily The Straits Times, Malaysian employees from business consultancy firm The Black Wilder Group (TBWG) stumbled on what H3x4 Crew had done while monitoring the group for an "unrelated case". They saw screenshots of the hacked NParks site posted on a temporary Web site, which was subsequently removed and uploaded again on kenahack.com, a site that reveals hacking exploits, the article stated.

TBWG said it contacted Singapore's Ministry of Home Affairs after its discovery as it believed confidential data had been leaked.

When contacted, NParks confirmed the intrusion happened on Jun. 12, affecting information linked to the photo gallery under the "Visitors' Guide" section of the Web site.

"Only those who registered online to use this photo gallery were affected," said NParks CIO Yong Fook Chyi. "Their user IDs, e-mail addresses, names and encrypted passwords access to the photo gallery were affected. There was no further damage to the Web site."

It is understood that while the photo gallery was already "obsolete" when the intrusion happened, NParks advised those who registered for access to change their login usernames and passwords.

The government agency lodged a police report on Jun. 13 and investigations are ongoing. NParks revealed that when notified of the hack, it shut the site on Jun. 12 and 13 to "remove the affected information from the Web site".

While two scans the agency conducted in January and April this year did not detect any vulnerability, Yong admitted that the incident has shown there are gaps in the system. "[The agency is] working to address them by patching up the security gaps and undertaking further penetration tests," he added.

So far, there have been no reports of the compromised data being released to the public.

Besides NParks, TBWG said H3x4 Crew is believed to have also attacked more than 140 sites, including a Nepalese bank, the Agricultural Development Bank, and Malaysia's Universiti Teknologi MARA.

Responding to the incident, security vendor Symantec urged government agencies to adopt proactive measures to secure all levels of their information infrastructure--whether on personal computers, mobile devices, or the networks.

Ronnie Ng, senior manager of systems engineering at Symantec Singapore, told ZDNet Asia in an e-mail: "Government environments online should be subject to regulations, guidelines and monitoring through means like scorecards, and continually enhance their threat intelligence and security response capabilities."

No malicious intent
TBWG spokesperson Alicia Yong told ZDNet Asia in an e-mail late Tuesday that the NParks site was the only government Web site in Singapore that was hacked, adding that the company's local agents scanned all other official government sites in the island-state and found no vulnerabilities. Yong also revealed that more than 70 percent of H3x4 Crew's attack targets were Malaysian government schools and private forums.

She explained that targets were picked at random as the hacker group had "no malicious intentions in respect of monetary gains". As such, its motive was "purely bragging rights".

Yong said: "It is to our knowledge that the H3x4 crew seeks popularity over other hacking groups in Malaysia where the more sensitive the Web site is, the better."

While the group may not have malicious intent toward the breached data, security expert Henry Ong, Asean regional director of security engineering at SourceFire, suggested that it may crack the account passwords and try them on other sites as "most people reuse usernames and passwords".