A test subsite related to the ICT Literacy and Competency Development Bureau (ILCDB), the division of the Department of Information and Communications Technology (DICT) that develops, promotes, and implements ICT literacy and competency in the country, was detected to have been defaced by hackers in the early hours of Tuesday, Oct. 24.
Visiting the subdomain of the DICT website at displayed “pwned by 3musketeerz”, as shown by a Web snapshot at the Internet Web Archive, indicating that the same group that defaced the website of the House of Representatives may be behind it.
As of the time of publication, the URL is no longer accessible to the public.
According to the DICT, the subsite was a security sandbox or test environment isolated from other systems that was being used for Vulnerability Assessment and Penetration Testing (VAPT) exercises and scanning by the DICT, similar to a cyber range.
A cyber range is a controlled virtual environment used to simulate actual IT systems to train in, test, and practice cybersecurity methodologies — similar to shooting ranges used for weapons training by security professionals.
Thus, they are loaded with pre-determined vulnerabilities and are really meant to be hacked as an exercise.
What happened, according to DICT spokesperson Renato Paraiso, was that “nakisabay lang siguro yung mga hackers” (the hackers probably just rode on the) sandbox server with their defacement.
No sensitive information was compromised during the infiltration by the hackers, as the information placed by DICT in the sandbox server was put there for simulation testing.
In the wake of the hackings that have plagued the Philippine government in the past month, advocates are calling for greater government support and focus on cybersecurity through:
- Better ICT governance and policies
- Increased budget for the DICT
- Raising of salaries and hiring of additional cyber professionals
- Investing more in security infrastructure and software
- Promoting a culture of cyber-awareness across all agencies and to the public
- Implementing cyber disaster risk recovery plans
- Conducting cyber-drills
