LockBit or DragonForce? Cyberattack in Palau has IT professionals confused.

A series of suspicious coincidences significantly hampered the investigation of the incident.

The Ministry of Finance of Palau, a small island nation in the Philippine Sea, was recently confronted with a ransomware attack carried out by the DragonForce group. During the compromise, hackers managed to encrypt the agency's computers, as well as allegedly steal confidential data.

The attack became known on March 14. Notably, security experts found two separate ransom notes "at the crime scene": one from the LockBit ransomware gang, on a piece of paper in the printer, and one from the DragonForce ransomware gang, in a README text file placed next to the encrypted documents.

The security team was puzzled by this development, as it was not clear who was responsible for the attack. Or maybe there were two attacks at once? The most likely scenario, however, is a mundane one: the DragonForce hackers used ransomware developed by LockBit and forgot to remove a couple of lines of code.

Even stranger, the Tor links for communicating with the hackers did not work in either note. This, coupled with the fact that the attack coincided with the signing ceremony of the Free Association Agreement between Palau and the US government, led some to believe that the attack was politically motivated and merely disguised as a ransomware operation.

However, last Sunday, April 7, DragonForce hackers publicly denied suggestions that the attack on Palau had a motive other than financial gain. The group stated: "We have nothing to do with politics. Within three days, all data from Palau will be available on our blog. You can find some very interesting information there." In addition, the attackers added that they stole a total of more than 21 GB of data from Palau.

According to the local government, data from the Ministry of Finance of Palau was indeed stolen, but it did not contain anything sensitive or important. In the worst case, hackers will be able to use it for targeted phishing, but the government is not too worried about this, considering that such attacks can be easily guarded against by raising awareness.

Overall, the island nation has barely experienced the effects of the cyber incident, although some government workers have had to collect their wages in the form of a bank check, rather than the usual transfer or cash. It took only 5 days for the local security team to fully restore the encrypted computers.

The Palau incident shows that even ordinary organizations in tiny states must always be prepared for a variety of cyber threats. Rapid response and system recovery allowed the country to return to normal operation quickly, but the attack may still have additional consequences in the future.

Continuous improvement of cybersecurity measures, including raising staff awareness, will help any organization avoid such incidents, preserving important information, human resources and precious reputation.
 