Overseas cyberattack shuts down 5 Macau government websites for 45 minutes
- Cybersecurity expert warns Hong Kong could be ‘wide open to being attacked at any given time’ as many organisations and companies do not have sufficient protection
An overseas cyberattack took five Macau government websites offline for 45 minutes and blocked a local internet service provider’s access to them for more than three hours, local authorities said on Thursday.
The Office of the Secretary for Security in Macau said its website, the Public Security Police Force, the Fire Services Bureau, the Public Security Forces Affairs Bureau of Macau and the Academy of Public Security Forces were shut down because of a “distributed denial-of-service attacks from overseas”.
Officials said the websites were hit at 8pm on Wednesday.
The security office said a criminal investigation had been launched to trace the source of the attack.
It took the departments and the city’s internet service providers 45 minutes to restore access to the affected websites.
But users of CTM, one of four internet service providers in Macau, were unable to access the sites until after 11pm, more than three hours after the attack was detected.
Authorities said other providers had been able to gain access to the websites as normal.
Macau authorities did not disclose how many people were affected by the attack.
They said they had asked for a report and improvement plan to prevent similar incidents from happening again.
Michael Gazeley, founder of Hong Kong cybersecurity firm Network Box, explained distributed denial of service attacks that aimed to bring down websites or applications came from thousands or even hundreds of thousands of locations.
“Hackers would take control of thousands of devices and then use those devices to attack a target. And then if the authorities turn up, they’re looking at the devices’ IP, not the hackers’ ones,” he said.
The cybersecurity expert warned that Hong Kong could be “wide open to being attacked at any given time” as many government organisations and companies, small and large, had not been equipped with enough protection.
According to police, there were 37 reports of cyberattacks on businesses last year, a 54 per cent rise from the 24 cases in 2022. Reported losses tripled to HK$2.1 million (US$268,400) from HK$700,000 in 2022.
Several statutory bodies also fell victim to hackers. A ransomware attack last September stole more than 400GB of data, including bank account information and identity card copies of staff, from Cyberport, the city’s showcase technology hub.
The hackers demanded US$300,000 as ransom, threatening to release the information on the dark web, where criminals buy and sell data to use for scams and other illegal purposes. The ransom was not paid.
A week after that attack, hackers targeted the Consumer Council, stealing the personal data of 477 people. The hackers demanded a US$500,000 ransom, which the consumer watchdog did not pay.
Government departments also suffered a string of data security incidents, with a recent one concerning the fire service, which reported a potential data leak related to an unauthorised change of access rights to personal information of more than 5,000 residents and staff in May.
In a written reply to the Post, the Office of the Government Chief Information Officer said government websites and systems had adopted multiple layers of security measures, including data encryption, firewalls, content delivery networks, scrubbing function, intrusion detection and prevention systems against distributed denial of service.
The office also required all bureaus and departments to strictly follow its policy and guidelines to ensure data and information security, while setting up an emergency response team to handle incidents.
