A new player, Union of Hacktivists
Until April 2015, all hacking activities are mainly connected to the “Union of Underground Myanmar Hackers (UGMH)” and Blink Hacker Group (BHG). The first group formed by a collation of smaller hacking groups including Myanmar Hacker Unite4m (MHU) had a main focus on Bangladeshi and Indonesian Muslim sites while Blink Hacker Group remained compulsively obsessed with defacing online Myanmar media including Irrawaddy, Mizzima, DVB, Eleven Media, etc.
To our surprise, the scene changed months before the Elections of November 2015. A totally unknown group with the name “The Union of Hacktivists” became notorious after the defacement of the Burmese media site Elevenmyanmar.com in April 2015 and their operation “#Op Fucking Media” that specifically targeted independent online media in Burma.
The Union of Hacktivists became increasingly active during October 2015, just one month before the General elections in Burma of the 8th November 2015. During one week, the group defaced half a dozen Burmese media sites.
During the days before and after the November elections we discovered the Union of Hacktivists is in fact an undercover organization operating from military premises that has adopted the aesthetics of other hacker groups active in Myanmar to run operations to undermine the work of online media in the country.
Attacks against the sites during before and during the elections were not effective but malicious activity continued and the 19th of November 2015, the Union of Hacktivists (ဟက္ကာမ်ားသမဂၢ) targeted the 7Day Daily company Information Matrix and the 25th of November 2015, the IELTS in Myanmar.
After weeks monitoring malicious activities in both the Democratic Voices of Burma and the Irrawaddy’s websites, we tracked the attack to a military operated network. In the same network and behind two different proxy-firewalls (BlueCoat ProxySG devices), runs traffic from the Defense Services Computer Directorate (DSCD), the Defense Services Command and General Staff College (DSCGSC), the Defense Services Science and Technological Research Center (DSSRTC) and the National Defense College (NDC).
New intrusions attempts took place against the sites during the weeks after the elections. After fine tuning the monitoring, during the first week of December of 2015 we could fully attribute the attacks to someone behind the proxy of the Defense Services Computer Directorate (DSCD).
A detailed look into the network infrastructure of the Military shows that several institutions, while physically located in Kalaw, Nay Pyi Daw or Pyin U Lwin, share a common public IP address but are operating behind different BlueCoat devices and Proxies that we managed to fingerprint.
သင့္အား ျမန္မာႏိုင္ငံလုံးဆိုင္ရာ ဟက္ကာမ်ားသမဂၢမွ အလိုရွိသည္။ ဟက္ကာမ်ား သမဂၢဆိုတာ နည္းပညာကို ခ်စ္ျမတ္ႏိုးၿပီး ႏိုင္ငံ့တာ၀န္ကို တစ္ဖက္တစ္လမ္းကေန အုပ္တစ္ခ်ပ္သဲတစ္ပြင့္အျဖစ္ ထမ္းေဆာင္မယ္ဆိုတဲ့ ရည္ရြယ္ခ်က္တူ၊ မူ၀ါဒတူ၊ လမ္းစဥ္တူတဲ့ သူမ်ား စုေပါင္းထားတဲ့ အဖြဲ႔အစည္းတစ္ရပ္ျဖစ္ပါတယ္။ ဒါ့ေၾကာင့္ သင့္အေနနဲ႔ ခံယူခ်က္ျခင္း၊ သေဘာထားျခင္း တိုက္ဆိုင္တယ္ဆိုရင္ ယခု Status ကို သင့္ရဲ့ Facebook စာမ်က္ႏွာမွာ ရွဲလုပ္ျခင္းအားျဖင့္ ကြ်ႏု္ပ္တို႔ ဟက္ကာမ်ားသမဂၢမွာ ပူးေပါင္းပါ၀င္ေဆာင္ရြက္ႏိုင္ပါတယ္။ သမဂၢ၏ေဆာင္ပုဒ္ - အမွန္တရားဘက္က ဟက္ကာမ်ားသမဂၢ။ သမဂၢ၏မူ၀ါဒ - အကယ္၍ကမၻာႀကီးကသာ အမွန္တရားကို ဆန္႔က်င္ခဲ့မည္ဆိုလွ်င္ ကၽြႏု္ပ္တို႔ ျမန္မာႏိုင္ငံလုံးဆိုင္ရာ ဟက္ကာမ်ားသမဂၢက ကမၻာႀကီးကို ဆန္႔က်င္လိမ့္မည္။ ဆက္သြယ္ရန္ အီးေမးလ္ - firstname.lastname@example.org
Using Anonymous as a cover channel
The modus operandi of the Union of Hacktivists reassembles the same methods and type of messages in other forums from Gtone, messages trying to recruit new talents from communities of young hackers.
Gtone will later steer the hacking operations towards local online media.
Gtone also hides his operations behind several Facebook groups including the Anonymous Myanmar. He copies the aesthetics of Anonymous and runs the Official Anonymous Myanmar Hacker page in Facebook.
In December 2014, a new group with the name “Myanmar Black Hats” has emerged and it is the latest attempt to recruit more actors. The domain was registered the 26th of November 2014 by Creatigon.
Fake defacements and war fare
Another interesting finding was to spot how some websites defacements are designed to serve a very concrete political agenda.
In December 2012, a set of websites including: http://mysuboo.com, http://www.commercejournal.com.mm and http://www.news-eleven.com were defaced in the name of the Kachin Cyber Army. The defacements included the text:
Fuck the Fucking All Burmese Media Bourgeois! We are Everywhere! We are watching you! We Hacked You, to Know the Power of Kachin Country & Kachin Cyber Army. Do not you support to establish Kachin country? We 'll Fight all of you .. Again .. Again .. Again & Again!
Very soon after the defacements, the Myanmar Times published the 10th of December 2012 advertising that Eleven Media was hacked by the Kachin Cyber Army. After studying all the documented attacks associated to the KCA, we have reasons to believe that those defacements are fake and have been constructed to serve the government political agenda of conflict escalation.