- What are the motivations of your research team by releasing this work?
During the past week we have read all type of statements, from those that believe that we are part of a religious movement or part of a largest conspiracy to spread rumors against the Military of Myanmar. We stand for free press and the right of different opinions to co-exist peacefully. We oppose to those that dictate which media should be available in Myanmar. We want to see a constructive debate in this area and the skills of (young) hackers focused on building a plural media in the country.
- Have the leaders of the Blink Hacker Group (BHG) and Myanmar Hacker University confirmed their membership?
After exposing their role in both groups and providing clear evidence that connects them with several domain names, both Min Ko Ko and Yan Naing Mynt keep claiming that they are not performing any hacking activities, and that they just donated the domains to organizations that they respect.
Their role has been confirmed in different interviews, and in the latest statement of the Blink Hacker Group.
- Were the last Thai defacements performed by BHG?
While the Thai Police denies that the attacks were carried out by the Blink Hacker Group, we have good reasons to believe that the Blink Hacker Group is directly connected to the events. We have monitored every document posted in pastebin, and monitored who that first published the announcement in Facebook about the defacements. In all public statements regarding the Thai attacks, we have seen one member of BHG announcing in Facebook before anyone else.
- What has the reaction to this report been from the members?
Several BHG members that were mentioned in this report, have decided to take the forward-looking escape route. Proud of their actions, and their self-proclaimed right to silence other voices, they are “once again” making this report a part of their racist crusade.
- Are you concerned about local media and journalists being subjected to cyber attacks for reporting on this issue?
We understand the challenge that local media has to deal with, but we are more concerned about the level of impunity that these groups seem to have. Self-censorship is the worse form of cyber attack.
- Since people begun investigating this case in recent weeks, have you observed any changes in back-dooring of local media sites and DDoS attacks?
After monitoring the intrusions during the elections in November 2015, we saw how these groups shifted focus entirely to cases that could help them to regain popularity. The cyberwar against Thailand is a part of this logic. Since early December 2015, when we recorded a pen testing attack from the military network, we have not seen other clear attempts.
- Will there be additional information in the coming days?
Yes, we plan to disclose forensic evidence from some of the attacks we have seen, and disclose the methods we used to track the attack locations.
- Are you surprised by the reaction of those accused so far?
When the Thai police announced an investigation in early January 2016, we saw how members of the Blink Hacker Group started to remove possible personal linkages including taking down the site bhg-myanmar.org. However, as we have seen several times before, after a few weeks they feel comfortable again and start to show off in social media and brag about their cyber attacks.
We are surprised though, to see how quickly they jumped to point fingers to Muslim groups and independent media for any statements included in this report reproducing the very same logic that we denounce in our research.
- Yesterday, the domain names associated to dvb.com.mm and dvb.net.mm were pointing to other sites? How is that possible?
As soon as we saw the domain redirection, we knew that it was not a technical error. We verified that the tampering was taking place directly by the domain name servers at mtalk.net.mm, and it was not an active injection in the network. We also received reports that members of Blink Hacker Group were posting the content of the redirection on Facebook and celebrating.
In Myanmar, all websites are forced to use local DNS servers when operating under the .mm (TLD of Myanmar) domain.
- What kind of attacks has the Unleashed site received?
Soon after the release of the material on the website, we could monitor several attempts to find vulnerabilities on this website. Automatic scans were performed using tools from the Kali Linux Distribution, a known distribution that bundles security tools. Attackers have used both IP addresses from inside Myanmar and VPN services, such as Cyber Ghost VPN.
- Have the authorities of Thailand or Myanmar reached out for clarifications after the release of the report?
No, we have not received any inquiry from any governmental authorities to refute any of our statements. Since we released the report, only journalists and IT security researchers have reached out to learn more about our research methodology and information sources.
One of persons mentioned in this report contacted us to ensure that it was clear in our findings that he was not directly involved in any cyber attack.
- The first public statements on the online media talk about lack of evidence? Want to comment on that?
As far as we know, only a few of the people mentioned in the report have agreed to give interviews so far. Those who did, have already stated that they did provide technical support to the hacking groups in one form of another, but have denied to be “hackers”. There are several websites on the Internet that specialize in collecting mirror copies of defacements. We have been studying these mirror sites for three years now, and many defacements show their nick names.
Regarding providing stronger evidence of military involvement, we are discussing internally what is the best way to release the further information if needed.
- Have you received any attacks after the release of the report?
Within less than 24h after the release of the report, the domain name dvb.com.mm and dvb.net.mm were hijacked. The main sites using those domains were redirected, and a new site entry in the DNS zone was created: donate.dvb.com.mm. Since yesterday, we are in contact with the company in Myanmar that runs the domain name registration (registrar), Myanmar Technology Gateway (MTG), so they can help us to clarify how the redirection took place.
We have also received a report that “Anonymous Myanmar Hacker” Facebook group was one of the first sources to announce the DNS redirection. This group is normally used by members that support the Blink Hacker Group to make their announcements.
A few of the sites that we are monitoring have received vulnerability scannings. Friday night was surprisingly quiet. Something that we are not used to for years.
- Have you looked into other hacking groups active in Myanmar, such as Myanmar Muslim Cyber Force (MMCF)?
Our research has focused on groups in Myanmar that targeted online media in July 2012. Howwver, we have started to look into MMCF as well, which has core members in Indonesia.
- Did the targeted websites ask for this investigation?
The media sites that we have been assisting the last years have always been more interested in keeping their websites functional and operative than anything else. This work was initiated by a group of system administrators and security specialists when we were building better tools and technologies to protect websites during key events. In the past, during events like the 20th anniversary of the 8888 uprising, the Saffron Revolution, or the Rakhine riots, we were very reactive to security incidents. Not until 2015, we had the time and motivation to plan ahead and track down the attackers.
- Can you explain for a person without strong technical background how you found out that some of the attacks came from a military network?
During a technical troubleshooting, we looked into how we could differentiate the traffic from different devices coming from the same Internet connection. We learned that some firewalls add a very specific piece of information to the requests that we could use in our systems to block infected machines. During the implementation of such a system, we discovered that a very specific brand of firewalls known to be used by the military in Myanmar was logged in our system. A few weeks after, a reporter reached out to us saying that someone has logged into his Gmail account from a strange location. We checked in our systems and verified that the very same location was blocked by our system several times in the past. Only then, we decided to look specifically into all traffic coming from this network.
- Blink Hacker Group claims that they do not launch Denial of Service attacks due to the lack of bandwidth in Myanmar. Can you comment on that?
The main method used during 2012’s denial of service attacks was to call participants to join a “portal” and launch coordinated attacks using each others bandwidth.
During 2012 and 2013, we discovered several of these portals and mapped the addresses of the attackers while watching them launching the attacks. It was common to see IP addresses from the Moscow State Technical University (NE Bouwman) participating in the attacks. It was also common to see how groups from Bangladesh and Myanmar would hijack each others portals.
Coordinated denial of service attacks
Below we have reproduced one of their conversations:
24 Jun 12, 11:25 AM **** me bangladesh ,,,: **** your assholes bangladesh 24 Jun 12, 11:27 AM **** me bangladesh ,,,: suck my dick bangladesh 24 Jun 12, 11:27 AM **** me bangladesh ,,,: sex for all bangladesh virgin gairl 24 Jun 12, 11:27 AM **** me bangladesh ,,,: har har har har har har har 24 Jun 12, 01:16 PM naymin: good day 24 Jun 12, 01:16 PM naymin: lee bal 24 Jun 12, 11:03 PM white prince: http://radio2fun.com/news/ 24 Jun 12, 11:56 PM jarjar: hi 25 Jun 12, 03:21 AM hi: hi 25 Jun 12, 03:21 AM Cyyber sinner: hello 26 Jun 12, 12:07 PM Robin: sobai ki valo asen ??? 26 Jun 12, 12:10 PM Robin: fb hack pro ar serial key ta amar dorkar karo kase ki ase ???? 26 Jun 12, 05:32 PM M3nt@l-Gh0st: keu ki asen????? 26 Jun 12, 05:54 PM zawlin: ဘယ္သူေတြရွိလဲ 26 Jun 12, 05:54 PM zawlin: ဘယ္2ေယာက္ကစ္ေနလယ္ 26 Jun 12, 05:54 PM b.demon: ရွိတယ္ 26 Jun 12, 05:56 PM ငါ: သိ၀ူး 26 Jun 12, 05:57 PM b.demon: hay ko zaw lin 26 Jun 12, 05:59 PM b.demon: ဟီး ဟီး 26 Jun 12, 06:04 PM kwm: အဆင္ေျပရင္လက္ခုတ္သံေလးေတြၾကားခ်င္တယ္ 26 Jun 12, 06:05 PM b.demon: ေတြ.ၾကဘူးလား 26 Jun 12, 06:05 PM http://myanmarinternetjou: http://myanmarinternetjournal.com/ plz ddos 26 Jun 12, 06:05 PM dreamer: ကစ္ေနပါတယ္. 26 Jun 12, 06:05 PM anonymous: http://myanmarinternetjournal.com/ plz ddos that site 26 Jun 12, 06:05 PM dreamer: အင္တာနက္ဂ်ာနယ္ကို 26 Jun 12, 06:12 PM b.demon: က်သြားၿပီတဲ. 26 Jun 12, 06:17 PM nn: stay active 26 Jun 12, 06:18 PM nn: 4 online only 26 Jun 12, 06:21 PM ေနမ်ိဳးသူရိယ: က်ေသးဘူးလားဗ် 26 Jun 12, 06:22 PM nn: က်ေတးဘုး 26 Jun 12, 06:29 PM ေနမ်ိဳးသူရိယ: ဆက္ဆြဲထား 26 Jun 12, 06:34 PM ငါ: မက်နိုင္ပါလားဟ 26 Jun 12, 06:39 PM ေနမ်ိဳးသူရိယ: 26 Jun 12, 06:40 PM ေနမ်ိဳးသူရိယ: ေတာင့္ထားတုန္းပဲ 26 Jun 12, 06:41 PM BD hacker: http://myanmarinternetjournal.com plz ddos 26 Jun 12, 06:42 PM ျဖဴေလး: ့hi 26 Jun 12, 06:47 PM ေနမ်ိဳးသူရိယ: hi hi 26 Jun 12, 06:58 PM ေနမ်ိဳး: ဘယ္သူေတြ ရွိၾကတုန္းလဲဗ် 26 Jun 12, 07:00 PM ျဖဴေလး: i 26 Jun 12, 07:01 PM nn: i have,requestis over 10000 ,but this stay acctive 26 Jun 12, 07:02 PM ေနမ်ိဳး: 26 Jun 12, 07:02 PM alin: hi 26 Jun 12, 07:03 PM ေနမ်ိဳး: hi hi 26 Jun 12, 07:10 PM ျဖဴေလး: ဘာလုပ္ေနႀကလဲ 26 Jun 12, 07:33 PM nn: 26 Jun 12, 07:46 PM ေဇာလင္း: က်ေသးဘူးကစ္ထားၾကအံုးဟ 26 Jun 12, 08:08 PM thesea: ဘူမွရွီေတာ့ဘူးလား 27 Jun 12, 04:12 AM ငါ: ၂၀၀၀၀ေက်ာ္ျပီမက်ပါလားဟ 27 Jun 12, 08:48 AM Bhoot_Muster: hi 27 Jun 12, 09:35 AM kkl: mangalabar 27 Jun 12, 07:14 PM စက္ုဖီး: အမ္ 27 Jun 12, 07:17 PM ဘဂ်မ္းၾကီး: ကစ္ေနျပီေနာ္ 27 Jun 12, 07:25 PM ဘဂ်မ္းၾကီး: www.news.mms.info/ ဒီဟာကိုတိုက္ၾကမယ္ 27 Jun 12, 07:29 PM ခ်မ္းေလေျပ: ငါလာျပီကြ 27 Jun 12, 07:31 PM ခ်မ္းေလေျပ: ဘယ္သူမွမရွိေတာ့ဘူးလား 27 Jun 12, 07:39 PM ခ်မ္းေလေျပ: တုိက္ေနၾကတုန္းလား 28 Jun 12, 03:43 PM M3nt@l-Gh0st: 29 Jun 12, 01:37 PM Dr-N3tP16: www.bcic.gov.bd/ We attack this 29 Jun 12, 01:38 PM Dr-N3tP16: Pleas together attack with our 29 Jun 12, 02:14 PM **** in bangladesh: shi ja lar bor dar toe 29 Jun 12, 09:50 PM ဟဟ: လုပ္ေနပါတယ္ဗွ် 29 Jun 12, 09:50 PM ဟဟ: 29 Jun 12, 09:51 PM cyberjunior: ဟဟ တိုက္ၿပီ 29 Jun 12, 09:52 PM ဟဟ: ေဝၚ 29 Jun 12, 10:11 PM ဟထဇ: လုပ္ေနပီေနာ္ 29 Jun 12, 10:22 PM ဟဟ: 29 Jun 12, 10:40 PM လ: 29 Jun 12, 10:56 PM ဘဂ်မ္းၾကီး: ကစ္ျပီေဟ့ 29 Jun 12, 11:05 PM မင္း: ရွိသမွ် ေၾဘာင္ဆာေတြ အကုန္ဖြင့္ျပီး ကစ္ေနတယ္ဟ 29 Jun 12, 11:35 PM မင္း: http://www.news.mms.info/ ဒီဟာက်သြားပီ 29 Jun 12, 11:37 PM မင္း: http://www.bcic.gov.bd/ ဒါ ရေတးဘူး 29 Jun 12, 11:37 PM မင္း: www.dvb.no ဒီဟာၾကီးေကာ 29 Jun 12, 11:38 PM မင္း: opera ေၾဘာက္ဆာ အျမန္ဆံုးပဲ 30 Jun 12, 12:11 AM Lynn: attacking now 30 Jun 12, 12:14 AM ဟဟ: 30 Jun 12, 12:18 AM ဗ်ည္းခက္: ခ်ၾကေဟ႔ ခ်ၾကဟ 30 Jun 12, 12:52 AM MOE: AR PAE TA 30 Jun 12, 01:07 AM MyanmarBoy: လုပ္သာလုပ္ၾကပါ 30 Jun 12, 01:08 AM MyanmarBoy: အားေပးပါတယ္ 30 Jun 12, 09:35 AM ႊtun win: ခု ဘယ္သူရွိေနလည္း 30 Jun 12, 11:19 AM me: kothuyaa 30 Jun 12, 11:21 AM kothuyaa: ရွီၾကေသးလား 30 Jun 12, 11:54 AM လူေလ: ရွိေနတယ္ 30 Jun 12, 11:55 AM လူေလ: ဘယ္သူေတြခ်ေနလဲေဟ့ 30 Jun 12, 05:54 PMဲ j gyi: Dvb.no ကိုတုိက္ေနတဲ့သူရိွလား 30 Jun 12, 06:15 PM Tun Lay: က်ေတာ္ခ်ေနပါတယ္ 30 Jun 12, 06:15 PM Tun Lay: ရွိပါတယ္