Police urged critical infrastructure operators to reinforce security following hotel cyber attack

The Judiciary Police (PJ) has confirmed to Macau News Agency that is still currently following up on the hacking case targeting 17 local hotels last year.

As reported by MNA last month, cybersecurity company Trellix stated that a South Korean hacking group carried out a campaign of ‘phishing’ cyberattacks starting in November, 2021 and targeting 17 ‘luxury’ hotels in Macau.

The cyberscurity company revealed that the attack started with a ‘spear phishing’ email directed to the hotel’s management staff in roles like the vice president of HR, assistant manager and front office manager.

‘Phishing’ attacks are the practice of sending fraudulent communications that appear to come from a reputable source, usually email, sometimes with the goal of stealing sensitive data like credit card and login information, or installing malware on the victim’s machine.

“PJ has begun investigation on the case concerned, with the Cyber Security Division conducting the necessary examination of evidence, hence, the investigation is still ongoing,” the police department told MNA.

“Our Cyber Security Division has issued a warning to all critical infrastructure operators, urging them to reinforce their preventive and monitoring work for a secure network environment.

The Macao Government Tourism Office (MGTO) informed also informed MNA that at the end of last year, it received a report from one local hotel about a suspicious email sent from the department’s office.

Following an investigation, the MGTO found out that one of his emails usually used communicate with hotels had been appropriated to send emails out automatically, and immediately stopped using the email address.

“The MGTO informed local hotels to be aware of spear-phishing emails, as well as reported the case to the Macau Cybersecurity Incident Alert and Response Centre (CARIC).

The department has also not received a report from local hotels about any damage resulting from this case.

Macau Cybersecurity Incident Alert and Response Centre (CARIC)

Although the name so the targetted hotels had not been revealed, Trellix indicated one of the hotels was hosting an International Environment Forum and an International Trade & Investment Fair at the time, events set to be held at The Venetian, a Sands China integrated resort.

Trellix also noted that the server used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia (fsmgov.org) so as to mislead the receiver into believing it was actually a mail sent by the Public Security Forces Affairs Bureau of Macau domain (fsm-gov.com).

In December 2021, the Public Security Forces Affairs Bureau issued a public announcement stating only that ‘unlawful elements’ were believed to be using its email to send fraudulent emails to commit illegal acts.

The SAR Office of the Secretary for Security previously warned that Macau recorded an increase in ‘online crime’ in 2021 with authorities reporting a growing increase in cybercrime in the last two years.

According to the data from CARIC, a significant proportion of cyber threats in Macau consisting of phishing attacks (37 per cent) and active attacks (32 per cent).

Under the Macau Cybersecurity Law introduced in 2019, public and private critical infrastructure operators have to maintain adequate management and security levels for their information networks and computer systems, adopt cybersecurity systems and establish reporting mechanisms.

CARIC also started operating in December, 2019 and is coordinated by the Judiciary Police, the Public Administration and Civil Service Bureau (SAFP) and the Macau Post and Telecommunications Bureau (CTT).

The centre is primarily responsible for cybersecurity risk alert, cybersecurity incident response and coordination, and the relevant administrative and technical support, with critical infrastructure entities having to report any cybersecurity issues to the centre.