Suspected international hacker group breaches Cyberport systems, steals tenant data


7th September 2023 – (Hong Kong) A notorious international hacker group is suspected of infiltrating the network systems of Hong Kong’s Cyberport digital hub, stealing a trove of confidential data on startup tenants and sensitive internal documents. The hackers are auctioning off the 400GB cache of files on the dark web for a base price of US$300,000 (HK$2.34 million).

Hong Kong Wen Wei Po reporters obtained one of the leaked files, which exposes the identities of Cyberport personnel, including ID cards, bank statements and even Octopus card numbers, brazenly made public online. Cybersecurity experts suspect the breach could be linked to compromised staff computers, and urge urgent checks for malware infections of internal systems, backups and encryption of important data, and fixes for security vulnerabilities.

The Cyberport business park in Southern District, considered a mecca for the city’s IT sector, appears to have had its defences penetrated by hackers who recently put up for auction on the “dark web” a trove of confidential data treated as merchandise.

A seller going by the name Trigona posted on the dark web offering the cache of Cyberport’s compromised data, with graphic illustrations of the information. Although some files are redacted, they clearly contain what appears to be staff IDs and resumes. The seller tantalisingly dangles more details, claiming the records include not just HR files but financial, fintech, leasing and development project data, totalling 400GB in size.

Touting a “highest bidder wins” approach, the seller Trigona does not reveal how the confidential files were obtained, but brags they will go to the top dollar offer.

Through investigative reporting, Hong Kong Wen Wei Po has discovered the auctioned files include what appears to be Cyberport HR internal records such as staff photos, ID cards, phone numbers, job application resumes, bank statements, MPF contribution records, and even spousal ID cards and marriage certificates, representing a severe breach of employee privacy.

More troubling is that beyond just HR data, the auction seems to include tenant files, raising alarms that Cyberport’s administration computer systems may have already been infiltrated by hackers. Cyberport is urged to urgently investigate and remedy the situation.

Just who is the seller Trigona? How did they manage to obtain Cyberport’s confidential data? Reporting reveals Trigona to be an internationally notorious professional hacking group that has repeatedly attacked major global corporations and engaged in extortion, threatening to publish stolen data if ransom goes unpaid. As of February 2022, at least 17 potential Trigona victims were uncovered in the United States, France, Italy, Germany, Australia and New Zealand.

For Trigona, stealing confidential corporate data is a pathway to illicit riches. They brazenly flaunt on the web the names of successfully breached companies as intimidation. From their rogue’s gallery of targets, Cyberport may be the first known Hong Kong firm to fall prey. Many online citizens are aghast at such showboating criminality, however, Trigona’s elusive tactics and hacking sophistication leave some major corporations unaware of data theft until they discover internal files being auctioned, forcing them to pay “ransom” to avoid reputation damage.

Cybersecurity expert Ronald Pong says Trigona’s history of ransoming hacked company data means any Hong Kong firm victimized was likely extorted, but refusing payment is wise. “Past cases show even companies paying ransom continued to be blackmailed, indicating insatiable greed. Plugging vulnerabilities is the best solution.”

With massive data leakage, Pong advises Cyberport to quickly check internal systems for infection by Trigona’s ransomware and purge any found. Concurrently, all important data and files should be backed up and encrypted, with security tests and evaluations of internal systems.

Legco member Elizabeth Quat of DAB believes Cyberport has alerted police and the privacy commissioner’s office, and urges affected staff to change bank account passwords. She says the breach shows firms need to strengthen employee awareness on cybersecurity and avoid questionable websites or links.

Cyberport admits to discovering a cybersecurity incident involving unauthorized third-party access to some of its computer systems. The company takes the event very seriously and has taken immediate actions, including alerting police, isolating affected equipment and promptly launching a detailed investigation with independent cybersecurity experts. Cyberport has also notified relevant authorities including Hong Kong’s privacy commissioner.

Spokespersons say Cyberport noticed during IT security checks yesterday that some online data was suspected to be related to the incident. Cyberport condemns outright any form of cybercrime and will fully cooperate with law enforcement authorities, committing to provide all appropriate assistance to affected parties, enhancing protective systems and setting up a dedicated email ([email protected]) to handle and follow up the incident.

Cyberport stresses it will further strengthen data management and cybersecurity measures to improve system defences and adopt all necessary safeguards to ensure data integrity.