A threat actor named Devman has claimed responsibility for a cyberattack on Thailand Ministry of Labour, compromising over 300 gigabytes of sensitive data and severely disrupting government operations.
The Thailand Ministry of Labour cyberattack was not a hit-and-run incident.
According to a post on Devman’s dark web blog, the hackers had access to the Ministry’s systems for over 43 days before executing their attack. They claim to have infiltrated both Active Directory and multiple Linux servers, methodically collecting data and preparing for their strike.
The breach came to public attention when the Ministry’s official website was defaced, with the homepage replaced by a message: “THIS IS NOT JUST THE WEBSITE. WHAT YOU WITNESS HERE IS PART OF OUR COORDINATED ATTACK, AIMED AT CRIPPLING THIS MINISTRY.”
However, at the time of writing this, the message was deleted.
In addition to the website defacement, the group alleges that they have encrypted approximately 2,000 laptops, over 98 Linux servers, and more than 50 Windows servers. Perhaps most disturbingly, Devman claims to have completely wiped the Active Directory environment and destroyed all tape backups, potentially crippling restoration efforts.
Details of the Thailand Ministry of Labour Cyberattack
According to Devman, the stolen data includes:
- Over 600 classified government documents
- Large portions of the citizen and foreign visitor datasets
- Confidential government communications and personal details
A ransom of $15 million has been demanded in exchange for not publishing or selling the data.
Technical Analysis: How Was This Possible?
In response to the cyberattack on the Thailand Ministry of Labour, The Cyber Express conducted a preliminary investigation using PentestTools’ Light Website Vulnerability Scanner. While this was a limited scan and did not check for critical issues such as SQL Injection or Remote Code Execution, several vulnerabilities were discovered.
Medium-Risk Vulnerabilities Identified:
- Insecure Cookie Settings: Missing Secure and HttpOnly flags on session cookies (PHPSESSID), which increases the risk of session hijacking.
- Outdated jQuery UI Library: The site was using jQuery UI 1.11.4, known to have multiple CVEs, including XSS vulnerabilities and unsafe parameter use that could allow arbitrary code execution.
- Weak Content Security Policy (CSP): The use of unsafe-inline, unsafe-eval, and open object-src policies could allow attackers to execute malicious JavaScript.
- Exposed Email Addresses: Addresses like [email protected] and [email protected] were publicly available, increasing phishing risks.
- Server Technology Fingerprinting: The scan identified the use of PHP, Apache, MySQL, WordPress, Bootstrap, and other technologies, giving attackers a blueprint for targeted exploits.
- Misconfigured robots.txt: The file revealed potentially sensitive or admin paths that should not have been publicly accessible.
The combination of these vulnerabilities suggests that the cyberattack on Thailand may have involved a client-side XSS exploit, leveraged through outdated libraries and weak session security, allowing the attackers to escalate access and infiltrate deeper systems.
To Wrap Up
As of now, no official response has been issued by the Ministry of Labour. The Cyber Express has reached out for comment, but the Ministry has not responded yet. If Devman’s claims are confirmed, this cyberattack on Thailand would rank among the most severe data breaches in Southeast Asia’s recent history, not just in terms of data volume, but also due to the long-term systemic damage inflicted on a critical government institution.
Given the reported destruction of backup infrastructure and the scale of encrypted systems, recovery may be slow and complex. This story is developing.
The Cyber Express will continue to monitor updates on the Thailand Ministry of Labour cyberattack, including any official responses, confirmations, or public statements from affected agencies.
