Mon, 23 Dec 2024 00:08:50 GMT

Subjected to hacker attack

Early on Sunday, March 24th, hackers activated ransomware to attack a securities brokerage company, causing the collapse of the system serving investors. I was in Hanoi. Through a connection, I went to the scene out of curiosity, only to find myself staying for over a week.

Ransomware is a type of computer malware that, when activated, encrypts all data. The encryption algorithm makes it possible to decrypt the data only with the secret key. Such an incident requires addressing two main tasks: urgently restoring business operations and ensuring security to prevent further attacks. Like two wings, these tasks must be kept in balance: the system cannot be restored if it is not secure, but it also needs to reopen as soon as possible. We joked that we had to be "urgently patient."

As I was about to leave Vietnam, my team did not have enough time to handle the entire incident. I proposed hiring another domestic cybersecurity company to investigate and review security. I called on two energetic engineers from Saigon to fly out and work with the team in Hanoi. All of us immediately started working on restoring the system. The process consisted of three steps: isolation, elimination, and restoration. First, isolating the suspected compromised systems by controlling network traffic and ensuring no external communication. Next, reviewing them to eliminate or minimize risks and ensure a clean, secure system. Finally, rebuilding the application software system for recovery.

As a former cryptography engineer at Google, I consider decryption my favorite task, but this time it was unexpectedly challenging. The large amount of data made decryption time-consuming and error-prone. We found some small improvements, but it was not as fast as expected. Moreover, our initial enthusiasm was undermined by lack of sleep; there were moments of confusion. Instead of sleeping, the team tried to come up with solutions while "half awake, half dreaming." As a result, the decryption process was slow and produced many errors, some of which were inexplicable. Slow decryption was not something to take lightly, but the lack of an explanation worried me tenfold. The "engineer" in me felt very uneasy: even if we could not do it, we had to understand why.

The solution I chose was to return to basics. If decryption sometimes succeeded and sometimes failed, we first had to understand how the malware operated. The team had started analyzing the malware from day one but got distracted and could not focus. This time, we gathered the most experienced engineers, determined to finish the job. From Hanoi, connecting with Saigon, Houston, and with malware expert Chương Đồng in Atlanta, the Vietnamese-American engineer team finally understood how the malware operates, when its encryption fails, and how to fix the result. What previously took hours or even days now took only minutes. The team also discovered some unique decryption methods and even deployed automated decryption. This valuable information is useful to many, and we will soon share it with the community.

With decryption done, the next step was to rebuild the application software system. Vietnamese cybersecurity investigators, in collaboration with the affected unit's engineering force, worked tirelessly day and night. The 17-year-old software system was restored in 7 days. The security team built a new clean network zone, completely isolated from the existing network. Following the announced recovery roadmap, the team identified each server and each piece of software needing restoration, in priority order. Each server was meticulously reviewed by experts to ensure no malware remained. Each piece of software was assessed for security to minimize vulnerabilities; only after ensuring the utmost safety was it transferred to the clean network zone. This process was repeated until each service resumed. The entire clean network zone was additionally monitored by experts 24/7. Nothing can be 100% guaranteed, but I found this security process very systematic and detailed, adhering closely to global standards.

Watching everyone work, I learned a lot, not only professionally but also from their dedication to the profession. What struck me most was the unity, the concerted effort for the common good. Many of the support forces were former employees of the brokerage firm. They too worked day and night, eating and sleeping on-site. Many units were competitors in the market, but they worked together. I have not seen anywhere else where people readily lend each other equipment worth hundreds of thousands of USD to support incident handling.

After all the seemingly impossible efforts, the company has reconnected with the entire market. It is not smooth yet, but things are gradually improving. The new software system has overcome its first challenge.

From an obscure idea, ransomware has become a global Internet disaster, causing billions of USD in damages annually. According to a White House report, the NotPetya malware alone caused over 10 billion USD in damages in 2017.

The securities brokerage company is slowly recovering from the incident, but what worries me is the rest of the market. Since 2021, when I started directly assessing the security of Vietnam's critical infrastructure, I have seen cyberattacks as an economic threat. I left Google partly to focus on solving this issue in Vietnam. Rapid economic development and geopolitical position have made Vietnam a target for many international hacker groups. It is not difficult to hack, and after hacking, money laundering is easy. Foreign hackers see Vietnam as fat prey. Rather than only banks being targeted, this attack shows that anyone can be a victim.

The battle will continue to be arduous and unbalanced, because Vietnam severely lacks high-quality cybersecurity personnel. This incident raises questions about that supply. The economy cannot overnight train experienced experts to combat international hackers. In 2009, Google was hacked. That incident triggered a revolution in the corporation's awareness. Since then, they have not been breached again, and they have turned cybersecurity into a competitive advantage. I have just witnessed the beginning of a similar revolution. Cybersecurity is a global issue, and this incident is a rare opportunity for Vietnam to take part in solving one of the world's big questions.

Information in this article is used with permission from the relevant parties.