Cyber Incident Victim: CGSEC
Date: Dec 2020
Location: Thailand
Summary
A Thai securities trading firm suffered a cyberattack by the ALTDOS group, resulting in the theft of unencrypted financial and customer data alongside file encryption. The attackers demanded 170 BTC, criticizing the company's inadequate security measures, including unencrypted employee credentials and failure to detect suspicious IP access. Despite multiple attempts to contact the firm's directors, the company reportedly ignored communications and blocked the attackers' emails, leading to further unauthorized access. The firm subsequently took its servers offline in response to the breach, which exposed sensitive personal and financial information of clients and employees. ALTDOS emphasized their focus on financial sector targets and avoidance of traditional ransomware due to decryption risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 4, 2020, threat actors identifying as ALTDOS breached Country Group Securities (CGSEC), a Thailand Stock Exchange-listed securities trading firm. The attackers exfiltrated sensitive financial records, customer databases, and employee information, later disclosing that the data was stored unencrypted across CGSEC’s systems. ALTDOS claimed to have avoided ransomware deployment, instead encrypting local backup copies with AES-256 while retaining stolen data for extortion. They emphasized exploiting weak server protections, including unencrypted employee workstation credentials stored in a database and failure to detect unauthorized access from blacklisted IP addresses. After receiving no response to initial communications, ALTDOS emailed CGSEC directors on December 5 demanding 170 BTC (~$3 million USD) and subsequently published proof-of-hack data on file-sharing sites when the firm blocked their emails. The group maintained persistent access to CGSEC systems through at least December 6 despite the extortion attempt.

CGSEC took its public-facing systems offline by December 4–5, coinciding with DataBreaches.net’s outreach and ALTDOS’s data leaks. The breach exposed customer financial details, employee credentials, and operational records, with the attackers highlighting systemic security deficiencies. CGSEC management made no public acknowledgment and entered no negotiation, allegedly seeking to contain disclosure. The takedown of web servers, and possibly internal systems, caused operational disruption. ALTDOS framed the attack as part of a pattern of targeting financial sector entities with inadequate data protection measures, asserting that typical ransomware tactics were avoided to prevent file corruption. The incident remained unresolved in public reporting, with no confirmation of data recovery, financial losses, or remediation efforts beyond the observed server shutdowns.
