Cyber Incident Victim: ALTDOS hackers
Date: Nov 2020
Location: Thailand
Summary
ALTDOS hackers breached a Thai media conglomerate, exfiltrating hundreds of gigabytes of data from its subsidiaries through methods including brute force and code injections. The group demanded payment to prevent public data leaks but negotiations failed, reportedly due to communication barriers, prompting them to release customer information including names and ages. The company confirmed unauthorized access to some employee and customer data but asserted financial records and IDs remained secure, attributing the incident to financially motivated cybercrime targeting ASEAN entities. While the organization claimed preexisting security measures and announced enhancements, ALTDOS emphasized their non-political agenda and broader regional targeting beyond Thailand.
Description
The ALTDOS hacking group targeted Thai media conglomerate Mono Next Public Company Limited in a multi-stage cyberattack campaign beginning in November 2020. According to their claims, attackers first compromised mono.co.th on December 25, followed by mono29.com on January 3, 2021, and 29shopping.com on January 6, with additional network intrusions occurring throughout this period. The group exfiltrated hundreds of gigabytes of data from Mono's diversified business operations, which included digital television (MONO29), video-on-demand services (MONOMAX), online platforms (MONOCyber), content distribution, and home shopping (29Shopping). ALTDOS representatives disclosed using multiple intrusion methods including network sniffing, brute force attacks, and code injections to gain initial access. After unsuccessful ransom negotiations with Mono, which the hackers attributed to communication difficulties and the company's resistance, ALTDOS began publicly leaking stolen data starting with a 1,448-row customer database from 29shopping.com spanning 2018 to January 2021. The group provided DataBreaches.net with .csv files and system access screenshots as evidence, while emphasizing their strictly financial motives focused on ASEAN-region targets across Thailand, Malaysia, Philippines, and Bangladesh.

Mono Next confirmed the breach in an official statement, acknowledging unauthorized access to employee personal information (names, surnames, ages) and partial online customer data. The company asserted that critical financial information including credit card details, identification card copies, and publicly disclosed financial reports remained uncompromised. Mono described its security infrastructure as combining on-premises data center protections with cloud server safeguards, all maintained through regular monitoring under personal data protection regulations. The organization characterized the incident as extortion-driven cybercrime designed to damage corporate reputation, noting attackers threatened further data exposure unless paid and warned of targeting other Stock Exchange of Thailand-listed companies. In response, Mono implemented enhanced security measures though specific technical controls weren't detailed. The company did not address whether breach notifications were being sent to affected individuals, while the attackers' communication channel became nonfunctional during the investigation. With $71.24 million in 2019 revenue according to Dun & Bradstreet, the conglomerate faced operational disruptions across multiple digital service divisions during the three-month intrusion period.
