Cyber Incident Victim: Sunway Berhad
Date: Sep 2021
Location: Malaysia
Summary
ALTDOS threat actors claimed responsibility for a cyberattack on Sunway Group, a major Malaysian conglomerate, threatening to leak student data after alleging no response from the organization. The attackers provided proof of compromise via a spreadsheet containing personal details of 1,000 students and their parents, including names, identification numbers, contact information, and educational records. The group has targeted multiple ASEAN entities across various sectors, with Singaporean authorities previously issuing an advisory about their activities. Sunway did not publicly confirm or deny the breach despite multiple inquiries, and while ALTDOS threatened further leaks, no confirmed public dissemination of the data was identified at the time of reporting.
Description
On September 15, 2021, the threat actor group ALTDOS contacted DataBreaches.net to claim responsibility for a cyberattack targeting Malaysia-based Sunway Group, a conglomerate with operations spanning real estate, construction, education, healthcare, retail, and hospitality across 50+ global locations. ALTDOS stated they would leak student data from Sunway’s education domain (sunway.edu.my) within 12 hours, citing Sunway’s alleged failure to respond to their communications over the preceding 72 hours. As proof of compromise, ALTDOS provided links to two files hosted on a file-sharing site. One file contained a spreadsheet with personal data for 1,000 students and their parents affiliated with Sunway’s international schools, which operate under the Jeffrey Cheah Foundation. The exposed student records included names, IC numbers, email addresses, phone numbers, grade levels, states, and school names, while parental records included names, emails, and contact numbers. Most entries bore 2021 timestamps, indicating recent data collection. DataBreaches.net verified contextual consistency (matching parent names via public searches and confirming that Sunway operates schools covering the listed grades) but did not validate contact details or notify affected individuals. Between September 17 and 18, multiple inquiries sent via Sunway’s website contact form and the Jeffrey Cheah Foundation’s portal had received no response by the article’s publication date (September 20). ALTDOS’s threatened data dump deadline passed without public confirmation of a leak, though the group has historically used obscure forums and paste sites, not all of which are monitored by researchers.

The incident formed part of ALTDOS’s broader campaign targeting ASEAN entities, with prior victims including Singapore’s AudioHouse electronics retailer, OrangeTee real estate group, Unispec marine services, and Thailand’s MonoNext media group and 3BB telecom subsidiary. Singaporean authorities had issued a joint cybersecurity advisory (CSA AD-2021-007) warning about ALTDOS’s activities prior to the Sunway attack, though this did not prevent the breach. ALTDOS’s modus operandi involved exfiltrating consumer and proprietary business data, then threatening leaks to pressure victims, though Sunway’s non-response contrasted with some prior cases where victims acknowledged incidents. The compromised student/parent data carried risks of identity theft, phishing, and social engineering, given the inclusion of government-issued IC numbers and familial relationships. No technical details regarding Sunway’s attack vector, detection timeline, or containment measures were disclosed in available sources, nor did ALTDOS specify motives beyond their characteristic data-acquisition-and-dump pattern. The Jeffrey Cheah Foundation’s governance role over the affected schools was noted, but its direct involvement in incident response remained unconfirmed due to lack of replies to inquiries.
