Cyber Incident Victim: Mono Next Public Company Limited
Date: Dec 2020
Location: Thailand
Summary
A Thai media conglomerate was targeted by the ALTDOS hacking group, which infiltrated multiple domains and exfiltrated hundreds of gigabytes of data over several months. The attackers, motivated by financial gain, attempted unsuccessful ransom negotiations before leaking a subset of stolen customer information from a home shopping subsidiary. The victim confirmed unauthorized access to employee personal data—including names and ages—and some online customer records, but asserted that financial details and identification documents remained secure. The company characterized the incident as a cybercrime aimed at extortion and defamation, emphasizing its existing security measures while acknowledging plans to enhance protections. ALTDOS cited language barriers as a potential factor complicating negotiations with Thai entities.
Description
The ALTDOS hacking group targeted Mono Next Public Company Limited, a Thai media conglomerate with five core business divisions including digital television (MONO29), video-on-demand services (MONOMAX), online platforms (MONOCyber), content distribution, and home shopping (29Shopping). Between November 2020 and January 2021, ALTDOS conducted multiple intrusions across Mono’s networks, compromising 29shopping.com on January 6, mono29.com on January 3, and mono.co.th on December 25. The attackers exfiltrated hundreds of gigabytes of data during this period. Initial ransom negotiations with Mono failed, prompting ALTDOS to release a sample dataset containing 1,448 rows of customer information from 29shopping.com spanning 2018 to January 2021. The group provided DataBreaches.net with evidence of network access, including database screenshots, and disclosed using infiltration methods such as network sniffing, brute-force attacks, and code injections. ALTDOS emphasized their attacks were financially motivated, focusing on ASEAN-region targets, and cited communication difficulties with Thai companies as a potential obstacle during extortion attempts.

Mono Next Public Company confirmed the breach in a public statement, acknowledging unauthorized access to employee personal data (names, surnames, ages) and partial customer information from online platforms. The company asserted that critical financial data—including credit card details, identification card copies, and publicly disclosed financial reports—remained uncompromised. Mono described its security infrastructure as combining on-premises data center protections and cloud server safeguards with regular monitoring, though it announced enhanced security measures following the incident. The organization characterized the attack as a cybercrime campaign intended to extort funds through data exposure threats and to damage corporate reputation, warning that ALTDOS might target other Thai Stock Exchange-listed entities. No evidence emerged that Mono notified affected individuals beyond its initial statement, and the attackers’ communication channel was reportedly disabled. ALTDOS’s actions marked their second publicly disclosed breach in Thailand after previously targeting Country Group Securities.
