By Sojun Ryu, The Readable
Aug. 19, 2022 7:43PM KST
A hacker group calling themselves SiegedSec has come forward to claim that it gained access to an information technology firm in South Korea. Through its Telegram channel, the group uploaded a video on Thursday to support the claim; the video demonstrated the group's ability to access an administrator account of the firm WhaTap and manipulate the service.
WhaTap Labs is a South Korean startup, established in 2015. They provide monitoring solutions for applications, servers, Kubernetes, databases, and URLs as Software-as-a-Service. In 2021, the company succeeded in attracting Series B investments, which accumulated 12 billion won (approximately $904,000). Now it has more than 1,000 customers.
The SiegedSec group uploaded a video around 4 p.m. (7 a.m. GMT) on August 18 and insisted that they had infiltrated WhaTap's service. In addition, they asserted that they had obtained an administrator account, which has access to the firm’s customer server.
Since the group did not mention anything about selling the data it stole, it appears that the group is currently focused on creating confusion by deleting some of the data, as shown in the video.
◇ Disputes over the hack: The company denies the claims
After some local media organizations reported the group’s claim, WhaTap published two separate statements on their official website denying the hack. In the second statement, published on August 19, the company stated that the hacker group had access to an on-premises environment of a specific company and its SaaS service was not affected.
Immediately after uploading the video, YOurAnonWolf, allegedly the leader of SiegedSec, argued that he had gained access to all customer projects of WhaTap and that he does not believe statements from victim companies, as they often lie to cover up their mistakes.
◇ SiegedSec group history
The SiegedSec group, which started its full-fledged activity on a deep web forum and Telegram in April 2022, has reportedly stolen data from 17 companies and organizations around the world. The group tends to disclose all leaked data and has not mentioned selling it in any previous reports, which suggests that it may not be interested in financial gain.
According to DarkOwl, a global dark web intelligence firm, SiegedSec started its activity last February and appears to have accessed sensitive information and compromised emails and databases from at least 30 companies in a variety of industries around the world, including India, Pakistan, Indonesia, South Africa, the United States, Philippines, Costa Rica, and Mexico.
The SiegedSec group is also known for conducting the so-called Operation Jane attacks, which affected government servers in Arkansas and Kentucky during June and July. The group insisted that the attacks were arranged as a protest against the U.S. Supreme Court's ruling, which decreed that there is no constitutional right to abortion in the United States. Last June, SiegedSec uploaded about eight gigabytes of personal identification data said to have been stolen from the two states.
The cover image of this article was designed by Sangseon Kim.
Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.