Hackers HUNT3RXM & TUNIX_WOLF, who call themselves the “Tunisian Attackers”, hacked the Immigration Bureau of Thailand’s official webpages, defacing over 20 subdomains within the Bureau’s website.
The list of subdomains is pretty extensive:
At the time this article was written (February 27, 2016), the subdomains remained defaced. Our research suggests that the hacktivists gained access to the websites and uploaded their defacement page to all of the websites on the same server simultaneously. Additionally, the pages bring up a pop-up notifier that prevents further action.
The “Tunisian Hackers” posted the following message on the Bureau’s website:
# Hacked By HUNT3RXM & TUNIX_WOLF #
Oops ?! Your System is F****d ?
Y0ur S3cuR1ty G3t D0wN By Tunisian Attacker :'(
Hacking is not a Crime ! Hacking is an Art !
Remeber This Name HUNT3RXM
./justice_will_prevail
Greetings to : Palestine – Tunisia – El Castro – A.L.A …
Lax Server and Browser Security is the Norm for the Immigration Bureau of Thailand
Our research on zone-h suggests that this isn’t the first time that this website has been hacked. According to zone-h archive records, the website had been hacked and defaced in both 2014 and 2015. This certainly shows that the websites and servers are both operating with poor security, and have been for the past 2 years.
We were unable to discern any specific motives behind the attacks; they didn’t seem politically or emotionally charged. We’ll keep you updated with any more activity from this hacktivist duo HUNT3RXM & TUNIX_WOLF.