Support Village Voice News With a Donation of Your Choice.
In an unsettling turn of events, the government of Guyana fell victim to a calculated cyberespionage campaign in February 2023, named Operation Jacana. Researchers at ESET, a renowned cybersecurity firm, identified the attack, which used a previously undocumented backdoor called DinodasRAT. Intriguingly, the backdoor’s moniker was inspired by a character from “The Lord of the Rings” because of the unique identifier it sent to its command and control servers, which always begins with the string “Din.” There is a persistent question about whether the government is even aware of the devastating compromise, since it was never revealed to the citizens of Guyana.
This malware wasn’t just named after a fictional character; it boasted alarming capabilities. It was designed to exfiltrate files, modify Windows registry keys, and execute commands through the Windows command prompt. But DinodasRAT wasn’t the only weapon in the attackers’ arsenal. The perpetrators also used Korplug, a tool associated with past cyber operations believed to be connected to China. While ESET couldn’t directly link the espionage to any known Advanced Persistent Threat (APT) group, it assessed with medium confidence that the campaign was the work of a threat group aligned with Chinese interests.
The initial penetration of the Guyanese governmental systems was through spearphishing emails. These weren’t generic spam emails but meticulously crafted messages meant to deceive their intended targets. Once the attackers had a foothold, they moved laterally through the internal networks, deploying DinodasRAT and other malicious tools, including a version of Korplug. The stages of this breach are depicted in Figure 1.
The implications of such an orchestrated assault are severe. Confidential state information, including diplomatic communications, financial records, and other vital documents, might have been exposed. DinodasRAT’s capabilities suggest that the hackers had real-time access to strategic communications, plans, and even financial data. This puts the nation at risk of blackmail, especially if compromising information about its operations or officials is unearthed.
Additionally, the malware’s command structure enabled the attackers to manipulate essential files, potentially disrupting governmental operations or even altering official records. The fact that they could traverse deeper into the government’s systems, in particular by using the SoftEther VPN client to tunnel into the network, broadens the potential impact of the attack. The resulting potential for misinformation could lead to public confusion, eroding citizens’ trust in the government’s ability to protect national interests.
Most alarmingly, the possible ties to Chinese hackers might strain diplomatic relations between Guyana and China. This comes at a delicate time when both nations are engaged in several bilateral ventures. Operational disruptions, the necessity for increased cybersecurity investments, and potential financial implications are now inevitable for the Guyanese government. The nation now faces the arduous task of damage assessment and fortifying its cyber defenses.