The new year break has been a bruising one for the Thai government, with members of the Anonymous collective attacking many Thai government websites in retaliation to its passage of the controversial computer crime law under the hashtag #opsinglegateway, which refers to the mass surveillance program that the Thai government still seems eager to push forward.
In one of the most high-profile attacks, the Thai consulate website in Los Angeles was not only hacked and defaced, but personal information of what was claimed to be people applying for Thailand visas was doxxed or leaked.
This was just days after security officials dismissed the Anonymous hackers as amateurs who could only deface websites, and that no databases had been compromised.
Government spokesperson Lt. Gen. Sansern Kaewkumnerd was one of the victims who had his personal bank accounts doxxed. However, Sansern shrugged it off, saying it was an old account that everyone in his unit was forced to open many years ago, adding the account itself was not hacked. Then the government spokesperson bluntly said that no government agency had been hacked and said that everyone was watching too many Hollywood hacking movies.
The Ministry of Foreign Affairs also had a database with personal data (seemingly of employees) doxxed and dumped on the dark web. Websites for the ministries of Tourism, Defence and ICT (Now Digital Economy), as well as the National Statistical Office, Army Veteran Affairs, Navy and numerous local administration and police websites were also at one point or another, taken down or defaced by the hacking collective in the past week.
The Anonymous collective are protesting the new Computer Crime Act that was unanimously passed by the junta-appointed legislature despite a petition with over 300,000 signatures calling for it to be reviewed.
The most controversial parts of the law are Section 16, which criminalizes mere possession of illegal information, and Section 20 which greatly expands the power of the Digital Economy Ministry.
Under Section 20, the DE will set up an ethics committee which can decree if any content, which may be legal, is counter to good ethics, after which the committee can either order it deleted or delete it themselves. Section 20 would require that all service providers cooperate and provide the DE with a back door for deletion of legal but immoral content. This has already caused many companies to rethink the future of their Thailand operations.
On 26 December, Police Commander Pol Gen Jakthip Chaijinda said the police had apprehended the hackers, and paraded one of them in front of the media. The suspect was allegedly in possession of guns, ammunition, drugs and a book on network security, all of which was put on display. The book in particular led to widespread ridicule on social media. The suspect has been denied bail and charged with drug offenses, possession of weapons, organized crime and the computer crime act itself, and faces 17 years behind bars if convicted on all offenses.
In a show of utter denial of the severity of attacks, police at the press conference said that the attacks were more like a pimple rather than a wound and reassured everyone that no data had been compromised.
“How can kids – 17, 18 or 19 years – old know anything, unless they were tricked by ‘them’?” Jakthip said, his voice full of contempt.
General Pravit Wongsuwan, deputy prime minister and defense minister, said that nine hackers have been apprehended so far.
The attacks nevertheless continued. Prominent Anonymous accounts have said that the suspect was just a scapegoat and have upped their attack demanding his immediate release.
The attacks have divided opinion among Thai netizens. Many say that the vicious attacks by Anonymous mean that the Computer Crime Act is necessary and even should be used aggressively to deal with Anonymous. Even the Thai Netizen Network, which led the 300,000-strong petition, has publicly distanced itself from Anonymous when the hackers started doxxing personal information. Others say that Anonymous is proving a point; that by showing how inept the government is with cyber security, it would be downright dangerous and reckless to allow them to continue with digitization of society until basic security literacy has been achieved.