Digital rights org claims cyberattacks against Filipino media outlets come from government and army
IP address inside Department of Science and Technology ran a vulnerability scan on target
Qurium Media Foundation has reported a campaign of DDoS attacks on Filipino media outlets and human rights organisations that appear to be coming from the country's Department of Science and Technology (DOST) and Army.
"During the past month, Qurium has received brief but frequent denial attacks against the Philippine alternative media outlets Bulatlat and AlterMidya, as well as the human rights group Karapatan," said the Swedish digital rights, data protection, and internet security NGO in its online report.
The flooding of the websites with superfluous requests to overload them and render them inaccessible occurred on 17, 18 and 20 May, 6 June, and again during the late night and early morning of 22–23 June.
On 18 May, a DOST machine ran a vulnerability scan on Bulatlat with what Qurium said resembled Xerosecurity's "Sn1per" tool. Network attack surface and risk assessments of this type are rarely done without permission from a system owner, and this scan is believed to have been the perpetrators checking on the status of the cyberattacks.
A closer look by Qurium into the DOST machine's network revealed an identical firewall configuration, suggesting action by another machine within the organisation. Its digital certificate was linked to an email address issued by the Office of the Assistant Chief of Staff for Intelligence (OG2-PAS) of the Philippine Army.
The attacks come at a time when the three targets have reported on potential investigations into crimes against humanity for drug war killings, as well as low mass testing for COVID-19, and other items critical of Philippines President Rodrigo Duterte.
DOST originally denied involvement but said that the organisation assists "other government agencies by allowing the use of some of its IP addresses in the local networks of other government agencies."
On 1 July, DOST's Rowena Guevara refused to name the office within the department linked to the cyberattacks in an interview with Filipino news outlet ABS-CBN, claiming it was part of an ongoing investigation.
"Our position in general without naming names is that any attack on any IP address that is malicious is not acceptable. However, we also believe that when we issue the IP addresses, we take it for granted and we assume that the agency to which we issue this address will do the protection necessary and will adhere to standards and acceptable usage policies within the network."
On Tuesday, Bulatlat agreed with an op-ed calling DOST's response "a virtual washing of hands over that fundamental responsibility."
ABS-CBN news pointed out that the May 2022 elections in the Philippines are nearing and are a typical time for attacks and disinformation.
Duterte has reached the end of his term-limited presidency and is ineligible for re-election. However, he has named his daughter Sara as one of his potential successors. ®