Cybercrime , Fraud Management & Cybercrime , Geo Focus: Asia

Filipino Hacktivists Destroy Technology Agency Servers

Attackers Dismantle Department's Server Infrastructure, Delete Up to 25TB of Data
Filipino Hacktivists Destroy Technology Agency Servers
Filipino activists observe the anniversary of the EDSA People Power Revolution. (Image: Shutterstock)

A Filipino hacktivist group broke into servers owned and operated by the government's Department of Science and Technology and deleted up to 25 terabytes of confidential data and backups.

See Also: Advancing Cyber Resiliency With Proactive Data Risk Reduction

The group, operating under the pseudonym "ph1ns," announced on Tuesday that it targeted the department's servers, compromised two network-attached storage devices, obtained access to virtual servers and employee devices, and deleted all of the data and backups it could access.

The Department of Information and Communications Technology, the government's cybersecurity agency, said on Thursday that the cyberattack locked the affected department's employees out of their computers. DICT spokesperson Assistant Secretary Renato Paraiso told local news agencies in a Zoom news conference that the government is aware of the hacktivist group's claims and is taking steps to restore access to the DOST system.

"The first message of the threat actors was somewhat political. So, we're not discounting that this is part of hacktivism or something more nefarious or devious," he said, adding that the attack compromised "mostly data under the custody and care of the DOST."

"These include proposals for inventions, and even their backup and redundancies were also compromised," Paraiso said. DICT said the cyberattack resulted in the loss of up to 25 terabytes of data stored by the DOST.

The hacktivist group, which executed the attack under the banner #OpEDSA, calls itself a civil rights group and draws inspiration from the EDSA People Power Revolution, a major anti-government people's movement in 1986 that forced then-dictator Ferdinand Marcos Sr. to step down. His son, Ferdinand R. Marcos Jr., presently serves as the country's president.

The group has regularly launched cyberattacks against the government's digital infrastructure to destroy its credibility, creating another front for the government, which is also dealing with a major rise in nation-state attacks and espionage operations, particularly from China.

An analysis by Filipino cybersecurity company Deep Web Konek found that the hacktivist group conducted extensive reconnaissance on DOST's servers, probed the department's web applications for vulnerabilities and inspected accessible domains associated with the servers before launching the attack.

The hackers first executed malicious code to gain initial access to the server infrastructure and proceeded to establish persistent access to NAS devices and delete data stored on the devices. They also obtained root access and obtained administrative control over the server infrastructure before rendering the NAS devices irrecoverable.

"To ensure continued access to the compromised systems, the attacker installed backdoors within the DOST Servers' infrastructure. These backdoors provided them with persistent access, allowing them to maintain control even in the face of potential detection and removal efforts," Deep Web Konek said.

When contacted by the cybersecurity company, a member of the hacktivist group said it specifically targeted DOST's servers to expose the technology department's vulnerability to attacks.

"I've been scanning different agencies and found the DOST quite vulnerable. I decided to focus on this one to show the irony of an agency specialized in technology being so badly protected. Their networks were not badly configured, but they made some major mistakes," the hacker said.

Deep Web Konek found that the dump of stolen and deleted data includes emails exchanged within the department, HR logs pertaining to DOST employees, attachments, about 70,000 Chrome HTML documents, and over 10,000 embedded image folders.

"The comprehensive nature of the breach and the diverse range of compromised data types amplify the risks to affected individuals and the organization. Reputational damage, financial loss and legal consequences are among the potential ramifications," the company said.

The Department of Science and Technology, which leads scientific and technological projects to boost the nation's economy, told Manila Bulletin that it is investigating the cybersecurity incident.

"We recognize the concerns this incident may raise among our stakeholders and the public, and we want to assure you that we are treating this matter with the utmost seriousness," said DOST Secretary Renato U. Solidum Jr.

"Our technical teams are working diligently to address any vulnerabilities and reinforce our cyber defenses. We will continue to enhance our cybersecurity protocols to prevent similar incidents in the future," he said.

The successful attack on DOST's servers has exposed the continued vulnerability of the government's digital infrastructure to cyberattacks from hacktivists and external foes alike. In February, the government accused China-based threat actors of hacking into the websites of multiple government entities and infiltrating government email systems (see: Philippines Accuses China of Hacking 6 Government Agencies).

In response to rising cyberattacks on government agencies, Marcos approved the DICT's long-pending five-year National Cybersecurity Plan in February, giving the agency more powers to modernize IT infrastructure, enhance cyber awareness and coordinate incident response.

Marcos also signed an executive order in January to create a National Intelligence Coordinating Agency that now serves as the lead agency to direct, coordinate and integrate government efforts to safeguard national security.

The executive order also established the Office of the Deputy Director General for Cyber and Emerging Threats under NICA to plan, supervise and coordinate the agency's responses to cybersecurity threats.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.