Philippines hit by China-linked cyber attacks and disinformation

A recent massive increase in cyber disinformation and hacking campaigns against the Philippines coincides with rising tensions between the country and its superpower neighbor, China.

According to Resecurity researchers who tracked the campaigns, the cyber attacks consist of a combination of hacks and leaks (55%), distributed denial of service (10%), and disinformation and influence campaigns (35%). The main targets are the government (80%) and educational institutions (20%) in the Philippines. These attacks, against police agencies, ministries and universities, and the related data leaks are sowing discontent in the country, according to the researchers.

This represents a four-fold (325%) increase in what researchers identify as malicious cyber espionage activity against the Philippines in the first quarter of 2024 compared to the same period last year. “The goal of this activity is to discredit the government and create chaos through cyberspace, as the Filipino population also relies on digital media channels and is active on social networks,” says Shawn Loveland, COO of Resecurity.

Resecurity worked with Philippine authorities to trace the source of the attacks to online infrastructure in China and Vietnam. According to Resecurity, these “false flags” and “other territories” could be China’s allies in such campaigns or provide it with necessary infrastructure.

Fake news

The targeting of the cyberattacks is related to disinformation campaigns that spread Chinese narratives on topics such as regional disputes over territories in the South China Sea.

In a blog post this month, Resecurity detailed the many different groups associated with this collective activity. In one notable attack, a threat actor going by the alias “KryptonZambie” claimed to have obtained over 152 gigabytes of stolen data containing identity cards of Philippine citizens from anonymous sources. Resecurity investigated this claim, which referred to a post on Breach Forums, a Dark Web site, but found it to be unfounded. The threat actor did not respond to any messages sent by Resecurity investigators to a Telegram account used to publicize the alleged breach.

Other elements of the campaign included the release of an “audio deepfake” of Philippine President Ferdinand Marcos Jr. purportedly ordering military action against China. There is no such directive, according to authorities in the Philippines.

It’s not all fake, though. Many of the groups covered in Resecurity’s report, including Philippines Exodus Security and DeathNote Hackers, carried out attacks that led to a confirmed data breach.

Not real hacktivists

While some of this activity may resemble that of activists, Resecurity believes nation-state-backed hackers from China or perhaps North Korea (another regional adversary of the Philippines) are to blame.

Resecurity reported that over 12 government organizations in the Philippines were targeted in the same time frame – hallmarks of a coordinated and well-organized attack by state actors rather than independent hacktivists.

“Exploiting hacktivist-related nicknames allows threat actors to avoid attribution while creating the perception of internal social conflict online,” according to Resecurity.

Last year a Chinese state-linked advanced persistent threat (APT) group known as Mustang Panda hacked a target of the Philippine government through a simple sideloading technique. “This group has a strong focus on the Philippines and [is] still active,” according to Resecurity. Cyberattacks by the group against Philippine government entities have been actively promoted via social media.

As of April 2023, more than 800 gigabytes of documents from both applicants and employees of several state agencies, including the Philippine National Police (PNP), the National Bureau of Investigation (NBI), the Bureau of Internal Revenue (BIR), and the Special Action Force (SAF), have been compromised.

This was followed in September by a breach and ransomware attack against the Philippine Health Insurance Corporation (PhilHealth) that led to the disclosure of hospital bills, internal memos and identification documents. According to cyber threat detection firm Gatewatcher, an investigation into the full extent of the leak is still ongoing.

Why spy?

China (and to a lesser extent North Korea) is the prime suspect in much of this wrongdoing, according to Resecurity and other threat intelligence experts.

“China is a much more complex and nuanced territory than is generally portrayed. Its internal pressures will likely lead to an increase in cyber espionage activity, rather than slow it,” says Ian Thornton-Trump, CISO at threat intelligence firm Cyjax.

“The PRC’s approach to cyberspace has always been to use it to advance its own commercial interests, extracting technologies from Western companies and creating a protected domestic market for these industries, giving them an advantage in the global marketplace,” notes Thornton-Trump.

Relations between China and the Philippines have deteriorated in recent months. Beijing has condemned Philippine President Ferdinand Marcos Jr.’s congratulations to Taiwan’s President-elect Lai following the latter’s recent election. China considers Taiwan a renegade province.

The Philippines recently reaffirmed its strong alliance with the United States, announcing plans for “more robust” military activities with the United States and its allies, much to the chagrin of China. Additionally, the Philippines and China are in conflict over territorial claims involving islands and waters in the South China Sea.

Incident response

The United States, Japan and the Philippines have recently entered into a cyber threat-sharing agreement in the wake of growing attacks by China, North Korea and Russia, a development that will likely help the Philippines keep pace with the rising tide of cyber threats.

Understanding the pattern behind the rise in malicious cyber activity is the first step in combating it, experts say. “By better understanding the country’s internal forces and how they relate to its cyber strategy, we can plan better defenses against PRC cyber espionage,” says Cyjax’s Thornton-Trump.

Resecurity offered recommendations to safeguard both the Philippine population and businesses from cyber attacks:

  • Accelerate the protection of the digital identity of Filipino citizens, as hacking and information leakage activities put the disclosure of their personal data at risk.

  • Strengthen web application security by implementing web application firewalls (WAFs), continuous vulnerability assessment and pen-test automation to detect and contain vulnerabilities before attackers exploit them.

  • Create online fact-checking services to fight misinformation and influence campaigns. Citizens should be offered a procedure to report suspicious online activity.


