Cyberattacks on red-tagged news sites traced to DOST, Army

0
223

By: Krixia Subingsubing – Reporter/Philippine Daily Inquirer / June 24, 2021

MANILA, Philippines — A recent series of cyberattacks to temporarily block access to the websites of two alternative news organizations and the human rights group Karapatan were traced to computer networks of the Department of Science and Technology (DOST) and the Philippine Army, according to a Swedish digital forensic group.

In its report, “Attacks against media in the Philippines continue,” published on Tuesday, Qurium Media Foundation said it recorded “brief but frequent” distributed denial of service (DDOS) attacks against bulatlat.com, altermidya.org, and karapatan.org.

Bulatlat, Altermidya, and Karapatan have been red-tagged or vilified by state agents as fronts for the Communist Party of the Philippines and its armed wing, the New People’s Army.

The three groups denounced the cyberattacks.

Bulatlat said these were “politically motivated and state-sponsored” attacks after the National Task Force to End Local Communist Armed Conflict had “consistently labeled us as communist fronts for pursuing journalism for the people.”

Karapatan said the “attacks against the people’s freedom of information” were conducted by “cowards” who “hide behind the online cloak of anonymity.”

‘Flooding’

In a DDOS attack, the perpetrators “flood” the targeted machines or resources with superfluous requests to overload the host and disrupt its services, rendering them inaccessible to others, including the general public, for the duration of the attack.

Qurium found at least five attacks against the three groups — on May 17, May 18, May 20, and two on June 6.

In simultaneous attacks at 2:24 a.m. on May 17 against Bulatlat and Karapatan, Qurium said the attacker used several means to verify whether the attacks were successful.

The following day, at around 7:30 a.m., Qurium saw a “vulnerability scan” being conducted against Bulatlat’s website, which is one way to assess computers, networks, and applications for possible weaknesses.

Qurium said “one machine from the Department of Science and Technology” (DOST) launched the vulnerability scan, identifying its internet protocol (IP) address as 202.90.137.42.

“The IP seems to belong to the Philippine Research, Education, Government Information Network,” or Preginet, which is billed as the “only REN (research and education network) in the Philippines.”

It is a unit under the Advanced Science and Technology Institute (Asti) of the DOST, which is located at the University of the Philippines Diliman campus.

Zooming in, Qurium found that the Sophos firewall behind the DOST’s IP address had a certificate under “IP Solutions Inc.”

The company that signed the digital certificate was found to be a supplier of hardware and services to the Philippine government, it said.

Army statement

Qurium said another unit in the same IP address was also registered to a certain “[email protected],” which is under the official domain and website of the Philippine Army.

IP Solutions could not immediately be reached for comment.

Army spokesperson Col. Ramon Zagala said the Philippine Army “respects freedom of expression and per policy, will never infringe that freedom.”

“We take these accusation of cyberattack seriously and we will not condone or tolerate it if such occurred against media entities. Rest assured we are servants of the people and protector of freedom of expression,” Zagala said.

‘Already in touch’

The Inquirer reached out to the chief of staff of Science Secretary Fortunato dela Peña for comment but he only replied that they were “already in touch” with Asti about the matter. There was no response from Asti as of press time.

According to Qurium, from 10:50 p.m. on June 6 to 3 a.m. the following day, Bulatlat and Altermidya were under a DDOS attack and subjected to “pen testing,” also to check for vulnerability.

Bulatlat said it was “angered that taxpayer money is being spent to bring down our website and to deny our readers access to our reportage.”

It was during the May 17 attack that Bulatlat published reports on the designation of 19 individuals as terrorists by the Anti-Terrorism Council and the arrests of activists and elderly peasant leaders in Northern Mindanao.

On June 16 and June 22-23, Bulatlat journalist Len Olea said they were updating their stories about the possible investigation of President Rodrigo Duterte’s alleged crime against humanity involving murder by the International Criminal Court (ICC), the death of a political prisoner and the low capacity for mass testing for COVID-19.

ICC probe story

Altermidya noted that the attacks happened after it published a story also on the ICC prosecutor’s request to investigate Mr. Duterte.

Cristina Palabay, secretary general of Karapatan, said the May 17 attack on its website, which was overwhelmed by 350,000 hits in less than five minutes, was also when it posted a statement calling for the immediate release of two elderly Mindanao peasant leaders—Marcela “Silay” Diaz, 59, and a stage 4 cancer patient, and 70-year-old Virgilio “Yoyong” Lincuna, a former political prisoner and stroke survivor with partial paralysis.

“We believe that this attack is meant to keep our website down,” Palabay said.

She said the May 20 attack might have been “meant to track down” visitors of the Karapatan website.

“On that day, we posted materials related to our submission of cases and recommendations to the Supreme Court on search warrants and trumped-up charges against activists and on the rules on the petition for the writ of amparo and habeas data,” she said.

—WITH REPORTS FROM DEXTER CABALZA AND JEANNETTE I. ANDRADE