Disclosure of company facilitating massive cyber attacks against 20+ regime critical Philippine websites



Victims of attacks are filing lawsuit against company enabling them

March 29, 2019

March 12. Demonstration in front of the CERT-PH

“We’re in,” Dr. John Brule said on March 29, 1994, when the Philippine Internet had just been born. 25 years later, a coalition of Philippine media outlets and civil society organizations are taking legal actions against Suniway Group of Companies Inc, the company who’s infrastructure made possible the cyber attacks that have been targeting them during a three months’ period. The Philippines has a bad track record of threats against press freedom with 85 documented cases of intimidation and 12 journalists killed during President Rodrigo Duterte regime (June 2016 – present).

The National Computer Emergence Response Team of Philippines (CERT-PH), responsible for cyber crimes within the country, have not paid any attention to the case despite repeated requests and online campaigning. Since early February, Qurium has been providing Secure Hosting with Distributed Denial of Service protection and forensics analysis of the attacks to a handful of targeted organizations. As a founding member of CiviCERT, a CERT for civil society, Qurium has reached out to CERT-PH asking them in multiple attempts to initiate an investigation based on the forensics provided by Qurium.

On March 12, the victims of the cyber attacks held a demonstration in front of the CERT-PH to request a response. Three days later, CERT-PH responded but, according to Qurium, “showed little interest” in the case . As a result of CERT-PH’s lack of commitment to assist the regime critical organizations, Qurium has launched their own forensics investigation to trace back the attacks.

February 1. Tweet on Bulatlat’s Twitter account

Portrait of the attacker

The nickname of the Philippine attacker is P4p3r. His ’employer’ has given him a list of a dozen regime critical websites to attack: independent media, human rights organizations, political parties and journalists’ associations. P4p3r was so certain of his impunity that he did not go to the dark web to find a solution. Instead, he bought attacks from public services that test networks, and when those failed to take down the sites, he entered a public Telegram channel of a popular DDoS launcher and asked for help. That is where we found him.

“Anyone can help me to down these f***ing websites? I really need to down them”.

The first victims were the media outlets Bulatlat, Kodao Productions, and Pinoy Weekly who came under attack in December 2018. Attacks escalated and included more websites, a total of 20 organizations, in January 2019. All of them had something in common: they had reported on issues critical to the Rodrigo Duterte administration.

P4p3r had resources to rent Virtual Private Servers, Virtual Private Networks, private botnets and DDoS services to attack sites. By purchasing illegal services, P4p3r launched DDoS attacks during 50 days against the targets on the list. Daily attacks. One of the largest lasted 90 minutes and was using not less than 12 different attack vectors.

Qurium, who hosted many of the target sites, was also attacked. Qurium has assisted independent media against DDoS attacks for the past decade, and they have never seen such magnitude and scale of Distributed Denial of Service (DDoS) attacks launched in one single country.

Forensic investigation

Qurium’s forensic investigation quickly discovered that there was a pattern: the same techniques and same botnets were being used against all websites. As the attacks continued and increased in time and size, the attacker become less careful. He made mistakes, which created opportunities for Qurium to dig deeper.

Qurium could conclude that P4p3r was hiding behind a sea of Virtual Private Networks intended to hide his real location. It was a network of tunnels that came and went from Philippines, Hong Kong and China. The owner of this “sea of tunnels” is a Philippine company called Suniway Group of Companies Inc., which  will play a key role in the investigation.

The forensics investigation proofs that the attacker is hiding behind Suniway infrastructure, and can easily be identified by Suniway if they were interested in attributing the attacks that have been facilitated through their infrastructure. Qurium has reasons to believe that P4p3r is known by Suniway, as he has administrative rights to servers in their core infrastructure.

Stop media repression

In front of this wall of silence, the victims keep protesting in real life. On March 22, a second demonstration took place in front of the University of the Philippines’s College of Mass Communication, with the slogans “End impunity”, “Stop cyber attacks” and “Stop media repression”. A #MirrorUs campaign was launched as well.

On March 29, 25 years after the born of the Internet in the Philippines, independent media and organizations (Bulatlat, Kodao, Pinoy Weekly and AlterMidya) are filing a civil lawsuit against Suniway, the company who’s infrastructure made possible these cyber attacks. The attacks have slowed down for now, but they are likely to re-appear soon again, since the general elections of the Philippines will be held on May 13th. We can expect another wave of attacks attempting to silence regime critical voices in favor for the Duterte regime and his allies.

Those that do not act, those that do not speak up, those that facilitate the work of cyber criminals, silently supports the attacks against press freedom. Silence is consent.

Complete forensics report: Attributing the attacks against independent media and human rights organizations in the Philippines.