Philippines: cyber attacks against independent media outlets allegedly conducted by government and armed forces (joint communication)

BACKGROUND

On 8 October 2021, I wrote a communication jointly with other UN experts to the Government of the Philippines regarding the cyber-attacks in May and June 2021 against independent media outlets, Bulatlat and Altermidya, and the civil society alliance Karapatan allegedly conducted by the Department of Science and Technology (DOST) and the Armed Forces of the Philippines (AFP).

Bulatlat is a long-running independent online media outlet in the Philippines. Altermidya (People’s Alternative Media Network) is a coalition of independent media outfits, institutions and individuals, founded in 2014. Karapatan is a civil society alliance of individuals, groups and organizations working for the promotion and protection of human rights in the Philippines, founded in 1995.

Karapatan was the subject of a previous communication sent to your Excellency’s Government by special procedures mandate holders on 23 April 2018 (PHL 4/2018), which noted the organization’s mention in 15 earlier communications from 2004 to 2018. Concerns regarding the ‘red-tagging’ of human rights defenders were raised in a previous communication sent to your Excellency’s Government by special procedures mandate holders on 22 January 2021 (PHL 1/2021), wherein the mandate holders highlighted that ‘red-tagging’ would “contribute to a chilling effect on civil society” and “a deterioration of human rights in the Philippines”.

This is a shorter version of the original communication.

Read the full communication

ALLEGATIONS

On 17 May 2021, at 02:24 and 02:40 (UTC), the webpages of Bulatlat and Karapatan were subject to cyber-attacks, through HTTP POST flooding and HTTP GET flooding respectively. On 18 May 2021, at 06:06 (UTC), the webpage of Altermidya was subject to a cyber-attack through flood requests using the Apache Benchmark tool and about 90 minutes later, a machine allegedly linked to the Department of Science and Technology (DOST) with IP address 202.90.137{.}42 launched a vulnerability scan against Bulatlat. The conducting of a vulnerability scan indicated that the perpetrators of the cyber-attack were checking to see if the attack on the platform had been successful. From the information we received, the IP address reportedly belonged to The Philippine Research, Education, and Government Information Network (PREGINET) – a unit within the Advanced Science and Technology Institute (ASTI) of the Department of Science and Technology.

On 20 May 2021, at 13:05 (UTC), the webpage of Karapatan was attacked with a small flood with user-agent AdobeUxTechC4-Async/3.0.12 (win32). On 16 June 2021, at 06:42 (UTC), the webpages of Altermidya and Bulatlat were subject to large flood cyber-attacks from multiple IP addresses. Between 22 June 2021 22:50 (UTC) and 23 June 2021 03:00 (UTC), the webpages of Altermidya and Bulatlat were subject to DDOS cyber-attacks for several hours.

As of 1 July 2021, another set-up with identical firewall configuration was noted, strongly suggesting that the machine was set up and operated by the same entity. The firewall digital certificate indicated that the machine was linked to the email address, acepcionecjr@army.mil.ph, and the Office of the Assistant Chief of Staff for Intelligence (OG2-PA) of the Philippine army (AFP).

On 24 June 2021, the DOST’s Advanced Science and Technology Institute (ASTI) which oversees the Philippine Research, Education, and Government Information Network (PREGINET) – to which one IP address linked to a cyber-attack allegedly belonged – responded to note that “the implication of DOST’s involvement in (the) said cyberattacks is unfounded and patently false”, and that the tracked IP addresses “do not translate to the Department’s involvement in the matter”. We are also aware of the statement of the DOST’s Undersecretary for Research and Development who stated that the IP addresses had been “distributed across government agencies for their organizational networks’ connectivity”, that the management of each network fell under the ambit of each agency, and that “it is clear that the DOST did not take part in the alleged cyber-attacks”.[1] To date, however, the DOST, whether through its ASTI office or otherwise, has yet to identify the agency to which the IP address in question had been assigned – noting that the Department is refraining from doing so to allow for the Department of Information and Communications Technology (DICT) to conduct a “proper and clinical” investigation into the cyber-attacks.[2]  

Altermidya, Bulatlat and Karapatan previously have been presented as a threat to national security and labelled as “communist” or “terrorist” organisations – including through statements made by representatives of your Excellency’s Government, both online and offline.

Also, Bulatlat has been facing several cyber-attacks since late January 2019 by “click farms” – troll factories which hire people to inundate webpages. In late 2018 and early 2019, Karapatan was subject to a targeted DDoS attack against its website, in which Suniway Group of Companies, a Chinese/Philippine telecommunications company with tight connections to online gaming, was allegedly involved.

CONCERNS

In the communication we expressed serious concerns that the reported cyber-attacks against Bulatlat, Altermidya and Karapatan may be linked to their human rights advocacy and independent media reporting. We are concerned that these attacks appear to have been carried out at a time the three organizations were reporting on a request by the Chief Prosecutor of the International Criminal Court to open a full investigation into potential crimes against humanity committed in the Philippine administration’s ‘War on Drugs’[3]; as well as arrests of peasant leaders and activists in Mindanao region; the designation in May of human rights defenders as “terrorists” by the Anti-Terrorism Council and on continuing low mass testing rates for Covid-19.


[1]   https://www.pna.gov.ph/articles/1144854

[2]   https://news.abs-cbn.com/news/07/01/21/investigation-ongoing-dost-wont-name-agency-linked-to-media-cyberattacks

[3]   https://www.bulatlat.com/2021/06/20/icc-probe-on-drug-war-must-be-pursued/; https://www.karapatan.org/on+icc+chief+prosecutor+bensoudas+request+to+formally+investigate+dutertes+crimes+against+humanity

Actions

Submit Information

Submit confidential information on a HRD at risk

Communications and Press Releases

How do communications and press releases work?

Contact Mary

Reuest a meeting with Mary or her team