Hacker group mounts DDoS attacks vs PH news outlets, hailed by gov’t

Gelo Gonzales
(2nd UPDATE) Pinoy Vendetta’s DDoS attacks are considered illegal under the Philippines’ e-commerce law, but the government’s anti-communist task force endorses its activities
AT A GLANCE:
  • The Pinoy Vendetta hacking group claimed credit for a series of DDoS attacks against critical media, political opposition figures, and the Communist Party of the Philippines (CPP).
  • The group started publicly posting about the DDoS attacks in June 2021. Before that, most of the content on their Facebook page was general cybersecurity news.
  • The National Task Force to End Local Communist Armed Conflict (NTF-ELCAC) and its spokesperson Lorraine Badoy publicly endorsed the group in December, praising its attacks on the CPP. The NTF-ELCAC and Pinoy Vendetta have consistently denied any working arrangement between them.
  • A hacker from Davao has been found to have connections with the group, but disappeared right as the attacks began in June 2021.
  • DDoS attacks are a form of system interference that have been illegal in the Philippines since the enactment of the e-commerce law in 2000.
  • Statements coming from government body NTF-ELCAC and spokesperson Lorraine Badoy endorsing the hacker group and its attacks may also constitute a violation of specific criminal laws.

Editor’s Note: Posts linked here from facebook.com/PinoyVendetta are currently inaccessible. The Facebook page had its audience limited or deleted, according to a Facebook message that appears when accessing the page. The page became inaccessible between 2 pm and 4 pm on Wednesday, February 23. On March 2, a Meta spokesperson told Rappler: “The pages have been removed from Facebook for repeatedly violating our policies.”

On December 11, 2021, the day the news website of ABS-CBN went down for several hours, Facebook page Pinoy Vendetta published a quote from African-American leader Malcolm X: “The media’s the most powerful entity on earth. They have the power to make the innocent guilty and to make the guilty innocent. Media has the power to influence minds, ideas, behaviors, and attitudes of the masses.”

The post, shown below, was accompanied by screenshots of an online tool that showed that the website was registering a network error. On the comments thread, Facebook users gleefully rejoiced over the news. One user said: “Manahimik muna kayo ngayon election.” (You should stay quiet for now, during the elections.) Another user wished that the same thing would happen to Rappler.

Since that attack on ABS-CBN, there has been a series of DDoS attacks targeting mainstream news websites. 

The three targets in December 2021 were Vera Files, ABS-CBN, and Rappler. That same month, Rappler analyzed the attacks together with Sweden-based digital forensics non-profit Qurium Media, and found similar attack signatures that led us to believe that the attacks may be coming from the same groups.

Pinoy Vendetta has claimed to have been behind these attacks, their posts showing either an advisory from the target website indicating that they’ve been attacked or a screenshot from a web service that checks whether a website is down.

In January 2022, they continued to do the same. They posted about the January 22 and January 27 attacks on Rappler; a January 23 attack on TV5; a January 27 attack on the Bulgar website; and a January 29 attack on GMA News.

The attack on GMA News came about a week after the January 22 Jessica Soho interviews with the 2022 Philippine presidential candidates. Pinoy Vendetta posted a screenshot showing a non-accessible GMA page, and the caption “Masarap ba sa eyes aling Jessica?” (Is it good on the eyes, Ms. Jessica?) Presidential candidate Ferdinand Marcos Jr. was heavily criticized for not appearing in the Jessica Soho interviews. He accused Soho of being biased, which GMA took exception to. 

The DDoS attacks continued in February against Rappler and CNN, with the group again making several claims.

A Pinoy Vendetta member by the name “Abdul” also told Manila Bulletin in a February 7 article that their DDoS targets were chosen due “to their biased reporting” and to “proved (sic) that their security is weakshit (sic).”

Before the December attacks on news websites, the group had also posted about news websites being down. In July, they showed Inquirer being down, although they claimed that they were only reposting upon the request of a friend (“pinapost lang ng kaibigan naten”). In August, they showed the Philstar and TV5 websites being down, too, although this time there was no explicit statement about a friend requesting them to post about it.

The group has also claimed credit for cyberattacks against the websites of Filipino politicians mostly from the opposition, such as Senator Leila de Lima, former senator Antonio Trillanes IV, and the 1Sambayan website in June 2021, and Senator Richard Gordon in October. Gordon led Senate investigations into anomalous pandemic deals awarded by the government to Pharmally Pharmaceutical Corporation.

The group also posted about an attack on Vice President Leni Robredo’s OVP.gov.ph shown below. Their post said the site was attacked by “Ordinary Citizens,” referring to a group associated with Pinoy Vendetta and formerly housed in the Facebook page facebook.com/pv.theordinarycitizens. The page was also unavailable at the time of this article’s posting.

Attacks on CPP lead to NTF-ELCAC endorsement

The long series of DDoS attacks being publicly posted by Pinoy Vendetta began in June 2021.

Specifically, on June 21, 2021, Pinoy Vendetta posted about aiming a DDoS attack on CPP.ph, showing a screenshot of an inaccessible CPP.ph website. In the same post, the group showed other sites associated with the Left that were taken down: bayanmuna.com.ph and kabataanpartylist.com.ph.

On its post, it explained, “‘Di po kame nag DDoS ng walang rason (maliban nlng kung man to troll or testing hehe) Kung tayo po ay may pinaglalaban baket po ba naten dinadaan pa sa karahasan. Sa National govt naten pake ayos naman ng mga websites nyo akala nyo ba safe kayo nyan? pinag pipitik na namin kayo isa isa andali nyo po natumba Ano ba ginagawa ng mga ‘IT Experts’ naten dyan.” 

(We don’t conduct DDoS attacks for no reason, except when it’s to troll or to test. If we are fighting for something, why do we need to resort to violence? To the national government, please fix your sites. Do you think you are safe? We’ve been attacking you one by one, and you quickly crashed. What are your IT experts doing?)  

The group, in August 2021, made clearer its support for the government’s National Task Force to End Local Communist Armed Conflict (NTF-ELCAC). In a post, the group vowed: “I as a member of Pinoy Vendetta hacking group. I personally support NTF-ELCAC sa mission nilang buwagin at wakasan ang CPP-NPA-NDF na 52 taong nang ginugulo ang mga Pilipino.  d we can even down all the government shitty websites too. Pero kayong mga politiko kayo na gustong ma defund ang budget para matugis ang mga salot ng bayan at yung mga politikong hindi kaya kundinahin ang gawain ng CPP NPA NDF terrorists, humanda kayo t4ng1n4 nyong lahat isa din kayo sa mga kanser ng Pilipinas. AMEN!”

(I, as a member of Pinoy Vendetta hacking group, personally support NTF-ELCAC in their mission to bring down and end the CPP-NPA-NDF, which has been creating disorder for 52 years. We can down all the shitty government websites too. But you, politicians, who want to defund efforts to pursue the scourge of the country, and the politicians who can’t condemn what the CPP-NPA-NDF terrorists do – get ready, sons of bitches, you are cancer to the Philippines. Amen.)

The attacks continued, and in December 2021 the group got endorsed in public by the NTF-ELCAC and its spokesperson Lorraine Badoy. 

On December 30, Pinoy Vendetta shared a post from the NTF-ELCAC Facebook page showing a quote from Badoy praising the group’s takedown of the CPP-NPA-NDF website, calling them “computer geniuses.” 

“There’s this group, Pinoy Vendetta. If a group is able to take down a website for 24 hours, ang galing-galing na nila. But this Pinoy Vendetta, they were able to take down the CPP-NPA-NDF website for over a month. These [people] are organic. These are ordinary Filipino citizens – but of course, they’re computer geniuses,” Badoy said, with the quote being attributed to a December 28 program called Laban Kasama ang Bayan on the Apollo Quiboloy network, SMNI.

On January 2, Pinoy Vendetta shared another NTF-ELCAC post, this time a video of self-declared former communist rebel Jeffrey Celiz, urging the group to take down “other sites of communist front organizations.”

About a month later, the group would reshare another post, this time from Badoy’s Facebook page, praising the group’s attacks on the communist group.

In that same post, Badoy is seen in the comments thread repeating her endorsement of the group: “Henyo kayo at mga bayani. Kanya kanya tayong ambag dito para tapusin na ang nagbigay ng hirap at pighati sa pinaka maliliit nating kapatid at dahan dahang sinira ang Bansa natin. Hindi ko kaya yang ginagawa nyo. (Ang alam ko lang tungkol sa computer ay mang asar ng mga komunista sa Facebook). Maraming salamat at kasama namin kayo dito at dinig na dinig nila ang pagkasuklam ng Pilipino sa kanila dahil sa inyo.”

(You are geniuses and heroes. Every one of us is contributing something to end what has caused hardship and suffering to the poorest members of society, slowly destroying our country. I can’t do what you do. The only thing I know how to do on computers is to mock communists on Facebook. Thank you very much for being with us here, and they hear loud and clear the hatred of Filipinos for them because of you.) 

Badoy also reposted the Pinoy Vendetta post about the January 27 DDoS attack on Rappler. She said, “The computer geniuses who took down the CPP NPA NDF website also took down CRappler’s website.” 

She also left a laughing emoji reaction to a Rappler video reshared by Pinoy Vendetta about the Nobel website being DDoSed on Nobel Day.

Criminal offenses

DDoS attacks have been illegal in the Philippines since the enactment of the e-commerce law in 2000. The Philippines is one of the first countries to punish DDoS attacks, according to internet law expert JJ Disini. The offense carries with it penalties that include a minimum of P100,000 in fines and mandatory imprisonment ranging from six months to three years. Meanwhile, Badoy’s statements endorsing the group and its DDoS attacks may “constitute a violation of specific criminal laws,” according to human rights lawyer Ted Te.

The group has denied connections with the government, NTF-ELCAC, and Lorraine Badoy. In a February 16 post responding to a statement by the National Union of Journalists of the Philippines to stop the cyberattacks, the group reacted strongly, saying, “Even our server used to attack all of you came from our own wallet.”

A comment made by the group on the same post also addressed Badoy’s interactions with the group: “Lorraine Marie T. Badoy porket nag la-like at comment si maam Lorraine dito sabihin kagad connected? HAHAHHA FYI Commies natutuwa lang si Maam samin kasi kahit ordinaryong mamamayan na tulad namin ay hindi bulag sa katotohanan. ~abdul”

(Just because Ma’am Lorraine has liked and commented here, you immediately conclude we’re connected? Commies, Ma’am’s just pleased with us because ordinary citizens like us aren’t blind to the truth.)

The denials echo earlier statements of Badoy and Pinoy Vendetta. When Badoy praised the group in December, she said the group’s efforts were “organic” and were made by “ordinary citizens.” In Pinoy Vendetta’s August vow to support NTF-ELCAC, it said they were “not funded by the government.”

Pinoy Vendetta before the recent attacks

The Pinoy Vendetta Facebook page was created on October 30, 2014, but reports of the group’s activity had been documented on Pinoy Hack News as early as July 2013, when the group defaced the PCWorld Philippines website.

Other exploits of the group then, as documented on Pinoy Hack News, included the defacement of a number of government sites, one of which was accompanied by a message calling for a stop to mining in Zambales and another protesting the pork barrel scandal in 2013. Besides the government sites, also targeted were corporate sites like Globe and some banks, as well as hundreds of Chinese websites, in protest of animal cruelty. 

Moving forward to 2019 and 2020, most of the posts on Pinoy Vendetta’s Facebook page were signed by Pinoy Vendetta member “Crtc4L” – a 35-year-old Davao City-based hacker who also goes by the alias Shin Takata, according to evidence analyzed by Qurium and reviewed by Rappler. The hacker’s posts were mostly about cybersecurity issues, but from time to time, they indicated a pro-Duterte stance, taking potshots at opposition figures and government critics. 

In March 2019, Crtc4L called ABS-CBN biased, and deemed the station unworthy of being granted a new license to operate. Crtc4L also mocked then-senatorial candidate Samira Gutoc for wearing a life vest backwards in April 2019.

Throughout 2020, several other posts took aim at Pinoy Ako Blog, a website critical of the Duterte administration, as well as activists on TikTok who wanted to junk the anti-terror bill, and people speaking out against the ABS-CBN shutdown. 

In July 2020, the hacker also attacked the Communist Party of the Philippines, calling the developer of their website, CPP.ph, “pulpol” (dumb).

On May 28, 2021, Crtc4L made his final post on the Pinoy Vendetta page signed with his name: “Hello! kumusta kayo? sorry hindi ako naka post dito sa sobrang busy” (How are you? Sorry I haven’t been posting here because I’ve been so busy.)

The next month, in June 2021, the attacks against the CPP started, as did attacks against critical news media and the political opposition, culminating with the endorsement by NTF-ELCAC spokesperson Lorraine Badoy of the group’s DDoS attacks. These attacks continue up to now.

Crtc4L – the most visible on the Pinoy Vendetta Facebook page from 2019 to 2020 – disappeared as the attacks began. The silence from Crtc4L was briefly interrupted in January 2022 when a post congratulated the group and greeted them “Happy New Year,” using the Shin Takata account as shown in the screenshots below.


Shin Takata/Crtc4L, in a message to Rappler a few hours after publication of this story on Thursday, February 24, said he has “no connection to the group” because he left it “after [his] last post.” His last known post on the Pinoy Vendetta page was on May 28, 2021.

He also said he “did not do” or was not behind any of the attacks, and that it was the handiwork of other members of the group. He said he only shares the weakness he finds in a site, but does not disrupt its operations. Shin Takata also said he had not been the only one handling the Pinoy Vendetta page and that he does not know who the other members of the group are, nor where they live. – Rappler.com

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.