Military, DOST links found in DDoS attacks on media – report

Sweden-based digital forensics nonprofit Qurium Media recently released a report about distributed denial-of-service (DDoS) attacks on alternative media outlets Bulatlat and Altermidya, as well as human rights group Karapatan.

The report claims to have found links to the Department of Science and Technology (DOST) and the military.

One attack dated May 18, 2021, 7:33 pm, originated from a machine with an IP address (202.90.137.42) that belongs to the Philippine Research, Education, and Government Information Network (PREGINET), a project under the DOST.

The attack was a vulnerability scan, which tests a network for potential weaknesses. System administrators can perform vulnerability scans, but this one came from an external entity, likely to see how best to attack the network.

PREGINET is a research and education network (REN) interconnecting academic, research, and government institutions. 

Another machine in the network which Qurium says has links to the attacks has the IP address 202.90.137.43 with the details “acepcionecjr@army.mil.ph Taguig Red Server.” The mil.ph domain is reserved for the Philippine military. 

Qurium says that the “Red Server” appears to be a reference to Sophos XG Technology Remote Ethernet Device (RED), which is a small network appliance that allows for the building of internal networks. 

Bulatlat, in its own report of the findings, said, “We are not surprised by the results of the recent digital forensic. State agents and the National Task Force to End the Local Communist Armed Conflict (NTF-ELCAC) have consistently labeled us as communist fronts for pursuing journalism for the people. Still, we are angered that taxpayers’ money is being spent to bring down our website, and to deny our readers access to our reportage.”

The alternative media sites have routinely faced DDoS attacks, which they pin on the current administration, with Qurium tracing attacks to a Philippine-based attacker back in 2019 as well.

The DOST issued a statement Thursday, June 24, denying the report's implication, calling it "unfounded and patently false."

"As part of DOST’s responsibility and mandate in terms of ICT management, DOST-ASTI is part of a larger government network and DOST-ASTI assists other government agencies by allowing the use of some of its IP addresses in the local networks of other government agencies," the department said.

The claim that the DOST was part of the attacks was "solely based on the tracked IP address and does not translate to the department’s involvement in the matter."

Meanwhile, AlterMidya, a network of over 30 independent media outfits, called on the DOST "to conduct its own investigation on the use of their IP, make its findings available to the public, and do its part in stopping the cyberattacks."

AlterMidya added, "Qurium has been instrumental in stopping the DDoS attacks we experienced in 2019. There is no reason to doubt their expertise in tracing the attackers."

Rappler has reached out to the AFP for its statement. – Rappler.com

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.
