MANILA (SCMP) – All it apparently took for one Philippine hacker to break into a government website was “Admin123” – a password that reflects what experts say is the authorities’ lax attitude towards cybersecurity that not only leaves millions of Filipinos vulnerable to identity theft but has exposed some of the country’s top military secrets.
On October 3, hackers released a massive trove of personal data from the servers of the Philippine Health Insurance Corporation (PhilHealth), after the state insurer refused to pay a ransom of USD300,000. The breach affected millions of people, including domestic residents and overseas Filipino workers in places such as Hong Kong.
Last Sunday, the homepage of the Philippines’ House of Representatives was defaced with a drawing of a smiling troll face and had to be taken offline. It is currently under maintenance.
Late on the same day, a Filipino hacker said during a live discussion on X, formerly Twitter, that he had broken into at least five major government agencies and downloaded gigabytes of data, apparently to expose the security weaknesses of the websites.
The man, who called himself DiabloX Phantom, claimed he was a 19-year-old hacker from southern Davao city, who once worked in government as part of a “red team” – a group hired to challenge cybersecurity controls.
He told This Week in Asia: “I’m a hacktivist and I’m angry that these problems have long been known and openly pointed out but the government has done nothing to address them.”
This Week in Asia was unable to independently verify the true identity of the person claiming to be DiabloX Phantom.
He claimed he had hacked into the servers of the Philippine Statistics Authority, which handles the country’s national identification cards; the Philippine National Police’s forensics database that contains case files on the victims of rape, among other crimes; as well as the websites of the Department of Science and Technology, the Technical Education and Skills Development Authority (Tesda), and Clark International Airport.
He said he had little difficulty breaking into government servers using the cyber “tools” he had prepared. For instance, he said he easily breached the Department of Science and Technology because its password was “Admin123”.
DiabloX Phantom said he also sent an email containing malware to a Tesda employee to gain access, while he found an “open” door to the Philippine National Police through a subdomain of the website. The Clark International Airport website had a registration form with an image uploader, which he used to push through a source-code file that instructed the server to give him access.
For some sites, he said he could simply go in through “back doors” – or vulnerable points of entry – created and left open by other hackers. He denied any involvement in the PhilHealth or Congress hacks.
Asked what he intended to do with the data he had collected, DiabloX Phantom insisted: “I don’t ever intend to sell it (and) it depends on what the government does about the problem I exposed.”
The Philippine government has given some 150 million active SIM card owners up to next August to register, including those retained by overseas Filipino workers in cities like Hong Kong. Photo: AFP
Philippine security specialists independently verified the hacker’s feats and data packages. According to Carlos Nazareno, a cybersecurity advocate and rights initiatives director of Democracy.net.ph, one way that hackers leave evidence of their breach is by planting a text file on an infiltrated server and then sharing a link to that file on social media.
Nazareno said in the past 30 days, aside from PhilHealth and the websites mentioned by DiabloX Phantom, top institution De La Salle University was also likely to have been hacked. He described what was happening as “a fiesta”.
No single individual or organisation was behind all the hacks, Nazareno said, adding that Filipino hackers had a range of motives. “They want to prove government systems are insecure, or they want attention, to show off their skills. Or maybe they just want to do it for laughs.”
The Congress website was defaced by a person or group called “3musketeerz”, which wrote in Tagalog and English: “Have a nice day, Happy April Fool’s although it’s still only October. Fix your website.”
Dominic Ligot, a security specialist and executive director of Data Ethics PH, said hacking attacks occurred regularly, given the country’s “poor state of cybersecurity culture”.
“We don’t have a very strong privacy culture, that’s why data is very vulnerable in the Philippines,” he said, noting that data leaks had been happening for years.
Ligot said hackers who believed they were doing a public good by exposing a vulnerability were putting citizens at further risk, as their “credentials are out there”. He noted how, for example, the pilfered PhilHealth data had images of identification cards and mobile phone numbers.
“The moment you have an email, a phone number and an ID, you can already commit identity theft,” Ligot warned.
Meanwhile, for weeks now, Nazareno said reams of Philippine military secrets had been offered for sale on the ‘dark web’ – often used by criminals for illegal activities online.
He said among the data stolen was some 500 megabytes of documents from the National Intelligence Coordinating Agency, all related to the Philippine Air Force. The seller asked to be paid in cryptocurrency.
Experts say the government’s reaction has been slow, disjointed and dismissive. On October 13, the Department of Information and Communications Technology (DICT) admitted there had been “breaches” involving “experts’ data” but dismissed a report of the police website being hacked as “old” news.
This Week in Asia sent questions to the DICT, the Philippine Air Force and the police anti-cybercrime division, but did not get any replies.
“The downplaying of certain branches of government is infuriating,” Nazareno said, noting how “there was a week of stonewalling and denial from PhilHealth”.
PhilHealth was hit by Medusa Ransomware, named after a shadowy group that infiltrated the government agency’s servers, downloaded files and threatened to release them unless it paid up.
PhilHealth had refused and called the group’s bluff, but was later forced to admit that “some” members’ data had been compromised when stolen information – amounting to some 700 gigabytes’ worth, according to one news report – started surfacing on the dark web.
The insurer’s Data Privacy Officer Nerissa Santiago on Wednesday said the attack compromised the data of 13 million to 20 million members.
Nazareno described PhilHealth’s actions as being marked by “hubris, ignorance and incompetence”.
He noted that while not all government agencies were lax with security, “the typical government agency…is sloppy and lacks experts and funding”.
In PhilHealth’s case, the attack was aided by the fact that the agency had not approved a request to renew its subscription for an antivirus program, Ligot said. “It’s good to admit this, but it’s also very tragic. Usually these antiviruses don’t really cost a lot.”
The data leaks hark back to other incidents over the last few years after which the government and public were seemingly indifferent to actual breaches.
Filipinos had to register their SIM cards to comply with a new law earlier this year meant to crack down on mobile phone scams and other crimes. Police later discovered criminal syndicates offering tens of thousands of fake pre-registered SIM cards, while some users who registered their SIM cards said they had received scam texts offering jobs, rewards, and were even identified by name.
Three people were arrested in Metro Manila in September for selling 5,000 “registered” SIM cards, while in August, a raid of a gambling hub turned up 28,000 SIM cards.
In a February 2016 incident known as the “Comelec leak”, two groups of hackers – Anonymous Philippines and LulzSec Pilipinas – defaced the Commission on Elections website and revealed they had pilfered 340GB of personal data from up to 55 million Filipino voters.
A month later, the data turned up on a website apparently hosted in Russia called “wehaveyourdata”, and access was unrestricted.
It was the biggest hack in the country’s history, but no one was prosecuted or otherwise punished, and there were no public protests. Nazareno recalled how the Philippine military dismissed the leak of soldiers’ names, training and assignments as “old data”. But the expert noted how damage could be done if the details were cross-referenced with the Comelec data.
The magnitude of the recent hacks is likely to prompt authorities into action and focus on DiabloX Phantom. But even if he and other actors were caught, it is unclear how they can be penalised. The Philippines’ cybercrime law that criminalises hacking has yet to be used in this regard.
In 2000, Filipino computer-science student Onel de Guzman, 24, made headlines when he unleashed the ILOVEYOU virus that infected computers worldwide. Guzman was not prosecuted because there were no laws in the Philippines at the time criminalising malware creation.
Ligot said until the government improved its security culture and practices, the attacks would continue.
“You know what’s funny? (The Philippine Air Force documents for sale) contain material relating to the creation of a national centre of excellence in cybersecurity,” he said. “The plans for cybersecurity were leaked because of a lack of cybersecurity.”