Cyberattack vs alternative media traced to PH-based attacker

MANILA, Philippines – Swedish nonprofit Qurium Media Foundation, which provides rapid response services for media groups and civil society organizations, released a report on Friday, March 29, detailing how they assessed the distributed denial of service (DDoS) attacks that hit alternative media groups in the Philippines.

Not only did they attempt to explain the process by which they traced the attacker, they also detailed the steps after the investigation, which led to a lack of responses and, ultimately, appeared to force the victims of the DDoS attacks to file a suit against IP Converge, the Suniway Group of Companies, and specific members of both companies. (READ: Alternative media groups file civil case amid cyberattacks)

What did they find?

The report explained based on the group's findings the attacker is Philippine-based, is likely a native speaker of Mandarin, and uses the Telegram nickname "P4p3r."

It added that while most of the attacks were purchased from what are known as "booter services" – services that let users pay to have sites hit by DDoS attacks – the networks used to control the attacks "appear to be advertised in Hong Kong by the providers IP-Converge Data Center, Inc (AS23930) and Hong Kong Broadband Network Ltd (AS10103), but are in fact 'network traffic tunnels,' a special type of VPN (virtual private network) used to hide the traffic’s origin."

The infrastructure on which the attacker was ordering and performing these attacks against Philippine alternative media groups leads to a physical router that hides these connections, with the router being part of the infrastructure of Suniway Group of Companies Incorporated, a company registered both in Hong Kong and the Philippines that gives "network support to Chinese and Filipino companies in the Philippines."

Tracing the attacker 

The investigation began when Qurium first had to find the addresses linked to the attacks, which it did by tracking the attacker – who was using a VPN to start the attacks.

Forensic evidence from the attacks pointed to the attacker using NordVPN and "a different type of VPN service" with IP address 125.252.99.146 and 61.244.184.133 in Hong Kong. During their initial investigation in January, the attacker also used an Android phone on January 27 with address 110.54.223.67 from Globe Telecom

The next stage of the investigation had to do with determining the hidden networks, which they did by looking into the traffic traces and finding extra hops – travel points a data packet makes when it is sent online. The investigation eventually led Qurium to find the attacker operating from network infrastructure operated by Suniway.

Qurium added, "Looking at their network setup, it seems that Suniway is specialized in tunnelling network traffic to Hong Kong and from there to a CDN into China by carrier China Unicom and network 103.119.128.0/22. The company uses Sangfor VPN technology for their setup.

Qurium also found, through testing, that the networks were hosted in Manila under the supervision of Suniway, with the information tunneling back and forth from Hong Kong via private network. The group added IP Converge must be aware of Suniway's network setup because of how it announces the network 125.252.99.0/24, which was used by the attacker to perform the attacks.

The report also explained the attacker also appears to have a spreadsheet of targets, with more than one person monitoring the attacks.

Based on Qurium's findings, the attacker, using the Telegram nickname "P4p3r" and the account "P4perl" used Telegram for the purpose of hiring booter services for the attacks.

No response, no closure

As with many stories of cyberattacks, there are no easy solutions and sometimes, not even responses to give closure.

Before the filing of the civil suit, Qurium reached out to the country's Computer Emergency Response Teams (CERTs), notably Cybersecurity Philippines CERT (CSPCERT), beginning January 2018, though CSPCERT did not appear to reply.

The Department of Information and Communications Technology CERT (DICT-CERT), meanwhile said on January 15, 2019, that it had not received messages from Qurium.

Qurium said it messaged IP Converge staff a number of times during the last week of February.

The group messaged Sherwin Torres, director of technical operations of IP Converge, as well as their internet response team and network operations center (NOC), but they did not respond. They also sent emails on February 26 to Christian Villanueva and Cean Archievald Reyes, who work at IP Converge's Data Center and Cloud Services sections, but received no reply as well.

Qurium also messaged the Asia Pacific Network Information Center on February 26 due to the network 125.252.99.0/24 having fake records.

On February 27, they also sent a request to the Hong Kong Broadband Network Ltd so they could file an abuse email regarding the prefix 61.244.184.0/24, which was also involved in the attacks, but received no response.

Finally, on March 14, the group also sent a message to George Tardio. The group believes he might be responsible for NCERT-PH. Qurium got a response on March 15 that none of our requests were received, and they then "provided the logs of the 3 mails sent to NCERT" on February 5, 6, and 26, but did not receive a response. – Rappler.com

Victor Barreiro Jr.

Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.

image