Hacktivists turn to ransomware in attacks on Philippines government

Hacktivist operations are using leaked ransomware builders to launch attacks on critical infrastructure in the Philippines — part of a trend among politically motivated groups who are increasingly trying to disrupt life in the Southeast Asian nation.

Researchers at the cybersecurity firm SentinelOne say a group called Ikaruz Red Team is one of a handful of hacktivist entities going after Philippines government targets. The operation is using a variety of ransomware builders — including LockBit, Vice Society, Clop and AlphV — to launch “small-scale” attacks. It also advertises data leaks online from a variety of organizations in the Philippines. 

The notes to victims are almost entirely cribbed from the original LockBit template, SentinelOne said, with the exception of the name at the top. Contact information is not provided.

“This is indicative of a threat actor with little interest or perhaps ability to engage in the kind of follow-up and victim negotiations typical of serious ransomware operators and affiliates, suggesting instead that the motivation is more to sow disruption and garner attention through social media postings,” researchers wrote.

In April, Resecurity reported that it observed a 325% spike in malicious cyber activity targeting the Philippines in the first quarter of the year, and activity involving hacktivist groups and misinformation had nearly tripled. The island nation finds itself on the front lines of China’s maritime expansion and is a staunch ally of the United States.

“Within the hacktivist landscape, Ikaruz Red Team fits into a larger movement of threat actors committing unsophisticated yet damaging attacks targeting the Philippines region,” SentinelOne said. “There is indication that a broader cluster of these behaviors may be part of rising regional tensions with China and a desire to destabilize Philippine critical infrastructure.”

While researchers did not connect Ikaruz Red Team with a nation-state actor, the line between hacktivism and official state-backed activity is murky in the Philippines. Resecurity found the China-linked group Mustang Panda launching “sophisticated information warfare campaigns.”

“Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online,” they wrote. “This tactic is often combined with false-flag attacks originating under publicly known threat-actor profiles to keep a distance from the real intellectual authors of these malign campaigns.”

In April, the Philippines Department of Science and Technology was hit with a cyberattack claimed by a hacktivist group calling itself #opEDSA. The hackers stole at least two terabytes of data and locked employees out of the system. 

“The first message of the threat actors was somewhat political,” said Renato Paraiso, assistant secretary at the  Department of Information and Communications Technology (DICT). “So, we’re not discounting that this is part of hacktivism or something more nefarious or devious.”