Manila, Philippines
Image: RJ Joquico via Unsplash

Malicious cyber activity spiking in Philippines, analysts say

Cyberattacks and misinformation campaigns have increased dramatically in the Philippines as geopolitical tensions escalate in the region, according to a new report.

Researchers at the U.S. cybersecurity firm Resecurity reported a nearly 325% jump in malicious cyber activity targeting the Philippines during the first months of 2024, compared to levels at the end of 2023. 

The report attributes much of the activity to hacktivist groups that are trying to undermine confidence in government institutions. The operations appear to be domestic in origin, but probably are tied to foreign entities, Resecurity said.

The increase comes as tensions continue to rise over territories in the South China Sea, where China contests the Spratly Islands despite a 2016 ruling in favor of the Philippines.

The malicious cyber activity is characterized by “the intersection of ideological hacktivist motivations and nation-state-sponsored propaganda,” Resecurity said. One example is the China-aligned hacker group Mustang Panda, which is “using cyberspace to stage sophisticated information warfare campaigns.”

Hiding behind the guise of hacktivism helps the groups “to avoid attribution while creating the perception of homegrown social conflict online,” researchers said.

The most active hacker groups include Exodus Security, which carries out distributed denial-of-service (DDoS) attacks and leaks stolen data from targets in the Philippines and other countries, including the United Kingdom, France, Indonesia, Israel and India.

Another notable local group, DeathNote Hackers, was likely responsible for a data leak from the Bureau of Customs, while hackers calling themselves CyberMafia Philippines claimed to have attacked the National Electrification Administration.

Some threat actors, including Krypton Zambie, plant fake narratives about the theft of Philippine citizens' data as part of a broader cyber campaign, mixing some valid cyber events with fake ones.

"The combination of real and fake cyberattacks is a common tactic used by threat actors in staging their misinformation campaigns," researchers said. The news about fake data breaches "generates uncertainty in society."

Resecurity noted that many of the attacks, including those conducted by hacktivists, could be a "pre-staging for broader malicious, foreign cyber-threat actor activity in the region," including cyber espionage and targeted attacks against government agencies and critical infrastructure.

"Considering the Philippines' strategic significance in the Indo-Pacific, foreign actors interested in destabilizing civil society may support such activity," researchers said.

Earlier in February, government agencies in the Philippines announced they had repelled a cyberattack from hackers suspected to be based in China, prompting lawmakers to demand an urgent briefing on the national security issue.

The hackers reportedly targeted various email addresses and government domains, including those of the Philippine Coast Guard, the Cabinet Secretary, and the Department of Justice.

In April, leaders from Japan, the U.S., and the Philippines discussed the possibility of forming a defense network against cyberattacks by sharing information and expertise.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.