Bulatlat, the country’s oldest alternative digital news outlet, has been repeatedly hit with distributed denial of service (DDoS) attacks over the last two months, according to a statement released recently by the website’s managing editor, Ronalyn Olea.
The Bulatlat statement said: “For two months now, [Bulatlat has been] subjected to DDoS attacks, aiming to wipe out the website from the worldwide web.”
She added that the attacks may be the work of “agents” of the Duterte administration.
According to the Bulatlat statement, the attacks started on Dec. 26 shortly after publishing stories about the 50th anniversary of the Communist Party of the Philippines (CPP).
“Other alternative media outfits, Kodao Productions and Pinoy Weekly, were also taken down,” the Bulatlat statement said. “Bulatlat managed to be back online after taking protective measures to mitigate the attacks.”
According to an article written by ABS-CBN’s Inday Espina-Varona, Altermidya Network, which was another digital alternative news outfit, also “reported the discovery of still-unidentified spam and malware scripts, which IT specialists are addressing.”
Varona said in her report that the virtual assaults on the news outfits “coincided with growing cases of killings, arrests and surveillance and harassment of activists, including nationalist clergy.”
DDoS attacks take down targeted websites by overloading the target website’s server with requests for data that bog the server down, blocking legitimate user access to the website.
According to Bulatlat, its “website migrated to Qurium’s secure hosting. Quirium, a Sweden-registered non-profit foundation made up of IT experts, has been mitigating the attacks on Bulatlat.”
Qurium found that the attacks on both Bulatlat and Kodao Productions “are similar,” the Bulatlat statement said.
According to Olea, Bulatlat’s virtual assailants “are working full time, using huge resources and all imaginable techniques.” Qurium has found that the attacks on Bulatlat’s servers involved “multiple flooding using compromised devices and hosting servers; attacks against the search engine; bandwidth exhaustion [and]; session attacks.”
These attacks, Qurium said in a tweet, involved flooding Bulatlat’s website with “4,000 times” the site’s normal traffic, “4,000 compromised servers loading the website, 400 hours of work to mitigate the attacks, 40 attacks recorded in one week” and “[four] load balancers deployed”
to improve the responsiveness of the website and increase the availability of applications on it.
These load balancers sit between the client website and its server farm and work by accepting incoming network and application traffic, then distributing this traffic across multiple back-end servers using various methods.
Qurium reviewed several gigabytes’ worth of log files and found that the perpetrators of the attacks have been using these keywords: “Duterte” and “XD.” The Swedish non-profit foundation also found that Bulatlat’s attackers launched their DDoS attacks using hidden virtual private networks (VPNs) located in the Philippines.
“The magnitude and the resources being poured to launch this brazen yet insidious attack can only come from the powerful and the influential, and those who hope to hide the truth from the Filipino people,” Olea said. “We have every reason to believe that the attackers are minions of the current resident in Malacanang, who has, time and again, shown his disdain for the slightest criticism.”
Olea also said in the statement that the cyber-attacks against Bulatlat and Kodao “add to the intensifying media repression in the Philippines.”
The attacks on Bulatlat continued into the first few days of February, with Qurium detecting attempts to attack the news website from Feb. 1 to Feb. 4. The Swedish foundation detected similar attacks being launched against Kodao on Feb. 4. Qurium tweeted that “after two days of receiving vulnerability scans, @bulatlat [Bulatlat’s Twitter username] is under DDoS again.”
Quirium said attacker hit the link to an article headlined “Government covering up on Malayao murder—CPP.” Both Bulatlat and Kodao published reports by Raymond Villanueva on alleged attempts to cover up the killing of National Democratic Front of the Philippines (NDFP) peace consultant Felix Randy Malayao.
TYPICAL DDoS
Internet freedom advocate Pierre Tito Galla, meanwhile, told the Philippines Graphic in an interview over Facebook’s private messaging app that he’d heard about the attacks on Bulatlat, saying these attacks “sound like classic DDoS” attacks, in which the “search words trigger the action” the hostile VPN has taken to flood Bulatlat’s server using the compromised computers under the VPN’s control.
The Dec. 26 attack on Bulatlat shut the website down for several days, with the cyber-attacks focused on the front end, or immediately visible part, of the news website hosted by CloudFlare before they were directed to the back-end of the website, where data is stored and managed and access requests are processed.
The attack on Jan. 19, according to Bulatlat, followed the publication of two reports, namely “How the state is abandoning Filipino children by lowering the minimum age of criminal responsibility” and a story on the release of peace consultant Rafael Baylosis.
Bulatlat said it was able to successfully migrate its website to the Qurium servers on Jan. 29, amid the DDoS attacks.
Nearly half a year’s worth of typical website traffic for Bulatlat, the news outfit said, was used to flood its servers “in a mere second” on Jan. 29, “with three million packets per second for 60 minutes.”
Responding to questions of whether the cyber-attacks constitute assaults on press freedom, as Bulatlat claimed in its statement, Galla said: “Essentially. But can we say that Duterte agents are the ones [behind] the attack?”
The conclusion drawn by Bulatlat, Galla said, is “persuasive, but not conclusive. In our world, we also see many false flag attacks,” or attacks that “frame someone else.”
Galla describes “false flag attacks” this way: “B doing an attack that leads people to conclude that it is A [who is attacking], because it is convenient to believe that it is A.” He also said that “motive is hard to determine, until the attacker is caught.”
Catching the perpetrators of DDoS attacks, he added is a process that “takes time and effort, but the short answer is yes. Digital forensics will trigger the real world pursuit of the perpetrator” if Bulatlat chooses to seek an investigation into the cyber-attacks by the cybercrime units of the Philippine National Police (PNP) or the National Bureau of Investigation (NBI).
Galla also said local law enforcement and the private sector “have varying degrees of capability” for carrying out the necessary digital forensics investigations to determine who perpetrated the attacks on Bulatlat and the other alternative media entities that have been subjected to these DDoS attacks.
He also said that, “yes,” these attacks against Bulatlat and the other alternate media outfits’ websites could be linked to attempts to suppress press freedom, “but the tech head in me keeps on pointing out that this could be just another attack using an identified vulnerability and vector for a site that may not have had sufficient cybersecurity defenses and measures in the first place.”
He added that “the logic of ‘who else will do such a thing?’ no longer holds true all the time in this day and age.” That said, Galla added that the chances of catching the perpetrators of these DDoS attacks will depend “on how much effort is put into it.”
“However, not having seen the website logs, I can’t say for certain,” he added.
Bulatlat said it believes these attacks on its website are “state-sponsored” because of the attacks’ “social and political context in the country and [their] impact on the compelling role of journalists in ensuring transparency and truth-telling.”
“After all,” Bulatlat said, alluding to the suppression of the press during the Martial Law years, “curtailing press freedom and denigrating the importance of a free press was among the [first things] that former dictator Ferdinand Marcos did.”
LEGAL ANGLE
Lawyer Marnie Tonson, a cyberlaw specialist, meanwhile, answered queries from the Graphic on the legal aspects of the cyber-attacks on Bulatlat, Kodao and Pinoy Weekly.
According to Tonson, “the cybercrime offense here is ‘System Interference’ under the Cybercrime Prevention Act (Republic Act No. 10175), sec. 4(a).”
He said that provision of RA 10175 defines ‘System Interference’ as “the intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses.”
Tonson also cited Section 3 of the same law, which states that “’Without right’ refers to either: (i) conduct undertaken without or in excess of authority; or (ii) conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under the law.”
“As a Punishable Act under Chapter II of RA10175, System Interference by means of a DDoS attack is punished under Chapter III with the penalty of imprisonment of prision mayor or a fine of at least P200,000.00, up to a maximum amount commensurate to the damage incurred, or both.”
Tonson said the affected online alternative media outfits “can file a complaint with the Anti-Cybercrime Group of the PNP or with the Cybercrime Division of the NBI. Under RA10175, these are the two law enforcement agencies with concurrent jurisdiction” over crimes committed in cyberspace.
“Hopefully, after investigation, either the PNP-ACG or the NBI Cybercrime Division will get to file a criminal information before a Regional Trial Court with competent jurisdiction,” Tonson said. “Once a complaint is filed with it, the designated law enforcement agency assumes jurisdiction to the exclusion of the other law enforcement agency.” He also said that the ‘splitting’ of a cause of action” between both cybercrime units “is not allowed.” G
