Cyber Threat Actor: Philippine Army
| Actor Type | Location | Known Incidents |
Nation State
|
Philippines
|
3 incidents |
|---|
Profile
The threat actor is publicly identified by the aliases Philippine Army and Armed Forces of the Philippines, and is known to operate from the Philippines. Attribution to this actor is supported by forensic analysis linking the infrastructure used in the attacks to the Department of Science and Technology (DOST) and the Army’s Office of the Assistant Chief of Staff for Intelligence, indicating a state‑affiliated nexus rather than a criminal or independent group. The actor’s activity has been documented in open‑source reporting that connects government resources to cyber operations against domestic media and civil society entities.
The actor’s observed targeting focuses on Philippine alternative media outlets such as Bulatlat and Altermidya, as well as the human rights organization Karapatan, all of which are located within the Philippines. The sectors affected are media and human rights advocacy, with the geographic scope limited to the domestic environment. The strategic objective demonstrated by the incidents is the disruption of online services through distributed denial‑of‑service flooding, which rendered the target websites unreachable for extended periods. In addition to disruption, the actor conducted vulnerability scans using penetration‑testing tools, suggesting an intent to gather information about the targets’ network configurations alongside the service‑interference effort.
Noted tactics, techniques, and procedures include the deployment of DDoS traffic floods to overwhelm web servers and the use of vulnerability‑scanning tools such as Xerosecurity’s Sn1per to map attack surfaces. The actor leveraged IP addresses associated with the DOST, which were shared with other government agencies, to launch these scans from infrastructure tied to the Army’s intelligence office. The campaigns described in the reporting span a two‑month period in May and June 2021, with a prominent incident occurring on June 22 2021 when Bulatlat’s and Altermidya’s sites were flooded with junk traffic for several hours. These operations represent the publicly disclosed examples of the actor’s activity, highlighting a pattern of state‑linked cyber disruption aimed at critical domestic media and human rights voices.
