
Cyber Incident Victim: Government of the Philippines

Date:

May 2017

Location:

Philippines

Summary

A cyber-espionage campaign attributed to APT32, a group with suspected Vietnamese ties, compromised the Philippine government, resulting in the leak of confidential diplomatic documents. The stolen materials included transcripts of presidential calls with foreign leaders, national security briefings, and ASEAN-related files, potentially linked to regional tensions over the South China Sea. The documents were uploaded to a malware analysis platform alongside malicious email attachments, suggesting their use as operational lures by the attackers.

Description

In early May 2017, sensitive Philippine government documents began appearing online, culminating in the public exposure of diplomatic communications involving President Rodrigo Duterte. On May 3, Chinese state media confirmed a phone conversation between Duterte and Chinese President Xi Jinping that had occurred days after Duterte’s April 29 call with U.S. President Donald Trump. Between May 15 and May 31, an unidentified actor uploaded at least five classified Philippine government files to the malware analysis platform VirusTotal. These included a transcript of the Trump-Duterte call marked "SECRET," briefing notes for Duterte’s call with Xi Jinping concerning North Korea, preparatory materials for a scheduled discussion between Philippine officials and U.S. Senator Cory Gardner, Philippine National Security Council situation reports, and an ASEAN conference layout diagram. Most documents carried "CONFIDENTIAL" or "SECRET" classifications. The Trump-Duterte transcript remained publicly accessible on VirusTotal for weeks before The Intercept and Washington Post independently reported its contents on May 23, with unnamed U.S. officials verifying its authenticity.

Cybersecurity researchers analyzing submission metadata and file characteristics linked the leaks to APT32 (OceanLotus), a hacking group previously attributed to the Vietnamese government. Forensic evidence showed the documents were associated with known APT32 lures—malicious email attachments designed to compromise targets—and originated from two consistent submitter accounts on VirusTotal. Targets aligned with APT32’s historical focus on Southeast Asian governmental entities. Analysts suggested Vietnam’s interest stemmed from geopolitical tensions in the South China Sea, particularly concerns that Duterte’s unilateral engagement with China might undermine ASEAN’s consensus-based approach to territorial disputes. The Philippine Department of Information and Communications Technology did not publicly acknowledge or respond to requests regarding the breach. No remediation actions or containment measures were documented, and the files remained accessible on VirusTotal through at least late May. The incident exposed confidential diplomatic strategies, including discussions on North Korea’s missile program and counternarcotics operations, though broader operational disruptions or systemic compromises within Philippine agencies were not reported.
