A second look at the charges filed vs. IT companies over news sites cyberattacks

In this report, we take a second look on the charges filed against IT companies IP Converge and Suniway Group of Companies. The National Union of Peoples’ Lawyers provided legal assistance to the alternative media outfits.


MANILA – On March 29, the 25th year of the Internet in the Philippines, alternative media outfits filed a civil complaint before a Quezon City Regional Trial Court against two IT companies. Digital forensic investigation showed that these companies are the sources of the cyberattacks on the websites of four alternative news media organizations that filed the case.

For the past weeks, alternative media groups have been subjected to cyber-attacks in the form of a Distributed Denial of Service (DDoS), a malicious attempt to shut down a website by overwhelming its server, and render it inaccessible to its legitimate readers.

As such, these relentless and seemingly well-funded cyber-attacks have been pointed out as state sponsored, aimed to stifle press freedom and quell critical voices in the face of a looming authoritarian rule in the country.

In this report, we take a second look on the charges filed against IT companies IP Converge and Suniway Group of Companies. The National Union of Peoples’ Lawyers provided legal assistance to the alternative media outfits.

Who are the plaintiffs?

There are four plaintiffs in the civil complaint. These are Alipato Media Center, publisher of Bulatlat, Pinoy Media Center, publisher of Pinoy Weekly, Kodao Productions, and AlterMidya – People’s Media Network. They belong to the alternative media tradition of the Philippine press, known for critical reportage.

All of these alternative news websites are non-profit and non-stock, with most journalists working for them on a voluntary basis.

Who are the defendants?

IP Converge, along with its members of the board and officers, is one of defendants in the complaint. It supposedly offers information technology services and applications, including mitigation services in cases of cyber-attacks.

Another company facing the complaint is Suniway Group of Companies, a stock corporation that is primarily engaged in general construction and allied businesses. Like IP Converge, among those named in the complaint as defendants are its members of the board and its officers.

What are the allegations?

Cyber hit teams By DEE AYROSO
Sweden-based non-profit organization Qurium Media Foundation, as cited in the complaint, said that its investigation has led them to conclude that the cyber-attacks may be traced to tech companies IP Converge and Suniway.

In its forensic investigation report, the Sweden-based non-profit group revealed that the IP addresses were exposed when the alleged attackers committed a mistake of visiting the website under attack without turning on their hidden virtual private network and when another visited the website through a Samsung phone.

However, Qurium noticed suspicious “extra hops” in the traffic traces, which they later discovered as a traffic tunnel between Hongkong and Manila. The said traffic tunnel infrastructure, which diverts the origin of attacks, is owned by Suniway.

Qurium later on reached out to IP Converge, informing them that they have received reports about an attack coming from their network. But despite several e-mails, IP Converge has yet to acknowledge or respond to these messages.

Meanwhile, Qurium said in its report that the attacker may easily be identified by Suniway if it “is interested in attributing the attacks that have been facilitated through their infrastructure,” adding that the said attacker has “administrative rights to servers in their core infrastructure.”

Who is the attacker?


The results of the digital forensic report of Qurium revealed that the cyber-attacker sought support from the underground booter market to shut down the websites under attack. Using the messaging mobile app Telegram, the attacker “P4p3r” repeatedly asked for help to shut down the websites of the plaintiffs.

“Can’t even down this fucking website. I really need to down it” and “Can you help me? down this website using booter.pw?” were among the messages that Telegram account “P4p3r” sent.

The number of devices behind Suniway VPN suggests, said Qurium, that there is more than one person involved in monitoring the attacks. Furthermore, they also learned from thousands of gigabytes of logs that the attacker loads the website through a Microsoft Excel sheet.

Read: Disclosure Of Company Facilitating Massive Cyber Attacks Against 20+ Regime Critical Philippine Websites

Qurium highlighted that the the cyber-attacker had the resources to launch a DDoS attack that had a magnitude and scale that they have never seen before launched in one single country.

What has the government done so far?

Qurium said it has made multiple attempts to contact the Philippine government’s NCERT but to no avail. On March 15, 2019, the government agency responded via e-mail asking for more information on the cyber-attacks. However, it has yet to reply ever since.

What do the plaintiffs expect from this civil complaint action?

In the complaint, the alternative media outfits under attack identified three causes of action for the two tech companies’ (1) clear abuse of right, (2) the losses and injuries sustained by the plaintiffs, and (3) for the violation of their freedom to maintain publications. For each cause of action, the alternative news agencies under attack prayed for a P4.00 damages, exclusive of actual damages that the cyber-attacks have caused.

The tech companies, too, have acted as an instrument not only in the unlawful deprivation of property, but also the denial of their freedom as media institutions in the country. Such attacks could not have happened “without being orchestrated and well funded.”

But most importantly, the alternative media outfits under attack hope to achieve justice and hold to account those behind the cyber-attacks. Outside the court, they have repeatedly called on these tech companies to reveal the identity of the cyber-attackers. (https://www.bulatlat.com)

Share This Post