Hacktivist Groups Launch November 5 Attacks on Government Websites

Several government and educational websites across the Philippines experienced short service interruptions and cyber incidents yesterday, coinciding with the annual Million Mask March, a day symbolically associated with digital activism and cyber resistance. According to data from our Threat Monitoring Center, the anticipated Distributed Denial of Service (DDoS) attacks resulted in only minimal impact, with most disruptions lasting an average of 15 minutes.

Most agencies reported brief slowdowns or downtime spikes, except for select departments that faced longer interruptions. The Bureau of Customs experienced multiple outages throughout the day: from 5:00 a.m. to 6:00 a.m., from 10:30 a.m. to 11:17 a.m., and again between 3:09 p.m. and 5:12 p.m. The Department of Health (DOH) reported downtime around 5:00 p.m. and again from 10:05 p.m. until midnight. The Department of Agriculture (DA) noted short disruptions at 10:00 p.m. and 5:45 a.m. on November 6, while the Department of Transportation (DOTR) recorded downtime at 1:00 a.m. on November 5. The Freedom of Information (FOI) website also experienced two outages, first around 3:00 p.m. and again at 8:00 p.m., lasting roughly two hours.

Among the affected agencies, the Philippine National Police (PNP) saw the most visible disruption. A group identifying itself as #HappyGoLuckyPH claimed responsibility for taking down several PNP regional and provincial websites, calling it their “contribution” for November 5. The group further warned that outages could continue if backend systems were not migrated. As of this writing, several Philippine National Police systems are still unavailable.

Meanwhile, a collective known as Quantum Security Group (QSG) claimed responsibility for a major breach involving several government and local systems, primarily targeting the Department of Health (DOH).
The breach, disclosed on November 5, exposed critical data from multiple health databases, including:

• pwd.doh.gov.ph – Persons with Disability Registry and Certification System
• gidas.doh.gov.ph – Geographic Information for Disability and Health Surveillance
• itis.doh.gov.ph – Integrated Tuberculosis Information System
• mndrs.doh.gov.ph – Maternal, Neonatal Death Reporting System
• nhfr.doh.gov.ph – National Health Facility Registry
• pidsr.doh.gov.ph – Philippine Integrated Disease Surveillance and Response
• rabies.doh.gov.ph – Rabies Case Monitoring System
• uhmistm.doh.gov.ph – Unified Health Management Information System

Preliminary inspection of the leaked samples revealed structured CSV-type datasets containing over 70 columns of personal, medical, and administrative information. The exposed data includes:

• Personal identifiers such as full name, birth date, gender, address, and contact details.
• Government IDs like SSS, GSIS, PAG-IBIG, and PhilHealth numbers.
• Medical and disability information, including health conditions, cause of disability, and related physician and certificate details.
• Vaccination records, suggesting data linkage between health registries and immunization systems.

Other compromised domains include aims.rcc.edu.ph, eco.bohol.gov.ph, pampanga.gov.ph, prime.depedncr.com.ph, and t-tadac-admin.dilg.gov.ph.

In a related incident, a separate group calling itself Nullsec Philippines defaced multiple government and academic websites earlier in the day. The campaign was tied to the Million Mask March and featured anti-government and anti-censorship messages. Affected websites observed by DWK analysts include:

1. LRMDS – Department of Education
2. University of the Philippines Open University (UPOU)
3. College of Our Lady of Mercy
4. JH Cerilles State College – Crop Land Suitability & SMART Agri Production-Marketing Digital Information System
5. Boiling Waters PH

The defaced pages displayed messages denouncing corruption and urging transparency, consistent with hacktivist narratives from previous November 5 events. Early analysis suggests the use of unpatched content management systems (CMS) and weak admin credentials as the likely entry points.

Despite the minimal service disruptions observed, the team cautions that the situation remains dynamic.

> “Just because no large-scale outages occurred on November 5 doesn’t mean the threat has passed. New attacks or breaches can happen at any time if defensive measures are not continuously improved,” Elizze, Deputy Division Head for the Cybersecurity Division, stated.

DWK recommends that affected agencies perform immediate digital forensics and incident response (DFIR), update outdated servers, and strengthen their intrusion detection and data protection systems.

As of this writing, the Department of Information and Communications Technology (DICT) has yet to issue an official statement on the DDoS campaign, the data breaches, or the defacements.
