Initial Review of DPWH Ransomware Attack Confirms Exposure of Internal Communications
The Department of Public Works and Highways (DPWH) ransomware incident, first observed on March 18, has developed further with new activity linked to the threat actor.
Nine days after monitoring began, a small portion of the allegedly stolen data was publicly released, prompting the DWK Team to begin validation and analysis immediately.
The attack has been attributed to Bashe Ransomware (APT73), which previously claimed responsibility via its leak site, alleging the exfiltration of approximately 50 GB of data. As of now, only a fraction of this dataset has been made public.
Initial validation confirms that the mail system is among the compromised assets. The 1.77 GB sample analyzed contains more than 2,000 email files, from which over 78,000 email records, nearly 2,000 URLs, more than 7,000 contact numbers, and multiple datasets linking names, email addresses, job titles, and organizational affiliations were extracted.
https://iili.io/B93gJ0G.png
https://iili.io/B93Umxt.png
The validation also shows that the leaked data includes raw email archive files, organized in bulk with timestamped names. This structure suggests direct extraction from a mail server or backup repository rather than manually compiled data. Several files are noticeably larger than the rest, indicating email attachments or bundled communications that may contain additional sensitive information.
The extracted emails show interactions not only within DPWH but also across multiple Philippine government domains, including those associated with offices under the executive branch, procurement systems, civil service, education, and other local government units, indicating a broad communication footprint across government networks rather than isolated correspondence.
Further analysis also identified several URLs and links tied to internal systems, intranet environments, or non-public portals, raising concerns about potential exposure of restricted infrastructure and access points.
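The kind of first-pass triage described above (counting addresses, URLs and contact numbers in a sample of raw mail files, mapping the domain footprint, and flagging links to non-public systems) can be reproduced on any exported .eml or mbox-style dump. The script below is an added example and is not the DWK Team's tooling; the two messages it parses are constructed for illustration and use reserved .example domains and a private IP literal, not data from the leak. The "internal host" heuristics (private IPs, dotless hostnames, intranet-style names and suffixes such as .local) are an assumed rule set that an analyst would tune to the target environment.

```python
"""Triage of a leaked mail-archive sample: parse raw RFC 5322 messages,
extract addresses, URLs and phone numbers, group correspondents by domain,
flag links to non-public hosts and count attachments.

Added example; the messages below are constructed, not leaked data."""
import email
import ipaddress
import re
from collections import Counter
from email import policy
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Philippine number styles such as +63 917 123 4567 or 0917-123-4567
PHONE_RE = re.compile(r"(?:\+63[\s-]?|0)\d{2,3}[\s-]?\d{3,4}[\s-]?\d{4}")
# Assumed hints for intranet / non-public endpoints; tune per environment
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")
INTERNAL_KEYWORDS = ("intranet", "vpn")

# Constructed sample in the shape of two exported .eml files.
SAMPLE_MESSAGES = [
    """From: Procurement Unit <bac@agency-a.example>
To: Regional Office <region7@agency-a.example>, vendor@supplier.example
Cc: audit@agency-b.example
Date: Tue, 11 Mar 2025 09:14:02 +0800
Subject: Bid documents - flood control package 3
Content-Type: text/plain; charset="utf-8"

Bulletin: https://intranet.agency-a.example/bac/bulletin/2025-03
Mirror: http://10.20.30.40/procure/pkg3.pdf (offline review)
Contact the secretariat at +63 917 123 4567.
""",
    """From: Concerned Citizen <resident@mail.example>
To: complaints@agency-a.example
Date: Wed, 12 Mar 2025 18:40:11 +0800
Subject: Complaint - substandard drainage works
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Photos attached. I can be reached at 0917-555-0199.
Public notice: https://www.agency-a.example/notices/2025/drainage.
--b1
Content-Type: image/jpeg; name="site.jpg"
Content-Disposition: attachment; filename="site.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
""",
]


def parse_messages(raw_messages):
    """Parse raw RFC 5322 text into EmailMessage objects (modern policy)."""
    return [email.message_from_string(raw, policy=policy.default)
            for raw in raw_messages]


def message_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def is_internal_url(url):
    """Private IP literal, dotless host, or intranet-style name/suffix."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal; fall through to name-based checks
    return ("." not in host
            or host.endswith(INTERNAL_SUFFIXES)
            or any(k in host for k in INTERNAL_KEYWORDS))


def extract_indicators(messages):
    """Collect addresses, URLs, phones and attachment count across messages."""
    addresses, urls, phones, attachments = set(), set(), set(), 0
    for msg in messages:
        for header in ("From", "To", "Cc"):
            hdr = msg.get(header)
            if hdr is not None:
                addresses.update(a.addr_spec.lower() for a in hdr.addresses)
        body = message_text(msg)
        addresses.update(a.lower() for a in EMAIL_RE.findall(body))
        urls.update(u.rstrip(".,;") for u in URL_RE.findall(body))
        phones.update(re.sub(r"[\s-]", "", p) for p in PHONE_RE.findall(body))
        attachments += sum(1 for _ in msg.iter_attachments())
    return {
        "addresses": addresses,
        "domains": Counter(a.split("@", 1)[1] for a in addresses),
        "urls": urls,
        "internal_urls": {u for u in urls if is_internal_url(u)},
        "phones": phones,
        "attachments": attachments,
    }


if __name__ == "__main__":
    result = extract_indicators(parse_messages(SAMPLE_MESSAGES))
    for domain, n in result["domains"].most_common():
        print(f"{n:>3}  {domain}")
    print("non-public URLs:", sorted(result["internal_urls"]))
    print("phones:", sorted(result["phones"]), "attachments:", result["attachments"])
```

Run against a real dump, the domain table is what gives the "communication footprint" view (which other agencies and contractors appear, and how often), while the non-public URL set is the list to hand to infrastructure owners for exposure review. Phone numbers are normalized before deduplication so the same number written with spaces and with hyphens is counted once.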
Additionally, the dataset includes flood control-related documents, such as bidding materials. While some may already be publicly accessible, their inclusion in a breached dataset increases the risk of aggregation and misuse.
More concerning is the presence of citizen-submitted complaints within the emails, detailing issues such as project negligence, substandard materials, and alleged corruption. This suggests that personally identifiable information (PII) and sensitive communications from the public may have been compromised.
At this stage, only a small portion of the claimed 50 GB dataset has been released, indicating a high likelihood of further disclosures.