NBI clueless months after ‘Comeleaks’
The National Bureau of Investigation (NBI) did not know that an internet protocol (IP) address registered to the bureau allegedly downloaded data from the website of the Commission on Elections (Comelec) until five months after “Comeleaks” happened.
The Cybercrime Division (CCD) said this in a letter, to NBI Director Dante Gierran as the National Privacy Commission (NPC) urged the Department of Justice (DOJ) to look into the allegation that an NBI-registered IP address downloaded Comelec website data less than two months before the 2016 general elections.
The NPC, in its 35-page decision dated Dec. 28, 2016, sought an investigation of the NBI after “finding that there was an unauthorized exfiltration of data” from the Comelec web server on March 23, 2016, “through a computer with an IP (internet protocol) address of 202.90.136.202, registered with the (NBI).”
On the night of March 27, 2016 or four days after the supposed exfiltration of data by an NBI-registered IP address, a group introducing itself as Anonymous Philippines defaced the Comelec website, the NPC decision said.
Moments later, another group called LulzSec Pilipinas posted on its Facebook account that it was able to download at least 320 gigabytes of data from the Comelec website, which were posted on both Facebook and file-sharing platforms, the ruling also said. Comelec to blame?
In the letter, obtained by The STAR, the NBI-CCD explained that the Comelec gave its report – which detailed security threat reports that took place on the Comelec data server – contained in eight compact discs (CDs) on Aug. 13 last year.
The report revealed that “open source domain tool query indicated that” IP address 202.90.136.202 “is within the IP range assigned with the Department of Science and Technology (DOST).”
“Further verification on this said IP address through online facility revealed that this is an IP address allocated to the NBI,” it also said.
The NBI-CCD noted that the Comelec gave the report around five months after alleged hackers defaced the Comelec website and leaked huge amount of data containing personal information of registered voters, now called “Comeleaks.”
However, the NBI’s data center said in a separate report that based on the “review shown” by the activity of the IP address, “no retained logs were recorded.”
“The NBI does not maintain a dedicated server log which can record all activities of NBI-registered machines,” it said. It added that NBI’s current server retains records for a month.
On April 25 last year, the NBI-CCD also said that the issue of the NBI-registered IP address used to exfiltrate Comelec website data was not brought up in a meeting with the DOJ’s Office of Cybercrime, the DOST’s Information and Communication Technology Office, the NPC and the Philippine National Police’s Anti-Cybercrime Group.
The meeting was held a month after “Comeleaks” happened and days after two of its alleged perpetrators were nabbed by NBI-CCD agents.
It was only on Oct. 24 last year that the DOJ approved the NBI-CCD’s confidential investigation on the involvement of IP address 202.90.136.202, which is still ongoing, according to NBI sources.
“Proper coordination with counterparts will also be made for any identification that could provide leads as to the identity of the individual who used the IP address assigned to the NBI, and also to determine whether the said IP address was goofed or anonymized to make it appear as such,” the NBI-CCD said in the same letter.