From high seas to high tech: Cyber attack targets gov't workstation on Coast Guard vessel | ABS-CBN

Tension in the West Philippine Sea has also spread into cyberspace after a cyber security consultant revealed an attempt by hackers to spread malware on a government workstation on a Philippine Coast Guard vessel early this year.
Rodel Plasabas, a former consultant of the Department of Information and Communications Technology, said a hacker impersonating another Coast Guard official sent a file to another official onboard the BRP Melchora Aquino via the Viber messaging app. The vessel was deployed in the West Philippine Sea at the time of the incident.
“What the hacker did was pretend to be an official of the Philippine Coast Guard and send a message via Viber to someone who was also with the Coast Guard on the BRP Melchora Aquino. This happened on January 8, 2025,” he said in a TeleRadyo Serbisyo interview.
He said the Coast Guard official did not download the file, which contained a ZIP archive that had a shortcut file “designed to appear as a legitimate document.”
He said he examined the Viber message and found out it was malware that could be used to either control the government workstation or extract sensitive information from the computer.
“This is a sophisticated group…that tried to use a computer to illegally access another government computer to get confidential information,” he said.
Analysis posted by Plasabas on Medium showed the shortcut (LNK) file would “initiate a series of malicious actions, including downloading additional payloads, establishing persistence, and attempting to connect to Command and Control (C2) servers.
“Based on the analysis, the LNK file downloaded and executed a batch file which downloaded a Remote Administration Tool (RAT) called LiteManager.”
“The LiteManager configuration file (config.xml) revealed key details about operational parameters, such as primary and backup C2 servers, unique victim identifiers, and connection intervals. The RAT was designed for stealth, leveraging HTTPS-like traffic and failover mechanisms to maintain control over infected systems. Indicators of compromise (IoCs) were identified for further monitoring and threat sharing,” it added.
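
A triage check for the delivery method described above (a ZIP archive holding a shortcut file made to look like a document), as an added example that is not from the article or from Plasabas's analysis. The function names, the document-extension list and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK format).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Assumed list of extensions a lure would imitate; extend as needed.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def find_shortcuts(zip_bytes):
    """Return one finding per archive member that is a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            try:
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            except RuntimeError:
                head = b""  # password-protected member: fall back to the name
            name = info.filename.lower()
            by_magic = head == LNK_MAGIC
            by_name = name.endswith(".lnk")
            if not (by_magic or by_name):
                continue
            stem = name[:-4] if by_name else name
            findings.append({
                "member": info.filename,
                "lnk_header": by_magic,
                # "x.pdf.lnk": Explorer hides ".lnk", so the user sees "x.pdf"
                "looks_like_document": by_name and stem.endswith(DOC_EXTS),
            })
    return findings


def build_sample():
    """Constructed sample archive: header bytes only, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Advisory.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("readme.txt", b"constructed sample text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_shortcuts(build_sample()):
        print(finding)
```

Checking the header bytes as well as the name catches a shortcut even when the archive member has been renamed.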
Plasabas said it is too early to blame the attack on any particular group or nation, noting that analysis showed IP addresses coming from Singapore, the Netherlands and Russia.
“Hackers nowadays use VPN to mask their actual IP address. In this particular scenario, he could have rented a server in these locations,” he said.
He said the cyber attack has many implications including a possible attempt to monitor the vessel’s movements even before it goes out to sea.
The malware could also be ransomware, which would lock up the computer until a huge amount is paid to the hackers, he said.
The consultant urged government to have wider cybersecurity awareness by creating an interagency task force that would collaborate with ethical hackers and cybersecurity researchers.
He also urged government to do a sweep of all government workstations, particularly in top government offices, to ensure that these are not infected with malware.
“In this particular incident, although it was prevented, it doesn’t mean that it did not happen to other computers,” he said.