Incident-as-a-Service
The Philippine military said the country continues to face escalating cybersecurity threats ...
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Security Analysts and SOC Engineers who need to improve detection capabilities and response playbooks for advanced cyberattacks.
- IT Administrators and Network Engineers responsible for implementing defensive controls and hardening infrastructure against the specific tactics used in this incident.
- CISOs and Risk Managers who must understand the threat landscape to justify security investments, manage vendor risk, and ensure alignment with frameworks like NIST CSF and GDPR.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Case Study: The Philippine Military Cyberattack
Lesson 1 of 16 · Lesson 1.1: Case Study: The Philippine Military Cyberattack
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5-17 | ICT risk management framework and governance |
| ISO 27001 | A.5.1 | Management direction for information security |
| NIST CSF | ID.RA-1 | Asset vulnerabilities are identified and documented |
| NIS2 | Article 21 | Risk management measures for network and information systems |
| SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: Case Study: The Philippine Military Cyberattack! Over the next 45 minutes, we will explore how a sophisticated cyberattack unfolded against a national defence organisation, and what it teaches us about modern threat intelligence.
But first, let me tell you about Major Ana Santos.
It's 08:30 on a Tuesday in October. Major Ana Santos, a logistics officer at the Philippine Army headquarters in Manila, is reviewing supply manifests for a joint military exercise. The morning sun filters through the blinds, catching the dust motes in the air. Her computer hums quietly, connected to the secure military network. She sips her coffee, scanning rows of data for ammunition and rations.
A routine email notification pops up. It appears to be from the exercise planning committee, with a subject line about updated transport schedules. The sender's address looks correct. She clicks the attachment, a PDF labelled 'Revised_Logistics_Timeline.pdf'. Her computer hesitates for a second before the document opens, displaying a familiar-looking table. Nothing seems out of place.
Over the next hour, Ana notices her computer is running slower than usual. Simple tasks take longer. She dismisses it as a system update running in the background. What she doesn't know is that the PDF she opened didn't contain a schedule. It contained a weapon. A hidden script has been running, quietly mapping her network privileges and searching for a connection to the wider defence network.
This is the story of a targeted cyberattack. By the end of this lesson, you'll understand exactly why Ana never stood a chance, and more importantly, what could have saved her.
Content Section 1: What is a Targeted Cyberattack?
Think of a targeted cyberattack not as a random smash-and-grab, but as a precision burglary. The thieves don't try every door on the street. They study one specific house, learn the family's routine, and craft a key for that exact lock.
Key Characteristics
A targeted attack focuses on a specific organisation or individual, unlike widespread malware. The goal is often to steal sensitive information, disrupt operations, or gain a strategic advantage. In the case of a military target, the objective could be troop movements, defence plans, or supply chain data.
These attacks often start with reconnaissance. Attackers gather information from public sources, social media, or previous data breaches to craft a believable lure. The email Ana received was convincing because it used real details about the upcoming exercise.
The implications are serious. A successful breach in a defence organisation can compromise national security, expose personnel, and undermine public trust. The damage isn't just digital; it has real-world consequences.
The Attacker's Objective
In a military context, the objective is rarely financial. Research suggests the primary goals are espionage, sabotage, and gaining strategic insight. Access to logistics data, like what Ana handled, can reveal troop strength, deployment readiness, and supply vulnerabilities.
Industry data indicates that attacks on government and defence sectors often have longer dwell times—the period an attacker remains undetected inside a network. This allows them to move slowly, gather more information, and plan their next steps carefully.
Think about that last point for a moment. The attackers weren't after money. They were after information that could influence the security of a nation.
DORA Article 5-17: DORA requires financial entities to have strong ICT risk management. For defence, the principle is the same: knowing your critical assets (like logistics data) and their vulnerabilities is the first step in protecting them.
ISO 27001 A.5.1: ISO 27001 mandates that management provides clear direction and support for information security. Without this top-level commitment, security policies are just documents, and staff like Ana aren't equipped to be the first line of defence.
Content Section 2: The Anatomy of the Breach
Understanding the attack flow reveals why it's so effective. Let me show you exactly how Ana was compromised, step by step.
Attack Flow
Step 1: Reconnaissance. Attackers researched the upcoming joint military exercise. They identified likely participants and crafted a credible lure—an email about logistics.
Step 2: Weaponisation. They created a malicious PDF document. The PDF appeared normal but contained hidden code designed to exploit a vulnerability in the PDF reader or operating system.
Step 3: Delivery. The email was sent to a list of targets, including Ana. The sender address was spoofed to look like it came from a legitimate internal committee.
Step 4: Exploitation. When Ana opened the PDF, the hidden code executed. This step is often silent; the user sees the decoy document while the malware installs in the background.
Step 5: Installation. A backdoor or remote access tool was installed on Ana's computer, giving the attackers a foothold inside the military network.
Step 6: Command & Control (C2). The malware called back to a server controlled by the attackers, awaiting further instructions.
Step 7: Actions on Objectives. With access established, the attackers began to move laterally, searching for the specific data they wanted—the logistics and supply manifests.
Key Technical Components
The malicious PDF likely used a 'fileless' technique. Instead of dropping a suspicious executable file on the disk, the malware runs directly in the computer's memory (RAM). This makes it much harder for traditional antivirus software to spot.
To communicate, the malware would use common internet protocols like HTTPS, making its traffic look like normal web browsing. It might also use 'domain generation algorithms' (DGAs) to constantly change the address of its command server, evading blocklists.
Why Traditional Defences Fail
This attack was designed to slip past common security measures. Here's how:
| Defence Method | How It's Bypassed | Result |
|---|---|---|
| Email Filtering | The email was well-crafted, with a believable sender and subject. No malicious links were in the body; the threat was in the attachment. | Email delivered |
| Signature-based Antivirus | The malware was new or 'fileless', lacking a known signature for the antivirus to detect. | File opened without alert |
| Network Firewalls | Initial infection requires outbound communication, which is usually allowed. Malware uses standard HTTPS ports. | C2 channel established |
| User Training | The lure was highly relevant and timely (the exercise). Even a cautious user might click. | Social engineering succeeds |
Notice what all of these methods have in common. They focus on known threats or perimeter defence. The attack succeeded by being novel, targeted, and exploiting the human element inside the perimeter.
Now pay attention, because Step 4 is the moment that changed everything. This is the moment where a simple user action, opening a file, bypassed the network's perimeter defences completely.
NIST ID.RA-1: The NIST CSF category 'Identify - Risk Assessment' requires organisations to understand their vulnerabilities. This attack exploited both a technical vulnerability (in the PDF software) and a human vulnerability (Ana's need to open work documents). A proper risk assessment would flag both.
NIS2 Article 21: NIS2 mandates risk management measures. This includes not just technical controls, but also processes for handling incidents and raising staff awareness—both of which were critical gaps in this scenario.
Content Section 3: Detection: Seeing the Unseen
Ana's computer knew something was wrong. The unusual processes, the network calls to strange domains—it just couldn't tell her. Modern detection is about listening to those subtle signals.
Network-Level Indicators
Unusual outbound connections are a major red flag. Security teams should monitor for workstations, especially those of non-technical staff like logistics officers, making repeated HTTPS calls to new or suspicious external domains, particularly ones hosted in regions with no business relevance.
A spike in data volume leaving the network, particularly from a single user's machine, can indicate data exfiltration. In this case, compressed logistics files being sent out would be a clear signal.
Look for 'beaconing'—the regular, timed call-backs from malware to its command server. Network analysis tools can spot this patterned behaviour, which is unnatural for human browsing.
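One way to turn the beaconing indicator above into a concrete check, as an added example that is not part of the course material: it parses a constructed four-field proxy log (timestamp, workstation, destination host, bytes sent; the format is an assumption) and flags source/destination pairs whose connection intervals are too regular for human browsing, while tolerating the jitter real implants add.

```python
"""Beaconing detector over constructed proxy log lines (added example; the log format is assumed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <workstation> <destination host> <bytes sent>".
# One destination is contacted every ~5 minutes with near-identical sizes (the beacon);
# the other shows the irregular timing and sizes of a person reading web pages.
SAMPLE_LOG = """\
2024-10-08T09:00:00 WS-LOG-17 updates.example-vendor.test 512
2024-10-08T09:00:04 WS-LOG-17 news.example.test 18300
2024-10-08T09:05:01 WS-LOG-17 updates.example-vendor.test 498
2024-10-08T09:07:30 WS-LOG-17 news.example.test 22100
2024-10-08T09:09:59 WS-LOG-17 updates.example-vendor.test 505
2024-10-08T09:15:02 WS-LOG-17 updates.example-vendor.test 511
2024-10-08T09:19:58 WS-LOG-17 updates.example-vendor.test 503
2024-10-08T09:23:11 WS-LOG-17 news.example.test 9800
2024-10-08T09:25:00 WS-LOG-17 updates.example-vendor.test 509
2024-10-08T09:30:03 WS-LOG-17 updates.example-vendor.test 500
"""


def parse_proxy_log(text):
    """Parse the assumed four-field format into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are too regular for human browsing.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    connections. Real malware adds jitter, so the threshold accepts some spread
    instead of demanding identical intervals; min_connections avoids alerting on
    a pair seen only a couple of times.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_proxy_log(text):
        by_pair[(src, dst)].append((ts, size))
    beacons = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "connections": len(conns),
                            "mean_interval_s": round(avg, 1), "interval_cv": round(cv, 3),
                            "mean_bytes_out": round(mean(s for _, s in conns))})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}: {b['connections']} connections, "
              f"every ~{b['mean_interval_s']}s (cv={b['interval_cv']}), ~{b['mean_bytes_out']} bytes each")
```

Tune `max_cv` and `min_connections` against a baseline of your own proxy data before alerting on it, since legitimate software updaters also poll on fixed schedules and belong on an allowlist rather than in the alert queue.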
Endpoint-Level Indicators
An unexpected process spawned by a trusted application, such as a PDF reader launching PowerShell or Command Prompt, is a classic sign of exploitation.
Changes to system files or registry entries that are made by a user account, not by a system update, can indicate persistence mechanisms being installed. Fileless malware will often leave traces in event logs or Windows Management Instrumentation (WMI) repositories.
Monitoring for these requires Endpoint Detection and Response (EDR) tools that track process behaviour, not just scan file signatures.
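The parent/child process rule described above, as an added example rather than code from the course: it walks a constructed set of Sysmon-style process-creation events (the field names are assumed) and alerts when a scripting interpreter has a document reader among its recent ancestors, so a reader that spawns cmd.exe, which in turn spawns PowerShell, is caught even though PowerShell's direct parent is not the reader.

```python
"""Reader-spawns-interpreter rule over constructed process-creation events (added example; schema assumed)."""
import ntpath

# Constructed sample events: process id, parent process id, image path, user.
EVENTS = [
    {"pid": 900,  "ppid": 4,    "image": "C:\\Windows\\System32\\userinit.exe", "user": "SYSTEM"},
    {"pid": 1200, "ppid": 900,  "image": "C:\\Windows\\explorer.exe", "user": "ARMY\\ana.santos"},
    {"pid": 1300, "ppid": 1200, "image": "C:\\Program Files\\Reader\\AcroRd32.exe", "user": "ARMY\\ana.santos"},
    {"pid": 1310, "ppid": 1300, "image": "C:\\Windows\\System32\\cmd.exe", "user": "ARMY\\ana.santos"},
    {"pid": 1320, "ppid": 1310, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "user": "ARMY\\ana.santos"},
    # A reader launching its own updater is expected and must not alert (constructed helper name).
    {"pid": 1400, "ppid": 1300, "image": "C:\\Program Files\\Reader\\reader_updater.exe", "user": "ARMY\\ana.santos"},
    # An administrator opening PowerShell from Explorer is normal and must not alert.
    {"pid": 1500, "ppid": 1200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "user": "ARMY\\it.admin"},
]

DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _name(image):
    """Case-insensitive executable name from a Windows path (works on any host OS)."""
    return ntpath.basename(image).lower()


def find_suspicious_spawns(events, max_depth=3):
    """Return one alert per interpreter process that has a document reader within max_depth ancestors.

    Looking beyond the direct parent matters because exploitation chains often
    insert an intermediate shell between the reader and the final interpreter.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = _name(e["image"])
        if child not in INTERPRETERS:
            continue
        chain = [child]
        cur, depth = e, 0
        while depth < max_depth and cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(_name(cur["image"]))
            if chain[-1] in DOCUMENT_READERS:
                alerts.append({"pid": e["pid"], "user": e["user"], "chain": list(reversed(chain))})
                break
            depth += 1
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_spawns(EVENTS):
        print(f"pid {a['pid']} ({a['user']}): " + " -> ".join(a["chain"]))
```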
Identity and Behaviour Signals
Ana's user account suddenly accessing network shares or systems she never used before would be a huge red flag. This is a sign of 'lateral movement' as the attacker uses her credentials to explore.
A run of failed login attempts followed by a success from the same workstation, especially at an unusual hour (like 02:00), can indicate credential stuffing or brute-force attacks after the initial foothold is gained.
Security experts recommend implementing User and Entity Behaviour Analytics (UEBA). This establishes a baseline of normal activity for each person and device, making anomalies like these stand out clearly.
SOC 2 CC7.1: SOC 2 requires detection and monitoring procedures to identify new vulnerabilities and suspicious activity. The network and endpoint indicators described here are exactly the types of monitoring controls an auditor would expect to see evidence of.
GDPR Article 32: GDPR requires appropriate security for personal data. If personnel data was on the compromised system, the lack of detection for this attack could represent a failure to meet the 'security of processing' requirement, potentially leading to a personal data breach.
Activity: Threat Intelligence Briefing Draft
Apply what you've learned by drafting the core of a threat intelligence briefing for your organisation, based on this case study.
Important Security Note: Do NOT include any real or specific information about your organisation's vulnerabilities, network architecture, or security controls in your submission. This is a training exercise using a public case study.
Instructions
Step 1: Define the Threat Actor: Based on the lesson, describe the likely profile (e.g., motivation, capability, target selection). Use the 'Targeted Cyberattack' characteristics.
Step 2: Map the Attack Chain: Outline the 7-step attack flow (Reconnaissance to Actions) as it applied to this case, in simple terms suitable for a management briefing.
Step 3: List Key Detection Indicators: Identify 3-5 of the most telling network, endpoint, or behavioural indicators from the lesson that your security team should prioritise monitoring for.
Step 4: Recommend One Strategic Action: Propose one high-level policy, training, or technical investment that could disrupt this type of attack chain, explaining why it would be effective.
Submission
For the course discussion forum, share general learnings only:
- Which step in the attack chain did you find was the most critical to disrupt, and why?
- What category of detection indicators (network, endpoint, or behaviour) seems most valuable for early warning?
- What was the most challenging part of translating technical details into a briefing for a broader audience?
Do NOT share: Your organisation's name, specific security tools you use, details of past security incidents, or any internal network information.
Review and comment on at least two other students' submissions, focusing on the clarity and logic of their recommended strategic action.
Content Section 4: Building Your Compliance Evidence
Compliance documentation is often seen as a box-ticking exercise. But in this case, it's the blueprint for your defence. Good frameworks ask exactly the questions this attack exposed.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
- DORA Article 5-17: For DORA auditors, you can now demonstrate that your team has been trained on specific, real-world ICT threat scenarios (like targeted military cyberattacks) as part of your risk management framework.
- ISO 27001 A.5.1: For ISO 27001 assessors, you can evidence that information security awareness training includes case studies on sophisticated social engineering, linking management policy (A.5.1) to practical staff education.
- NIST ID.RA-1: For NIST CSF reviewers, you can show you have processes to identify vulnerabilities through threat intelligence analysis, using this lesson to document how you stay informed about attack techniques relevant to your sector.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed: 1.1 - Case Study: The Philippine Military Cyberattack
- Time invested: approximately 45 minutes
- Key learnings in your own words: The 7-step attack chain, why perimeter defences fail against targeted attacks, key behavioural detection indicators.
- Activity submission reference: Your Threat Intelligence Briefing draft.
- Follow-up actions identified: e.g., 'Review our own phishing test scenarios for relevance' or 'Schedule a briefing with our security team on lateral movement detection.'
Conclusion
Let me tell you how Ana's story ended.
The attack was discovered not by an automated alert, but days later by a network analyst who noticed anomalous traffic from a server in the logistics department. By then, significant amounts of data on the joint exercise had been exfiltrated. The exercise plans had to be hastily revised at great cost. Ana faced a formal disciplinary review for violating policy by opening an unsolicited attachment, despite the email's convincing appearance. Her career was permanently stalled.
The organisation eventually invested in an EDR platform and mandated more rigorous, scenario-based security training. But these were reactive measures. The damage to operational security and morale was already done.
But it doesn't have to be your story. That's why we're here.
You should now understand what a targeted cyberattack looks like and its potential impact. You understand the step-by-step anatomy of a breach, from reconnaissance to data theft. You know why traditional, perimeter-based defences are often insufficient. And you understand the key behavioural and technical indicators that can provide early detection.
Next, we'll explore Lesson 1.2: The Psychology of Social Engineering. We'll break down exactly how attackers manipulate human behaviour to bypass even the most expensive technology, and how to build a human firewall.
See you there.
Key Takeaways
1. Targets Matter: A targeted cyberattack is defined by its specific victim and objective, often aiming for strategic espionage or sabotage rather than financial gain, making the potential consequences far more severe.
2. The Attack Chain is Predictable: Sophisticated attacks follow a recognisable sequence—reconnaissance, weaponisation, delivery, exploitation, installation, command & control, and actions on objectives—and disrupting any link can stop the breach.
3. Detection Shifts Inward: Because targeted attacks bypass perimeter defences, effective detection must focus on internal signals: unusual user behaviour, anomalous network flows from endpoints, and suspicious process activity.
4. Compliance is a Defence Blueprint: Frameworks like NIST CSF and ISO 27001 provide the structured questions about risk, detection, and response that this case study shows are necessary, turning compliance from an audit task into a security strategy.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the 7-step attack chain and the key network, endpoint, and behavioural detection indicators for the Philippine Military Cyberattack case study on a single page for your security operations centre.
- Compliance Mapping Worksheet - Map the controls and lessons learned from this military cyberattack case study to the specific requirements of DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR frameworks.
- Risk Assessment Template - Assess your organisation's exposure to targeted cyberattacks using the reconnaissance and delivery methods covered in this lesson, focusing on publicly available information and supply chain relationships.
- Further reading - Links to official framework documentation (NIST, ISO) and threat intelligence sharing platforms for tracking advanced persistent threat (APT) activity and targeted attack methodologies.
Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access — ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.
Not ready to purchase? Create a free account to browse and track progress.