DTI Foreign Trade Service Corps allegedly targeted in ransomware attack — Deep Web Konek

• Photo from Pixabay

By TechWatch PH Staff

The Department of Trade and Industry (DTI)– Foreign Trade Service Corps has allegedly been targeted by a ransomware group, according to a post by cybersecurity watchdog Deep Web Konek (DWK).

DWK posted that the Foreign Trade Service Corps was listed on a ransomware leak site operated by the threat actor known as “The Gentlemen,” suggesting a possible ransomware-related security incident involving the DTI unit. The listing was reportedly discovered on January 11, at around 5:59 p.m.

“The Department of Trade and Industry (DTI) – Foreign Trade Service Corps has been listed on a ransomware leak site operated by the threat actor known as The Gentlemen,” DWK said in a post.

While the appearance of an organization on a ransomware leak site does not automatically confirm the scope of a breach, DWK noted that ransomware groups typically publish victim names only after allegedly exfiltrating data prior to encrypting affected systems.

The leak reportedly references publicly available information about the Foreign Trade Service Corps, including its role in promoting Philippine exports, supporting trade facilitation efforts, and assisting micro, small, and medium enterprises (MSMEs).

As of this writing, there is no public indication of what type of data may have been accessed or whether sensitive government or partner information was involved.

Operating under the DTI, the Foreign Trade Service Corps plays a critical role in the country’s international trade engagement and export promotion programs. Any confirmed compromise could potentially affect trade-related initiatives and stakeholders that rely on its services.

According to DWK, ransomware group “The Gentlemen” has previously been linked to attacks against Philippine-related organizations.

“The threat actor The Gentlemen has previously been linked to ransomware activity targeting Philippine-related organizations. A few months prior to this incident, the same group was associated with a breach involving 2GO Group, a major logistics and transportation company in the Philippines. That earlier case highlighted the group’s ability to target both government-linked institutions and large private-sector enterprises,” said DWK.

As of publication, the DTI has yet to issue an official statement confirming or denying the alleged attack. It also remains unclear whether systems were disrupted, data was exfiltrated, or negotiations are underway.

DWK is a Philippine-based cybersecurity advocacy group that specializes in monitoring and addressing threats originating from the deep web and dark web, particularly those affecting local organizations and institutions.

On January 15, DWK also reported that a separate alleged collection of sensitive documents linked to the Philippines’ preparations for ASEAN 2026 had surfaced on a dark web forum.

DWK said the dataset was advertised in a post dated December 30, 2025, by a threat actor using the alias “OperationDawn,” who claimed that the archive contains several gigabytes of data and is being sold exclusively to a single buyer.

“While the seller asserts the authenticity of the materials, the account shows limited activity and no established reputation, a factor that warrants caution at this stage,” DWK said.

Meanwhile, the Department of Information and Communications Technology (DICT) confirmed that it is aware of reports regarding the unauthorized disclosure of a limited set of documents related to preparations for ASEAN 2026 activities in the Philippines.

“Based on initial assessments, the documents are preparatory and administrative in nature and do not include substantive ASEAN agenda papers, official deliberations, or policy discussions. There is currently no indication that ASEAN systems, platforms, or classified deliberative materials were compromised,” the DICT said in a social media post.

The agency added that the Philippine National Police (PNP), in coordination with relevant law enforcement and intelligence agencies, is conducting an active investigation to determine the circumstances surrounding the incident. The DICT said it is closely coordinating with these agencies to support ongoing forensic, containment, and monitoring efforts.