Senior Forensic Investigator Michael John Marcos of Pacific Strategies & Assessments explains the differences between original emails from TVI Resource Development (Phils) Inc. and fraudulent and fabricated emails purporting to have come from the Canadian mining company. InterAksyon.com
MANILA, Philippines — A Canadian mining firm operating in the Southern part of the Philippines was discovered to have been a victim of a “sophisticated, vicious, and concerted” cyber attack so large it even involved deception of the highest government officials of the land including the President, officials revealed Monday.
According to results of separate digital forensic investigations shown to the media by executives of the TVI Resource Development (Phils) Inc. (TVIRD), the cyber attacks involved 21 sets of email messages purporting to have come from the company, alleging the mining firm’s top officials of involvement in “murder and other criminal conspiracies” against small-scale miners in Balabag, Bayog, Zamboanga del Sur.
TVIRD legal adviser Fulgencio Factoran, Jr. vehemently denied the accusations leveled against the firm, saying these are “clear dirty tricks operation” used to “criminally misrepresent TVIRD.”
“We are a legitimate, multi-million dollar publicly listed business. Our business practices here and in various parts of the world are beyond reproach,” Factoran added.
TVIRD operates a gold, silver, and copper-zinc mining project at the town Siocon town in Zamboanga del Norte.
According to forensic experts from Pacific Strategies & Assessments (PSA), the firm commissioned by TVIRD to look into the authenticity of the purportedly fake emails, the messages that were circulated and sent to Aquino and other top government officials had questionable elements that differentiate it from other standard emails usually sent out by TVIRD.
“Every email has a unique identifier,” explained Michael John Marcos, senior forensic investigator at PSA. “The sender’s email, date, and time is usually combined to create this random unique identifier.”
Marcos said that in the original emails given to them by TVIRD, the messages’ unique identifiers vary from email to email. With the purportedly fake documents they examined, however, “the unique identifiers are the same in all the emails.”
The PSA investigator likewise noted glaring differences in the scaling of the company’s logo in most emails, the grammatical lapses in the purportedly fake messages, as well as the name-dropping of a company, which allegedly made sure that the email conversation is secure and untraceable, when in fact the company only provides web development and IT outsourcing services.
Meanwhile, a freelance forensic expert consulted by PSA churned out the same observations, noting how the tone and the language of the email messages appear as if three individuals drafted the documents.
“It appears that there are three individuals who crafted these [email messages] because of the choice of words,” said Dr. Ariel Manlusoc, a freelance forensic specialist. “One is seemingly connected to the military because of the use of words such as absolves and liquidates, one has a more direct and vulgar language, while a third appears to be more professional.”
Marcos also noted that based on examinations of documents attached to the emails, the sources of the email “spent about three hours” to edit the documents to make them look like the originals, underscoring the sophistication in the methods of the cyber attackers.
These elements have led the investigators to conclude that some of the emails can be considered fraudulent, while some can be deemed fabricated.
“It is my strong conviction that there were really a fraudulent execution of documents in this case,” added Manlusoc.
The National Bureau of Investigation (NBI), whose help was also sought by TVIRD, concurred with the private investigators’ conclusions.
“It appears that there is a grand strategy to maliciously discredit TVIRD and the individual complainants with the ultimate objective of forcing TVIRD to give up its MPSA (Mineral Production Sharing Agreement) area in Balabag so the small-scale miners will have exclusive possession over the area of their illegal mining operations,” said part of the NBI investigation’s report, which was handed to the media on Monday.
“It is thus clear that the purported emails could not have originated from TVIRD or any of its officers or employees,” the report added.
The NBI has suggested filing cases of libel and falsification of private documents against three individuals identified to have direct connection with the creation of fake emails. TVIRD said it has already filed a case at the Makati Regional Trial Court on Friday.
Marcos and Manlusoc said cases of fake emails have been happening in the Philippines for some time now, but that this case was “more large-scale” and more targeted considering the people to whom the fraudulent and fabricated email messages was sent to.
