DPWH ransomware attack linked to Bashe group (APT73)

    Rameses Quiambao
    Participant

    Summary

    On March 29, 2026, the Department of Public Works and Highways (DPWH) ransomware incident escalated following partial data leaks attributed to the Bashe ransomware group (APT73).

    The threat actor claimed to have exfiltrated approximately 50GB of data, with an initial 1.77GB sample already released and analyzed.

    Initial findings confirm compromise of the DPWH mail system, exposing internal communications and sensitive datasets.

    Research Source

    According to analysis from Deep Web Konek (DWK Team), the leaked data was validated after being published by the threat actor on its leak site.

    The dataset appears to originate from direct extraction from a mail server or backup, rather than from manual collection.

    Technical Details

    Analysis of the leaked 1.77GB dataset revealed:

    • Over 2,000 email files
    • More than 78,000 email records extracted
    • Nearly 2,000 URLs
    • Over 7,000 contact numbers
    • Linked datasets containing names, emails, job titles, and affiliations

    The structure of the data suggests:

    • Bulk extraction from mail archives
    • Timestamped and organized email records
    • Inclusion of attachments and bundled communications

    Observed Attack Activity

    Threat Actor
    • Bashe Ransomware (APT73)

    Initial Access & Exfiltration
    • Compromise of mail system infrastructure
    • Extraction of bulk email archives and datasets

    Data Leak Activity
    • Release of 1.77GB sample data
    • Claim of total 50GB exfiltrated data

    Exposed Content
    • Internal government communications
    • Inter-agency emails across Philippine government domains
    • Procurement and flood control documents
    • Citizen-submitted complaints (potential PII exposure)
    • Internal URLs and non-public system links

    Potential Risks
    • Exposure of internal infrastructure
    • Leakage of sensitive communications
    • Aggregation of government-related intelligence

    Impact

    The breach may result in:

    • Exposure of sensitive government communications
    • Potential compromise of personally identifiable information (PII)
    • Increased risk of phishing and social engineering
    • Disclosure of internal systems and infrastructure links
    • Reputational and operational impact on DPWH and related agencies

    The presence of cross-agency communication data increases the risk beyond a single organization, potentially affecting multiple government entities.

    Mitigation

    Recommended actions include:

    • Conduct a full forensic investigation of affected systems
    • Reset credentials associated with compromised mail systems
    • Review and restrict access to internal portals and URLs
    • Monitor for phishing attempts using leaked data
    • Notify affected individuals if PII exposure is confirmed
    • Strengthen email security and backup protection mechanisms

    Government agencies should also coordinate incident response across affected departments.

    References
    https://konek.hn.plus/item/182243/initial-review-of-dpwh-ransomware-attack-confirms-exposure-of-internal-communications
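The Technical Details and Mitigation sections above describe what an exposure assessment of a leaked mail archive has to establish: how many messages and address records are present, which agency domains appear (the cross-agency risk), which URLs point at non-public systems, and which individuals would need notification if PII is confirmed. The script below is an added example written for this thread, not code from the DWK Team or the original post. It parses a constructed set of .eml messages with Python's standard `email` module, tallies those figures, and masks addresses and phone numbers so the resulting report does not itself re-leak PII. All domains (`*.gov.example`, `citizen-mail.example`), names, numbers and the `internal_suffixes` setting are placeholders.

```python
"""Scope a leaked mail archive for an exposure report (added example, constructed data)."""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample of three extracted .eml files; placeholder domains and fake numbers.
SAMPLE_EMLS = [
"""From: Procurement Office <procurement@agency-a.gov.example>
To: Jane Dela Cruz <jdelacruz@agency-b.gov.example>, ops@agency-a.gov.example
Subject: Re: bid documents
Date: Mon, 03 Mar 2025 09:12:00 +0800

Please review http://intranet.agency-a.gov.example/portal/bids/2025-017 before Friday.
Reach me at 0917 123 4567 if the link fails.
""",
"""From: Juan Reyes <juan.reyes@citizen-mail.example>
To: complaints@agency-a.gov.example
Subject: Road complaint, Barangay San Isidro
Date: Tue, 04 Mar 2025 14:30:00 +0800

The road in front of our school has been impassable since the flood.
You may call me at +63 918 765 4321.
""",
"""From: flood-control@agency-a.gov.example
To: regional.office@agency-c.gov.example
Cc: Jane Dela Cruz <jdelacruz@agency-b.gov.example>
Subject: Q4 flood control report
Date: Wed, 05 Mar 2025 08:05:00 +0800

Report: https://docs.agency-a.gov.example/flood/2024-q4.pdf
Public notice: https://www.example.com/notices/flood-2024
Landline for the regional office is (02) 8123-4567.
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Philippine mobile numbers (09xx / +63 9xx) and (0x) area-code landlines; assumed shapes.
PHONE_RE = re.compile(r"(?:\+63|\b0)[\s-]?\d{3}[\s-]?\d{3}[\s-]?\d{4}\b|\(0\d\)\s?\d{4}-\d{4}")


def _text_body(msg):
    """Concatenate the text/plain parts of a message (handles single-part and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _is_internal(url, suffixes):
    """A URL is 'internal' when its host falls under one of the agency suffixes."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(suffixes)


def mask_address(addr):
    """Keep first character of the local part and the domain: j********@agency.example"""
    local, _, domain = addr.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(number):
    """Keep only the last four digits so the report can be shared without re-leaking PII."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def parse_messages(raw_messages):
    """Parse raw .eml text into the fields an exposure assessment needs."""
    parsed = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        header_values = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
        addresses = [addr.lower() for _, addr in getaddresses(header_values) if addr]
        body = _text_body(msg)
        parsed.append({
            "date": msg.get("Date", ""),
            "subject": msg.get("Subject", ""),
            "addresses": addresses,          # every From/To/Cc occurrence, duplicates kept
            "urls": URL_RE.findall(body),
            "phones": PHONE_RE.findall(body),
        })
    return parsed


def summarize(parsed, internal_suffixes=(".gov.example",)):
    """Tally the archive the way an exposure report needs it, with PII masked."""
    address_hits = [a for m in parsed for a in m["addresses"]]
    unique_addresses = set(address_hits)
    domains = Counter(a.split("@", 1)[1] for a in address_hits)
    all_urls = [u for m in parsed for u in m["urls"]]
    phones = {p for m in parsed for p in m["phones"]}
    # Addresses outside the agency domains are the likely citizens/contractors to notify.
    external = sorted(a for a in unique_addresses if not a.endswith(internal_suffixes))
    return {
        "messages": len(parsed),
        "address_records": len(address_hits),
        "unique_addresses": len(unique_addresses),
        "agency_domains": sorted(d for d in domains if d.endswith(internal_suffixes)),
        "urls": len(all_urls),
        "internal_urls": sum(1 for u in all_urls if _is_internal(u, internal_suffixes)),
        "unique_phones": len(phones),
        "notification_candidates": [mask_address(a) for a in external],
        "masked_phones": sorted(mask_phone(p) for p in phones),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_messages(SAMPLE_EMLS)).items():
        print(f"{key:24} {value}")
```

In a real engagement the `SAMPLE_EMLS` list would be replaced by reading each extracted `.eml` from disk, and `internal_suffixes` by the agency domains actually in scope; the `agency_domains` entry is what turns the single-organization figures into the cross-agency picture the Impact section warns about.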
