Operation Liwanag: The Same Map a Chinese Intelligence Asset Drew of Philippine Infrastructure Anyone Can Build From a Browser

A practitioner-grade methodology for surveying the Philippines' internet-exposed attack surface using Shodan, Censys, and ZoomEye. No target names, no exploitation, full responsible disclosure pipeline.


On January 17, 2025, agents of the National Bureau of Investigation walked into a condominium unit in Makati and arrested a Chinese national named Deng Yuanqing along with two Filipino accomplices. The charge was espionage. The evidence, according to the NBI, was a multi-month operation to map critical infrastructure across the Philippines, including military installations the United States retains access to under the Enhanced Defense Cooperation Agreement.

What did Deng's mapping work actually look like? Court filings have been thin on technical detail, but the operational picture is not exotic. Foreign intelligence services, organised crime, and bored teenagers in coffee shops use the same tools to do the same job. Most of them never leave a browser tab.

This post is about those tools. It is also about how any OSINT practitioner can run the same survey in an afternoon, build a defensible map of the Philippines' exposed attack surface, and turn it into a responsible disclosure pipeline instead of a target list. I call the methodology Operation Liwanag because the entire point is to put light on the parts of our country that are already public and that most defenders never bother to look at.

This is a walkthrough, not a target dump. You will not find IP addresses, hostnames, or organisation names in this post (you will see the telcos whose networks host certain servers and services, but nothing that identifies the actual infrastructure). If you do, let me know; it may have escaped the redaction process. What you will find is a method any practitioner can replicate against their own ASN, their own clients, or the national exposure picture, and a clear path for what to do with the findings.

Everything below can be replicated with the tools mentioned on their free tiers, without paying for premium or advanced features, though in some cases (CVE-based and tag-based search, for example) those features are well worth the money.

The following are queries run in Shodan

country:PH

The same query in Censys would be

host.location.country:"Philippines"

For ZoomEye:

country="Philippines"

You can also look for results that include a screenshot:

country:PH has_screenshot:true

The defender deficit

The Philippines has a thriving offensive security community. We have CTF teams that place internationally. We have a steady output of penetration testers servicing the BPO sector. What we do not have, in any meaningful volume, is published defensive surveillance work. There is no equivalent of Shadowserver's daily country report being mirrored locally. To the best of my knowledge (contact me if I have this wrong), there is no NCERT-PH-affiliated programme that periodically publishes an exposure scorecard for the country, the way the Dutch NCSC publishes for the Netherlands or the UK NCSC publishes for British infrastructure.

The defender deficit is the reason the Deng case matters past the headlines. A foreign intelligence service is going to map us whether we map ourselves or not. The asymmetry is that they keep the map. We do not.

Operation Liwanag is the inverse. The map becomes a defensive artefact. Every exposed system catalogued is one ticket in a responsible disclosure queue. Every queue cleared is a measurable reduction in national attack surface.

What we are actually counting

Before any queries, a definition. "Exposed Philippine infrastructure" is not a single thing. It is at least seven distinct categories, each with its own protocol fingerprints, its own owners, and its own disclosure pathway:

  1. Industrial Control Systems and SCADA: Modbus, Siemens S7, BACnet, EtherNet/IP, DNP3, and OPC UA endpoints reachable from the public internet. This is the highest-impact category and the smallest in volume.
  2. Government infrastructure: portals, admin panels, file shares, and management interfaces operated by national agencies, LGUs, and GOCCs.
  3. BPO sector infrastructure: exposed Remote Desktop endpoints, jump hosts, VDI gateways, and Citrix/VMware Horizon brokers. This is the largest category by volume in Metro Manila.
  4. Telecommunications infrastructure: customer-premises equipment with default credentials, exposed router admin interfaces, BMC and IPMI on telco edge gear.
  5. Banking and fintech: a small, sensitive category that lives under Bangko Sentral ng Pilipinas regulatory jurisdiction. Handle with extreme care.
  6. Building management and IoT: CCTV systems, IP cameras, building automation in Makati and BGC high-rises, residential surveillance.
  7. Cloud misconfigurations attributable to Philippine entities: S3 buckets, Azure blob containers, Elasticsearch and MongoDB instances without authentication, hosted on cloud but operated by Philippine organisations.

Each of these has a different methodology, a different signal-to-noise ratio, and a different disclosure path. Treating "the Philippines" as one bucket is a beginner mistake.

The toolkit

Three search engines, used in combination, cover the bulk of the public-internet exposure picture for any given country; none of them covers it alone.

Shodan is the oldest and most opinionated. Its banner grabbing is aggressive, its protocol parsing is mature, and its filter syntax is well documented. Shodan's country:PH filter is the lazy first step. Refining by ASN is where the real work starts.

https://www.shodan.io

Censys has cleaner certificate transparency integration and better TLS fingerprinting. For finding government and corporate assets through certificate metadata rather than banners, Censys is the sharper tool. Censys also surfaces virtual-host pivots that Shodan misses.

https://censys.io

ZoomEye has stronger coverage of Asian infrastructure, including some segments that Shodan undercounts. It is operated out of China, which is a relevant fact when you are working anything that touches PRC operational interests. Use it; do not rely on it exclusively.

https://www.zoomeye.org

You can do the entire survey with the free tiers of all three plus an API key for Shodan that costs a one-time fee. CrimeWall users get most of this pivoted through Maltego-style graph transforms, which is faster but not strictly necessary.

For automation, the survey scripts I run are Python wrappers around the Shodan and Censys SDKs with a rate-limited polite mode and a deduplication layer that joins on IP/port/service-fingerprint to prevent double-counting. I am building these out into a branded utility called Bantay-Eye, which will be the first public release in what I intend to be the OSINT-PH tool suite. Watch this blog for the GitHub drop.

You may also want to look at

Shodan Terminal

Methodology: ASN-first, not country-first

The most common mistake new practitioners make is to start with country:PH and stop there. The filter is approximate. Shodan's GeoIP attribution is good but not surgical, and you will pull in transit hops, cloud-tenant misattributions, and CDN edges that are not really "Philippine" in any operational sense.

A better approach is ASN-first. The Philippine address space is concentrated in a small number of major ASNs:

  • PLDT and its subsidiaries
  • Globe Telecom
  • Converge ICT
  • Sky Cable / ABS-CBN Convergence
  • DITO Telecommunity
  • A handful of corporate ASNs operated by banks, conglomerates, and government-owned-and-controlled corporations

For a credible national survey, you enumerate the ASN list from PeeringDB or BGP.tools, then query each ASN individually:

asn:AS9299
asn:AS4775
asn:AS17639

Then you union the results, deduplicate by IP, and tag each result with the originating ASN. The output is a per-ASN exposure profile, which is far more actionable than a country aggregate because each ASN maps to an accountable entity.
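
As an added example (mine, not the unreleased Bantay-Eye code), here is the union-and-deduplicate step from the toolkit section and the per-ASN tagging described above, in Python. The record shapes are simplified stand-ins for what the Shodan, Censys and ZoomEye APIs return, the hosts are constructed from RFC 5737 documentation ranges, and the ASN is read from each record's own AS field; in a real ASN-first run you would tag with the ASN you queried. The dedup key is IP, port and a normalised service fingerprint, and the last function surfaces exposures that only one engine reported, which is the disagreement you will want to look at twice in the ICS section.

```python
"""Union Shodan, Censys and ZoomEye results, deduplicate on (ip, port, fingerprint),
and build a per-ASN exposure profile. Added example; the engine record shapes are
simplified stand-ins and the hosts are constructed (RFC 5737 documentation ranges)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Deduplication key: one IP, one port, one normalised service fingerprint."""
    ip: str
    port: int
    fingerprint: str


# Product strings that mean the same service in different engines (extend as you go).
FINGERPRINT_ALIASES = {
    "remote desktop protocol": "rdp", "ms-wbt-server": "rdp",
    "s7": "siemens-s7", "siemens s7": "siemens-s7", "s7comm": "siemens-s7",
    "modbus tcp": "modbus",
}


def normalise_fingerprint(raw):
    key = " ".join((raw or "unknown").lower().split())
    return FINGERPRINT_ALIASES.get(key, key)


def normalise_asn(raw):
    """Accept 9299, "9299" or "as9299" and return "AS9299"."""
    return f"AS{int(str(raw).upper().removeprefix('AS'))}"


# One adapter per engine; each yields (engine, asn, Exposure).
def from_shodan(records):
    for r in records:
        yield "shodan", normalise_asn(r["asn"]), Exposure(
            r["ip_str"], int(r["port"]), normalise_fingerprint(r.get("product")))


def from_censys(records):
    for r in records:
        asn = normalise_asn(r["autonomous_system"]["asn"])
        for svc in r["services"]:
            yield "censys", asn, Exposure(
                r["ip"], int(svc["port"]), normalise_fingerprint(svc.get("service_name")))


def from_zoomeye(records):
    for r in records:
        p = r["portinfo"]
        yield "zoomeye", normalise_asn(r["asn"]), Exposure(
            r["ip"], int(p["port"]), normalise_fingerprint(p.get("service")))


def merge(*adapters):
    """Union every engine; remember which engines and which ASNs saw each exposure."""
    merged = defaultdict(lambda: {"engines": set(), "asns": set()})
    for adapter in adapters:
        for engine, asn, exp in adapter:
            merged[exp]["engines"].add(engine)
            merged[exp]["asns"].add(asn)
    return dict(merged)


def per_asn_profile(merged):
    """Per ASN: distinct hosts, exposed services, and a fingerprint histogram."""
    hosts, services, fps = defaultdict(set), Counter(), defaultdict(Counter)
    for exp, meta in merged.items():
        for asn in meta["asns"]:
            hosts[asn].add(exp.ip)
            services[asn] += 1
            fps[asn][exp.fingerprint] += 1
    return {asn: {"hosts": len(hosts[asn]), "services": services[asn],
                  "by_fingerprint": dict(fps[asn])} for asn in hosts}


def single_engine_only(merged):
    """Exposures reported by exactly one engine: the disagreements worth a second look."""
    return sorted((e for e, m in merged.items() if len(m["engines"]) == 1),
                  key=lambda e: (e.ip, e.port))


# Constructed sample output. The duplicate Shodan row mimics a re-crawl of the same service.
SHODAN = [
    {"ip_str": "203.0.113.10", "port": 502, "product": "Modbus", "asn": "AS9299"},
    {"ip_str": "203.0.113.10", "port": 502, "product": "modbus", "asn": "AS9299"},
    {"ip_str": "198.51.100.7", "port": 3389, "product": "Remote Desktop Protocol", "asn": "AS4775"},
]
CENSYS = [
    {"ip": "203.0.113.10", "autonomous_system": {"asn": 9299},
     "services": [{"port": 502, "service_name": "MODBUS"}]},
    {"ip": "198.51.100.9", "autonomous_system": {"asn": 4775},
     "services": [{"port": 102, "service_name": "S7"}]},
]
ZOOMEYE = [
    {"ip": "198.51.100.7", "asn": "4775", "portinfo": {"port": 3389, "service": "rdp"}},
]


def run_survey():
    return merge(from_shodan(SHODAN), from_censys(CENSYS), from_zoomeye(ZOOMEYE))


if __name__ == "__main__":
    result = run_survey()
    for asn, profile in sorted(per_asn_profile(result).items()):
        print(asn, profile)
    for exp in single_engine_only(result):
        print("seen by one engine only:", exp)
```

The alias table is the part that needs care in practice: engines label the same protocol differently, and an un-normalised fingerprint silently double-counts a service. The per-ASN output is what you hand to an accountable operator; the single-engine list is your triage queue.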

For organisation-specific work, add the org: filter and an SSL certificate pivot:

ssl.cert.subject.cn:*.gov.ph
ssl.cert.subject.cn:*.gov.ph asn:AS9299
ssl.cert.issuer.cn:"DigiCert" port:443 country:PH

The .gov.ph certificate pivot is particularly useful because every government hostname that was ever issued a public certificate is findable through certificate transparency logs, regardless of whether any IP currently serves that name.
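
An added example (mine, not the post's tooling) of the certificate-transparency side of this pivot: it takes crt.sh-style rows for the zone, lower-cases and deduplicates every name, rejects lookalikes that merely contain the zone, groups hosts by the agency label under gov.ph, and flags names whose last logged certificate has already expired, since those are exactly the forgotten hosts the paragraph describes. The rows and the agency names are constructed, and the clock is fixed so the result is reproducible.

```python
"""Build a hostname inventory for a zone from certificate-transparency output.
Added example; the rows mimic crt.sh's JSON fields (name_value with one SAN per
line, not_after) and are constructed, as are the agency names."""
from collections import defaultdict
from datetime import datetime, timezone

ZONE = "gov.ph"
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)   # fixed so the run is reproducible

# Constructed crt.sh-style rows.
CT_ROWS = [
    {"name_value": "portal.agency-a.gov.ph\nwww.agency-a.gov.ph", "not_after": "2027-03-01T00:00:00"},
    {"name_value": "*.agency-b.gov.ph", "not_after": "2026-09-01T00:00:00"},
    {"name_value": "admin.agency-b.gov.ph", "not_after": "2024-02-01T00:00:00"},  # expired, still logged
    {"name_value": "agency-a.gov.ph.attacker.example", "not_after": "2027-01-01T00:00:00"},  # lookalike
    {"name_value": "PORTAL.agency-a.gov.ph", "not_after": "2026-12-01T00:00:00"},  # case variant
]


def in_zone(name, zone=ZONE):
    """True only for the zone apex or a name strictly under it; a bare suffix match is not enough."""
    return name == zone or name.endswith("." + zone)


def agency_label(name, zone=ZONE):
    """The label directly below the zone: 'admin.agency-b.gov.ph' -> 'agency-b'."""
    rest = name[: -len(zone) - 1]
    return rest.split(".")[-1] if rest else zone


def inventory(rows, zone=ZONE):
    """Map every in-zone hostname to the latest certificate expiry seen for it."""
    latest = {}
    for row in rows:
        expiry = datetime.fromisoformat(row["not_after"]).replace(tzinfo=timezone.utc)
        for raw in row["name_value"].split("\n"):
            name = raw.strip().lower()
            if in_zone(name, zone):
                latest[name] = max(latest.get(name, expiry), expiry)
    return latest


def by_agency(latest, now=NOW, zone=ZONE):
    """Group hosts per agency and flag those whose last certificate has already expired."""
    groups = defaultdict(lambda: {"hosts": [], "stale": []})
    for name, expiry in sorted(latest.items()):
        group = groups[agency_label(name, zone)]
        group["hosts"].append(name)
        if expiry < now:
            group["stale"].append(name)
    return dict(groups)


if __name__ == "__main__":
    for agency, group in sorted(by_agency(inventory(CT_ROWS)).items()):
        print(agency, group)
```

The stale list is not a vulnerability list; it is the set of names to resolve and then look up in the engines, because a host whose operator stopped renewing certificates is a host whose operator may have stopped looking at it.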

Category 1: Industrial Control Systems

ICS work demands the most care and produces the most uncomfortable findings. The protocol fingerprints and their default ports are well known:

Protocol      Port    Function
Modbus TCP    502     Industrial fieldbus
Siemens S7    102     PLC programming and HMI
BACnet        47808   Building automation
EtherNet/IP   44818   Rockwell/Allen-Bradley
DNP3          20000   Power and water utilities
OPC UA        4840    Modern industrial middleware
IEC-104       2404    Power grid telecontrol

I share a screenshot for one sample query; you can experiment with the others or come up with your own specific queries.

A first pass for the Philippines might look like:

Shodan queries:

port:502 country:PH
port:102 country:PH
port:47808 country:PH

The same protocol sweep on Censys:

host.services.port: 502 and host.location.country: "Philippines"
host.services.port: 102 and host.location.country: "Philippines"
host.services.port: 47808 and host.location.country: "Philippines"

And on ZoomEye:

port="502" && country="Philippines"
port="102" && country="Philippines"
port="47808" && country="Philippines"

Run all three. They will not agree on totals; each engine crawls on its own cadence and parses banners differently. The disagreement is the signal. A device that shows in Shodan but not in Censys is worth looking at twice: it is either freshly exposed, fingerprinted so far by Shodan only, or behind a filter (a rate limit, geo-block, or scanner blocklist) that one crawler's source ranges passed and the other's did not.

The volumes will not shock you in absolute terms. Per Forescout's January 2024 global ICS exposure data, the Philippines sits well below the major exposing countries, with the United States accounting for 27 percent of all internet-facing ICS globally and four others taking another 17 percent combined. The Philippines is in the long tail.

What does shock, in my experience, is the identity of the exposed devices. I am not going to name sectors here because the disclosure work is not finished. What I will say is that the categories of Philippine ICS exposure I have personally observed include building management systems on high-rise commercial properties, water utility telemetry in provincial deployments, and a small but non-trivial number of solar-farm SCADA endpoints from independent power producers.

For each finding, the practitioner workflow is the same:

  1. Confirm the banner is genuine and not a honeypot. Three quick filters: an ASN mismatch against the registered owner (research honeypots cluster in commercial hosting ASNs such as DigitalOcean, Vultr, Linode, and OVH), the "honeypot" tag that Shodan shows on result cards (visible on the free tier), and a cross-check of the same IP in Censys and ZoomEye to see whether all three engines agree on the banner. Real exposure tends to be consistent across all three; a synthetic banner often is not.
  2. Identify the asset owner. WHOIS on the IP, reverse DNS, hostname patterns, certificate subject fields, and Maltego-style entity resolution all contribute.
  3. Document, do not touch. Operation Liwanag is a survey, not a penetration test. You do not connect to the device. You do not query its registers. You document what is in the banner and you move to disclosure.
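
An added example of step 1 as a scripted check (my illustration, not part of the survey tooling): it scores one finding on the three filters above using only what the engines already returned, and it never connects to the host, in keeping with step 3. The hosting ASNs are real as I know them but should be verified against PeeringDB; the two Conpot strings are default identifiers from that honeypot's stock Siemens template as I have seen it shipped, which is an assumption to verify; the findings themselves are constructed.

```python
"""Step-1 triage for a single finding: is this banner a genuine exposure or a honeypot?
Added example; it uses only fields the search engines already returned and never
touches the host. The findings below are constructed (RFC 5737 ranges)."""
from dataclasses import dataclass, field

# Commercial hosting ASNs where research honeypots cluster. Real ASNs as I know them,
# but verify against PeeringDB and extend with whatever your own survey keeps hitting.
CLOUD_HOSTING_ASNS = {"AS14061": "DigitalOcean", "AS20473": "Vultr",
                      "AS63949": "Linode", "AS16276": "OVH"}

# Identifiers from the Conpot honeypot's stock Siemens template (assumption: verify
# against the template version currently shipped before relying on them).
CONPOT_TELLS = ("technodrome", "mouser factory")


@dataclass
class Finding:
    ip: str
    port: int
    asn: str
    tags: tuple = ()                                # Shodan result-card tags
    banners: dict = field(default_factory=dict)     # engine name -> banner text


def canon(banner):
    """Collapse case and whitespace so cosmetic differences between engines do not count."""
    return " ".join(banner.lower().split())


def triage(f):
    """Return (verdict, reasons). Scores add up; 3 or more means treat it as a honeypot."""
    reasons, score = [], 0
    if f.asn in CLOUD_HOSTING_ASNS:
        reasons.append(f"{f.asn} is {CLOUD_HOSTING_ASNS[f.asn]}, not an operator or enterprise ASN")
        score += 2
    if "honeypot" in {t.lower() for t in f.tags}:
        reasons.append("Shodan tags the result as a honeypot")
        score += 3
    banners = {engine: canon(text) for engine, text in f.banners.items()}
    if any(tell in text for text in banners.values() for tell in CONPOT_TELLS):
        reasons.append("banner carries a stock Conpot identifier")
        score += 3
    if len(banners) == 1:
        reasons.append(f"only {next(iter(banners))} reports this service; unconfirmed elsewhere")
        score += 1
    elif len(set(banners.values())) > 1:
        reasons.append("engines disagree on the banner content")
        score += 1
    if score >= 3:
        return "likely-honeypot", reasons
    return ("second-look", reasons) if score else ("consistent", reasons)


# Constructed findings exercising each branch.
DECOY = Finding("203.0.113.5", 102, "AS14061", tags=("honeypot",), banners={
    "shodan": "Plant identification: Mouser Factory\nSystem name: Technodrome",
    "censys": "plant identification: mouser factory   system name: technodrome",
})
UNCONFIRMED = Finding("198.51.100.20", 502, "AS9299", banners={"shodan": "Modbus unit id: 1"})
CONFIRMED = Finding("198.51.100.21", 502, "AS9299", banners={
    "shodan": "Modbus  unit id: 1\nDevice: water-telemetry-rtu",
    "censys": "modbus unit id: 1 device: water-telemetry-rtu",
})

if __name__ == "__main__":
    for finding in (DECOY, UNCONFIRMED, CONFIRMED):
        print(finding.ip, finding.port, *triage(finding))
```

A "second-look" verdict is not a dismissal: a single-engine hit is where the freshly exposed devices live, so it goes back into the queue for a re-check on the next crawl rather than into the bin.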

Category 2: Government infrastructure

The .gov.ph zone is the cleanest pivot point. A few productive searches:

I share a screenshot for one sample query; you can experiment with the others or come up with your own specific queries.

ssl.cert.subject.cn:*.gov.ph
ssl.cert.subject.cn:*.gov.ph -port:443
hostname:.gov.ph
http.title:"Sign in" hostname:.gov.ph
http.title:"login" hostname:.gov.ph

The second query, TLS certificates on ports other than 443, is the surprising one. Government TLS endpoints on unusual ports are routinely admin panels, management interfaces, or staging environments that nobody remembered to firewall after deployment. Exposed FTP is also still common.

For Censys:

host.services.cert.names: ".gov.ph"

For ZoomEye

The exposure patterns in this category tend to be:

  • Legacy web admin interfaces with no MFA
  • File shares with directory listing enabled
  • Sharepoint and Exchange instances on unsupported versions
  • Network device management on the public side of the firewall
  • VPN gateways exposing version-banner information that reveals known-vulnerable firmware

The disclosure pathway here is NCERT-PH first, then the agency directly if the response window allows.

Also notable: Zimbra is very common across government agencies.

Category 3: Remote access infrastructure

This is the largest category by volume. It is also the most over-attributed: practitioners new to Philippine infrastructure tend to assume that exposed RDP and VDI gateways must be BPO infrastructure because the Philippines is a BPO country. The protocols themselves are sector-agnostic. Banks, GOCCs, manufacturers, universities, hospitals, and BPOs all run Citrix, VMware Horizon, and Outlook Web Access. Shodan tells you what is exposed; it does not tell you which sector the tenant operates in.

I share a screenshot for one sample query; you can experiment with the others or come up with your own specific queries.

port:3389 country:PH
port:443 product:"Citrix" country:PH
http.title:"Outlook Web App" country:PH

For Censys:

host.services.port: 3389 and host.location.country: "Philippines"
host.services.software.product: "Citrix" and host.location.country: "Philippines"
host.services.http.response.html_title: "Outlook Web App" and host.location.country: "Philippines"

For ZoomEye:

port="3389" && country="Philippines"
app="Citrix" && country="Philippines"
title="Outlook Web App" && country="Philippines"

The findings are not exotic. They are exposed. The risk is concentrated in three areas: RDP on the public internet without a VPN in front of it, Citrix and VMware gateways running outdated software with known CVEs, and Outlook Web Access endpoints that lack modern authentication or conditional access.

Sector attribution is the second pass, not the first. Certificate subjects, the organisation field on Shodan, reverse DNS, and known IP ranges from PeeringDB are what move a finding from "exposed RDP somewhere in the Philippines" to "exposed RDP at a named entity I can disclose to". The BPO sector does appear heavily once you do that pass, because BPOs do expose a lot of remote access by design. But the same query also pulls back banks, schools, factories, and small clinics. Defender education needs to land wherever the protocols land, not only where the practitioner expected them to.

Category 4: Telecommunications infrastructure

Telco exposure is a sensitive area because the operators are the entities you would normally disclose through, not to. The findings here tend to be customer-premises equipment and back-office infrastructure rather than carrier-grade equipment, but the brand attribution lands on the telco regardless.

I share a screenshot for one sample query; you can experiment with the others or come up with your own specific queries.

country:PH product:"RouterOS"
country:PH product:"Huawei"
port:23 country:PH
port:5060 country:PH

For Censys:

host.services.software.vendor: "Huawei" and host.location.country: "Philippines"
host.services.port: 23 and host.location.country: "Philippines"
host.services.port: 5060 and host.location.country: "Philippines"

For ZoomEye:

app="Huawei" && country="Philippines"
port="23" && country="Philippines"
port="5060" && country="Philippines"

The combination of port 23 (Telnet) and country:PH still returns results in 2026, which should not be the case in any country with a functioning telecommunications regulator. The disclosure path is the operator's NOC or security team directly, with NCERT-PH as the escalation point if the response is slow.

Category 5: Banking and fintech

This category is the one where I will be most circumspect. The BSP, through its Information Technology Risk Management framework and BSP Circulars 982 and 1019, has prescriptive cybersecurity requirements for supervised financial institutions. Exposure here is rare and when it appears it tends to be third-party adjacent: e-money issuers, payment processors, lending app backends, and the occasional rural bank whose IT outsourcing has not kept up.

The methodology is the same as the other categories. The disclosure path is different: BSP Cybersecurity Surveillance Division, often via the supervised entity's compliance officer, sometimes via NCERT-PH if the affected entity is non-cooperative. Document carefully and proceed slowly. Banking-sector disclosures get litigated; consumer-facing ICS does not.

Category 6: Building management and IoT

This is the "Who Would Put a Printer on the Internet" category in a Philippine accent. The findings are similar to what you would see anywhere in the world: IP cameras with default credentials, building automation controllers, network printers, smart-home gateways. The signal here is not so much "this country has a problem" as "the same global problem applies here, and the disclosure is on a per-owner basis".

I share a screenshot for one sample query; you can experiment with the others or come up with your own specific queries.

port:554 country:PH
product:"Hikvision" country:PH
product:"Dahua" country:PH
http.title:"Webcam" country:PH

For Censys:

host.services.port: 554 and host.location.country: "Philippines"
host.services.software.product: "Hikvision" and host.location.country: "Philippines"
host.services.software.product: "Dahua" and host.location.country: "Philippines"

For ZoomEye:

port="554" && country="Philippines"
app="Hikvision" && country="Philippines"
app="Dahua" && country="Philippines"


The largest concentrations cluster around dense commercial real estate in Makati, BGC, Ortigas, and Cebu IT Park, which is a logical consequence of where the building stock with addressable IoT is.

Category 7: Cloud and other misconfigurations

For cloud or general server misconfigurations, Shodan and Censys are less useful than purpose-built tooling. GrayhatWarfare's S3 bucket search, public Azure container scanners, and direct enumeration of cloud DNS zones tend to be more productive. The attribution problem is harder here: a misconfigured S3 bucket lives at an AWS IP, not a Philippine one, so the country filter does nothing. Attribution comes from bucket-name patterns, embedded organisation references in object metadata, and TLS certificate subjects on hosted services.

This is the category most likely to yield a National Privacy Commission referral if personal data is exposed, so the disclosure pathway forks: NCERT-PH for the technical fix, NPC for the data-protection regulatory side, the data controller for both.

port:27017 country:PH product:"MongoDB"
port:9200 country:PH product:"Elastic"
port:6379 country:PH product:"Redis"
port:2375 country:PH
port:6443 country:PH

For Censys:

host.services.software.product: "MongoDB" and host.location.country: "Philippines"
host.services.software.product: "Elasticsearch" and host.location.country: "Philippines"
host.services.software.product: "Redis" and host.location.country: "Philippines"
host.services.port: 2375 and host.location.country: "Philippines"
host.services.port: 6443 and host.location.country: "Philippines"


For ZoomEye:

app="MongoDB" && country="Philippines"
app="Elasticsearch" && country="Philippines"
app="Redis" && country="Philippines"
port="2375" && country="Philippines"
port="6443" && country="Philippines"


The responsible disclosure pipeline

A survey without a disclosure pipeline is a target list. Operation Liwanag is the pipeline.

Step 1: Identify the owner

Owner identification is the work. WHOIS, certificate subjects, reverse DNS, BGP routing, and entity resolution through tools like CrimeWall, Maltego, or open-source equivalents. For every finding, you need a named contact, an email address, and ideally a verified security.txt or vulnerability disclosure policy.

Step 2: Choose the disclosure channel

The Philippine disclosure landscape, as of mid-2026, looks like this:

  • NCERT-PH / CERT-PH: National CERT under the DICT Cybersecurity Bureau. Reachable at [email protected] and (02) 920 0101 local 1002. They are the catch-all if you cannot identify the owner or the owner is non-responsive.
  • CICC: Cybercrime Investigation and Coordinating Center, the law-enforcement-adjacent body. Engage them when there is a criminal dimension (active exploitation, evidence of compromise), not for routine exposure.
  • NPC: National Privacy Commission, for any finding that involves exposed personal data of identifiable individuals. The NPC operates under the Data Privacy Act of 2012.
  • BSP Cybersecurity Surveillance: for supervised financial institutions.
  • Sectoral CERTs: as established under the National Cybersecurity Plan 2023-2028, sectoral CERTs are forming for banking, telco, and energy. Coverage is incomplete; default to NCERT-PH if unsure.
  • The owner directly: always the first step when identifiable. A security.txt at the apex domain is the ideal channel. In its absence, security@, abuse@, or the published incident response contact.

Step 3: Disclose with a timeline

Use a standard responsible disclosure timeline. The defaults I publish to in my own work:

  • 90 days for non-critical exposure
  • 30 days for actively exploitable vulnerabilities with public exploit code
  • 7 days for active exploitation in the wild

The clock starts when you have made first contact and received an acknowledgement. If the owner is unresponsive, escalate to NCERT-PH at day 14, and publish a redacted advisory at day 90 regardless. The point of the timeline is to create accountability, not to punish slow patchers.

Step 4: Publish carefully

When you publish, the standard is the same one this post follows. No named targets. No specific IPs. No proof-of-concept code for active vulnerabilities. The advisory describes the category, the methodology, the volume, and the disclosure outcome. It does not give the next attacker a head start.

What practitioners and defenders should actually do

If you are a defender working inside a Philippine organisation, the takeaway is straightforward and uncomfortable: run these queries on your own ASN. Whatever ASN you announce, whatever blocks you own, the methodology in this post applies to you first. The first time you point Shodan at your own org filter, you will find something that you did not know was exposed. Everyone does. The question is whether you find it before someone else does.

Establish a Shodan Monitor for your ranges. Set up alerts on new banners in your space. Publish a security.txt at your apex domain so that practitioners running surveys like this one have a place to send findings.
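
The disclosure pipeline leans on security.txt twice, as the "verified" contact in Step 1 and the preferred channel in Step 2, and the advice above asks operators to publish one. A malformed or expired file misdirects both sides, so here is an added example (mine, not from the original post) that checks a security.txt against the RFC 9116 rules a disclosure pipeline cares about: at least one Contact URI with a valid scheme, exactly one Expires that has not passed, and an https Canonical. The sample files are constructed; the check is syntactic and does not fetch /.well-known/security.txt or verify a signature.

```python
"""Check a security.txt (RFC 9116) before trusting it as a disclosure channel or
publishing your own. Added example; the sample files are constructed, and the check
is syntactic only (it does not fetch the file or verify a signature)."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
# Fixed clock so the examples are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def parse(text):
    """Return (fields, errors); fields maps a lower-cased name to its list of values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate(text, now=NOW):
    """Return {'errors': [...], 'warnings': [...]}; an empty errors list means usable."""
    fields, errors = parse(text)
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name.title()}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name.title()} must appear at most once")
    for uri in fields.get("contact", []):
        if not uri.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"Contact must be a mailto:, https:// or tel: URI, got {uri!r}")
    for uri in fields.get("canonical", []):
        if not uri.lower().startswith("https://"):
            errors.append(f"Canonical must be an https:// URI, got {uri!r}")
    for stamp in fields.get("expires", [])[:1]:
        try:
            when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an RFC 3339 timestamp: {stamp!r}")
            continue
        if when.tzinfo is None:
            errors.append("Expires must carry a timezone offset")
        elif when <= now:
            errors.append("Expires has passed; treat every contact in the file as stale")
        elif when - now > timedelta(days=365):
            warnings.append("Expires is more than a year out; RFC 9116 recommends less")
    return {"errors": errors, "warnings": warnings}


# Constructed samples: one usable file, one that would mislead a disclosure pipeline.
GOOD = """# constructed example, not a real organisation's file
Contact: mailto:security@example.org
Contact: https://example.org/vdp
Expires: 2027-01-31T23:59:00Z
Preferred-Languages: en, fil
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/vdp
"""
BAD = """Contact: security@example.org
Expires: 2024-01-01T00:00:00Z
Expires: 2025-01-01T00:00:00Z
Canonical: http://example.org/.well-known/security.txt
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, validate(text))
```

Run it against your own apex domain's file once a quarter: an Expires that has quietly lapsed is the most common way a working contact turns into a dead letter, and a bare address without mailto: is the second.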

If you are a practitioner doing OSINT work in or against the Philippines, the takeaway is different. The exposure picture is bad but not exceptional. The disclosure infrastructure exists but is under-utilised. The community of people willing to do the unglamorous, unpaid work of running surveys, identifying owners, and pushing disclosures through to closure is small. It needs to be larger.

If you are sitting in NCERT-PH and reading this, the request is the same one every national CERT gets from its security research community: a clear, published vulnerability disclosure policy with a guaranteed acknowledgement window. Three working days would put you ahead of most of ASEAN. Five would be acceptable. The current implicit policy of "send an email and hope" is the friction that keeps the Operation Liwanag pipeline narrower than it should be.

What comes next

This is the first post in what I intend to be a recurring exposure survey series on this blog. The cadence will be quarterly. The categories will rotate. The methodology will remain transparent and reproducible. Every survey will publish aggregate findings, the disclosure outcomes from the prior quarter, and a public ledger of how many findings were closed, how many remain open, and how many were escalated.

Bantay-Eye, the survey tool I mentioned earlier, will land on GitHub before the next instalment. It will be a Python utility, with rate-limited polite-mode defaults and a built-in disclosure-template generator. It will not include exploit code, target enumeration, or anything that turns a defensive tool into an offensive one.

The Philippine attack surface is public. The question this country has not seriously asked is whether we are willing to look at it before someone less friendly than the OSINT community does. Operation Liwanag is one practitioner's answer.

The light is on. Let me know what you find.


If you operate Philippine infrastructure and want to know whether you appear in the Operation Liwanag dataset, contact me directly through the OSINT-PH channels listed on the About page. Findings will be shared confidentially with verified owners ahead of any public advisory.