Article

30 Jul 2024

Author:
Jonathan Rozen, Committee to Protect Journalists

Proxy providers & data centers linked to cyberattacks undermining press freedom, report finds


"Cyberattackers use easily available tools to target media sites, threaten press freedom", 30 July 2024

When exiled Russian news website Meduza was hit with a flood of internet traffic in mid-April, it set off alarm bells among the staff as the deluge blocked publishing for more than four hours and briefly rendered the site inaccessible for some readers. It was the largest distributed denial of service (DDoS) attack in Meduza’s 10-year history.

...

To source and direct online traffic en masse, attackers often use a combination of these tools, including:

  • Proxy providers offering access to IP addresses, which are unique numbers assigned to internet-connected devices;
  • Other marketplaces where IP addresses are leased or re-sold; and,
  • Data centers that host and route online traffic.

Experts told CPJ that such tools, offered openly by for-profit companies, can make cyberattacks particularly difficult to defend against. Their use appears to be part of an emerging censorship strategy that poses a serious transnational threat to press freedom and access to information. 

...

Proxy service attacks: ‘You really need to think fast’

Amy Brouillette, advocacy director at the International Press Institute (IPI), a global press freedom group based in Vienna, told CPJ that she initially thought the group’s website was broken when a DDoS attack knocked it offline for three days in early September 2023. The timing was eerie: the group had recently published a report about similar cyberattacks targeting over 40 Hungarian news sites. 

The attacker targeting IPI used the services of proxy providers, which aren’t by definition malicious; their services are used for online research, security, and privacy protection. But they have also been abused. In March, French telecom company Orange warned that proxy providers are part of a “financially motivated cybercrime ecosystem.” 

...

Qurium, a Sweden-based non-profit that hosts websites of independent media and human rights groups, found that the attack on IPI, as well as several Hungarian news sites, “weaponized” services of a proxy provider called White Proxies, also known as White Solutions. 

In the Meduza attack, Qurium also identified the use of at least two proxy providers: Vietnam-based MIN Proxy and Hong Kong-based RapidSeedBox.

Qurium does not host IPI or Meduza, but collaborated with them to investigate the attacks. 

CPJ emailed White Proxies questions about the use of its services in DDoS attacks, but received no response. 

“[W]e immediately notified the client who was using our IP ranges…[and] worked with them mutually to immediately block the actual client who rented the IPs from which the attacks came,” RapidSeedBox product manager Yuri Meshalkin told CPJ by email, explaining the company’s reaction upon learning of the attack on Meduza, but declined to disclose any client information.  ...

CPJ sent emails to addresses listed on MIN Proxy’s websites but received error messages in reply. Questions sent via messaging app to a number listed on a Facebook page for the company were not answered directly; instead, the respondent accused CPJ of “planning to scam” them. 

Other media sites have been similarly targeted: In October 2023, attackers used services of two proxy providers – U.S.-based RayoByte and FineProxy, founded in Russia – to flood Philippines news site Rappler, which is headed by Nobel laureate and CPJ board member Maria Ressa. CPJ previously reported that RayoByte’s services were used in DDoS attacks on at least six other media sites around the world.

RayoByte and its parent company Sprious confirmed receipt of CPJ’s emailed questions about the attack on Rappler, but did not respond further. ...FineProxy did not respond to CPJ’s emailed questions about its services being implicated in attacks on Rappler and websites reporting on Azerbaijan.

Qurium said both companies responded to abuse reports by blacklisting the victimized websites, and “refusing to help identifying the customer behind the DDoS.”

...

Why it’s hard to fight proxy-enabled DDoS attacks

Experts told CPJ that standard strategies for defending against DDoS attacks involve analyzing incoming traffic to see which IPs are overwhelming the site, where they are coming from, and determining how to block them most efficiently without blocking legitimate site visitors. 

...

Attacks can give clues to who is responsible

Neither the staff of the targeted websites, nor the people defending them, have been able to confirm who is responsible for the attacks. But by analyzing the traffic, clues emerge.

As Jović defended IPI, he recognized what appeared to be a message from the attacker: “HanoHatesU.” The phrase was embedded in many of the URLs used as requests to visit the site and ironically allowed him to successfully identify and filter the malicious traffic. It was the same cryptic message seen in attacks on some of the Hungarian sites earlier that year, suggesting a link between the incidents.
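The filtering approach described above, as an added Python illustration that is not part of CPJ's article or of any tooling used by the defenders: it looks for a URL token that arrives from many distinct source IPs, then compares filtering on that token with blocking the source IPs. The log lines, the position of the marker inside the URLs, and all function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; IPs are from documentation-only ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2023:10:00:01 +0000] "GET /news/report?HanoHatesU=4821 HTTP/1.1" 200 512
198.51.100.7 - - [08/Sep/2023:10:00:01 +0000] "GET /?HanoHatesU=9930 HTTP/1.1" 200 512
203.0.113.55 - - [08/Sep/2023:10:00:02 +0000] "GET /about?HanoHatesU=1175 HTTP/1.1" 200 512
192.0.2.99 - - [08/Sep/2023:10:00:02 +0000] "GET /?q=HanoHatesU7712 HTTP/1.1" 200 512
203.0.113.20 - - [08/Sep/2023:10:00:03 +0000] "GET /news/report HTTP/1.1" 200 8841
198.51.100.7 - - [08/Sep/2023:10:00:04 +0000] "GET /about HTTP/1.1" 200 3120
203.0.113.21 - - [08/Sep/2023:10:00:05 +0000] "GET /search?q=press+freedom HTTP/1.1" 200 2210
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
WORD_RE = re.compile(r"[A-Za-z]{6,}")  # alphabetic runs long enough to be a marker

def parse(lines):
    """Yield (client_ip, url) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def shared_tokens(lines, baseline=frozenset(), min_ips=3):
    """Tokens absent from normal traffic that arrive from many distinct IPs."""
    ips_by_token = defaultdict(set)
    for ip, url in parse(lines):
        for tok in set(WORD_RE.findall(url)) - baseline:
            ips_by_token[tok].add(ip)
    return {t: len(ips) for t, ips in ips_by_token.items() if len(ips) >= min_ips}

def split_by_token(lines, token):
    """Return (flagged, kept) request lists using a URL-content match."""
    flagged, kept = [], []
    for ip, url in parse(lines):
        (flagged if token in url else kept).append((ip, url))
    return flagged, kept

def collateral_of_ip_block(lines, token):
    """Clean requests that blocking every flagged source IP would also drop."""
    flagged, kept = split_by_token(lines, token)
    bad_ips = {ip for ip, _ in flagged}
    return [(ip, url) for ip, url in kept if ip in bad_ips]

if __name__ == "__main__":
    print(shared_tokens(SAMPLE_LOG, baseline={"report", "search"}))
    print(collateral_of_ip_block(SAMPLE_LOG, "HanoHatesU"))
```

In the constructed sample, one address sends both a flagged and an ordinary request, so an IP-based block would drop a legitimate visit that the token filter keeps.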

Lundström has also detected patterns. Proxy providers often source and route IP addresses via other companies, and Qurium reported that services from some of the same companies, including data centers operated by UK-based A1 Network Exchange, were used in the attacks against Meduza, IPI, and Hungarian media.

CPJ emailed Shakib Khan, A1 Network Exchange’s director, at addresses publicly listed for the firm and its parent company, HostCram, which Khan heads and is registered in the U.S., but received no response.

The attack on IPI similarly used services of several companies, including five specialized in IP address leasing and re-selling. Addresses leased from one of those companies – U.K.-based IPXO – appeared in DDoS attacks in August 2023 targeting media sites covering news in Somalia, Turkmenistan, and Kosovo. Lundström also noticed that IPs used to attack IPI were used the same day, September 8, 2023, in a DDoS attack against the Philippines-based Bulatlat news site.

IPXO did not respond to CPJ’s questions about the use of IPs sourced via its leasing service to attack IPI, but told Qurium that it would “inform their client so they can suspend the attacker.” Following CPJ’s reporting on the August attacks, IPXO said in an email that it expected lessees of its IP address to “take appropriate action to cease and prevent any abusive or unlawful activities” and may take further action depending on a lessee’s conduct. ....

Lundström believes that companies should not protect the identities of their clients that use their services to launch such attacks. So far, none have cooperated in this way and some even hide using U.S.-based shell companies.

Though they don’t have confirming evidence, staff at Meduza believe the Russian government ordered the large-scale attack on their site. It came just days before Russian authorities initiated legal proceedings against Meduza’s head, Galina Timchenko, and two other reporters for the outlet. Cyberattacks often happen alongside other assaults on journalists’ freedom and safety. 

...
