Cyber attackers used US company to crash media sites

The Somali Journalists Syndicate (SJS) faced a crippling cyberattack during a precarious period. In early August, a distributed denial-of-service (DDoS) attack inundated the website of this local press freedom organization, causing it to go offline. Shortly after, Mohamed Ibrahim Osman Bulbul, an SJS staff member and editor at Kaab TV, was arrested in connection with his reporting on alleged corruption, compounding the crisis for the organization.

Abdalle Ahmed Mumin, SJS’s secretary general, described the situation as traumatic, with sleepless nights and extreme stress. The organization was unable to issue statements about Bulbul’s detention due to its disabled website.

SJS received assistance when it connected with Qurium, a Sweden-based nonprofit that hosted its website. However, a week after the initial attack, another DDoS assault targeted the website. This time, Qurium successfully shielded SJS from going offline. Qurium’s analysis of these subsequent attacks revealed that a US company, RayoByte, had provided the tools used in the attack.

Sprious, the parent company of RayoByte, informed Qurium via email that it had removed the abusive user from its network and added SJS’s website to its blacklist to prevent further targeting.

SJS was not the sole victim of DDoS attacks facilitated by RayoByte’s services. News outlets in five other countries – Kosovo, Nigeria, Kyrgyzstan, the Philippines, and Turkmenistan – have experienced similar attacks over the past two years, according to Qurium’s analysis. These incidents offer insight into online censorship efforts and the potential profit motive for private corporations.

Sprious declined to provide interviews and did not directly address written questions from CPJ. However, the company expressed deep concern about reports of its services allegedly being used in DDoS attacks and emphasized its opposition to online harassment and cyberattacks.

RayoByte, headquartered in Lincoln, Nebraska, is among the companies that sell clients access to Internet Protocol (IP) addresses for data scraping, a technique for extracting large amounts of data from websites. Although scraping is a legitimate research method, using those IP addresses to flood a website with requests rapidly and en masse, causing it to go offline, constitutes a DDoS attack.

DDoS attacks against news outlets conducting critical journalism have been documented worldwide, often accompanied by other threats to journalists’ safety and press freedom.

Qurium’s analysis indicated that it blocked nearly 20,000 IP addresses responsible for millions of requests targeting SJS’s website on August 18 and 19. Approximately 50 percent of this traffic came from RayoByte and its hosting partners, while the remainder came through various online channels, including virtual private networks (VPNs).

Attacks against Nacionale, a Kosovo-based news site, commenced shortly after it began publishing in March 2022. The attacks disrupted its ability to reach audiences, severely impacting its operations. Qurium began hosting and defending Nacionale in September 2022 and notified Sprious in March and April 2023 of attackers using its services against the outlet.

Sprious responded by blacklisting access to Nacionale’s website and barring the responsible user. However, RayoByte-sourced traffic continued to be used in DDoS attacks against Nacionale in July and August, despite the arrest and prosecution of one individual connected to the cyberattacks.

Besides DDoS attacks, Nacionale’s staff has experienced constant online harassment and physical attacks on the job, underscoring the toll such pressure takes on journalists.

Qurium has also identified DDoS attacks involving RayoByte’s IP addresses against four other outlets: Peoples Gazette from Nigeria, Kloop from Kyrgyzstan, Bulatlat from the Philippines, and Turkmen.news, which reports on Turkmenistan from exile.

Sprious stated that it investigates reports of DDoS attacks involving its services and takes appropriate actions, including blacklisting associated domains and removing abusive users. However, the company did not directly respond to CPJ’s questions regarding the customers responsible for these attacks and their specific responses in each case.

While proxy and VPN services have legitimate uses in preserving online privacy and security, their weaponization in DDoS attacks presents a challenge. Gabe Rottman, director of the Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press, stated that DDoS attacks are illegal under the US Computer Fraud and Abuse Act but providing services used in DDoS attacks is not necessarily illegal.

Service providers can take steps to mitigate such abuses, such as notifying authorities and stopping malicious users from accessing their services. However, Sprious has yet to respond to Qurium’s emails concerning these attacks.

Despite ongoing attacks, SJS remains resilient and committed to its mission, with Abdalle expressing confidence that the organization can continue to operate effectively both online and in Somalia.
