In mid-April, the exiled Russian media website Meduza experienced its largest distributed denial of service (DDoS) attack in its 10-year history. The attack, which flooded the site with traffic and blocked publishing for over four hours, briefly rendered the site inaccessible to some readers. This event highlighted a growing trend of cyber assaults targeting media sites globally, utilizing a suite of easily accessible online tools that keep the attackers’ identities hidden.
Pavel Manylov, Meduza’s lead software engineer, recalled the chaos during the attack: “We were trying to spin up solutions… everything to continue to write news”, he told the Committee to Protect Journalists (CPJ). The site’s content management system was overwhelmed by the traffic, causing error messages and significant disruptions.
The attackers used a combination of online tools, including proxy providers, IP address marketplaces, and data centers that host and route online traffic. These tools, offered openly by for-profit companies, make it challenging to defend against such attacks. Experts warn that this emerging censorship strategy poses a serious transnational threat to press freedom and access to information. Doug Madory, director of internet analysis at Kentik, a global network monitoring company, emphasized that media outlets engaged in independent journalism but lacking resources for robust cybersecurity are particularly vulnerable.
Proxy service attacks: ‘You really need to think fast’
In early September 2023, the International Press Institute (IPI), a global press freedom group, experienced a DDoS attack that knocked its website offline for three days. This attack occurred shortly after the group published a report on similar cyberattacks targeting over 40 Hungarian news sites. The attacker used proxy providers’ services, which, although not inherently malicious, have been increasingly abused. French telecom company Orange has warned that proxy providers are part of a “financially motivated cybercrime ecosystem”.
KontraBit Development’s Žarko Jović, hired by IPI to defend its site, described the attackers’ tactics: “When the attackers see that you are comfortable with protecting yourself… they start using proxy networks”. The attack on IPI, as well as several Hungarian news sites, weaponized services from a proxy provider called White Proxies, also known as White Solutions.
Qurium, a Sweden-based non-profit that hosts websites for independent media and human rights groups, collaborated with IPI and Meduza to investigate these attacks. In the Meduza attack, Qurium identified the use of proxy providers such as Vietnam-based MIN Proxy and Hong Kong-based RapidSeedBox. Despite CPJ’s inquiries, White Proxies did not respond.
RapidSeedBox, however, claimed to have blocked the client responsible for the attack upon notification but declined to disclose any client information.
Challenges in fighting proxy-enabled DDoS attacks
Defending against DDoS attacks typically involves analyzing incoming traffic to identify and block malicious IPs without affecting legitimate site visitors. Manylov described the process during the Meduza attack as “cat and mouse”, noting the difficulty in managing traffic that appeared to come from real visitors due to the use of residential proxies.
Residential proxies are often part of malicious operations, including DDoS attacks. Microsoft identified their use in state-sponsored cyber activities, and an international law enforcement operation led by the US Justice Department disrupted cybercrime activities involving these proxies. The ability to quickly rotate IP addresses makes defending against such attacks even more complex.
The growing threat of IPv6 addresses
Qurium’s analysis of the Meduza and IPI attacks highlighted a concerning trend: the use of IPv6 addresses, which are more numerous and cheaper than the older IPv4 addresses. This makes them attractive for cybercriminals. Renting millions of IPv6 addresses can make it particularly difficult to block DDoS attacks without also blocking legitimate traffic.
IPv6’s vast pool of addresses and lower cost pose a significant threat to smaller media outlets with limited IT resources. Blocking malicious traffic can inadvertently prevent real readers from accessing a site, which cuts ad revenue and so complicates efforts to monetize journalism.
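To illustrate the defensive point made above (separating attack traffic from real readers, and why per-address blocking breaks down when an attacker rents large IPv6 pools), here is an added example that is not code from Meduza, IPI or Qurium: it counts requests from constructed log lines per IPv6 /64 prefix instead of per address, which is the usual way operators make rotating-address floods visible. The log format, the prefix lengths and the threshold are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample access-log lines ("client-ip method path"); not real traffic.
# The first five IPv6 clients differ per address but share one /64, the way a
# rotating pool rented from a single provider would.
SAMPLE_LOG = """\
2001:db8:1:1::10 GET /news/1
2001:db8:1:1::11 GET /news/2
2001:db8:1:1::12 GET /news/3
2001:db8:1:1::13 GET /news/1
2001:db8:1:1::14 GET /news/4
2001:db8:2:2::5 GET /news/1
198.51.100.7 GET /news/1
198.51.100.7 GET /news/2
203.0.113.9 GET /news/3
"""


def aggregation_key(ip_text):
    """Collapse an IPv6 address to its /64 and an IPv4 address to its /32.

    Per-address counting is defeated by an attacker who rotates through a
    large IPv6 pool. A /64 is the smallest block normally delegated to one
    host or customer, so counting per /64 groups addresses that churn together.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _client_fields(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield line.split()[0]


def request_counts_by_address(log_text):
    """Naive per-address view: every rotated address looks like a quiet visitor."""
    return Counter(_client_fields(log_text))


def request_counts_by_prefix(log_text):
    """Per-prefix view: the rotating /64 becomes a single noisy source."""
    counts = Counter()
    for client in _client_fields(log_text):
        try:
            counts[aggregation_key(client)] += 1
        except ValueError:
            continue  # malformed client field; skip rather than crash
    return counts


def flag_noisy_prefixes(log_text, threshold):
    """Prefixes at or above threshold; candidates for rate limiting, not blind blocking."""
    counts = request_counts_by_prefix(log_text)
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Prefix-level counts are a starting point for rate limiting or challenges, not an automatic blocklist: a busy /64 can also be a large legitimate network, which is exactly the trade-off the article describes.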
Identifying attackers and their motivations
Although the exact identities of the attackers remain unknown, analysis of the traffic can provide clues. For instance, during the IPI attack, Jović identified a recurring message, “HanoHatesU”, in many of the URLs, linking it to attacks on Hungarian sites. Additionally, proxy providers often source and route IP addresses via other companies. Services from companies like UK-based A1 Network Exchange were used in attacks against Meduza, IPI, and Hungarian media.
Companies like IPXO, which leases and resells IP addresses, have also been implicated. IPs leased from IPXO appeared in DDoS attacks against media sites covering news in Somalia, Turkmenistan, and Kosovo. IPXO, however, has stated that it expects its lessees to prevent unlawful activities and may take further action based on their conduct.
The impact on press freedom
The staff at Meduza suspect that the Russian government orchestrated the large-scale attack on their site. The attack coincided with legal proceedings against Meduza’s head, Galina Timchenko, and two other reporters, reflecting a broader pattern where cyberattacks accompany other assaults on journalists’ freedom and safety. Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, known as Roskomnadzor, did not respond to CPJ’s request for comment.
“The mission of journalism is to inform people, and there are many forces that want to stop that,” Madory said. “They either want to threaten a journalist or take a source of journalism offline. That works too”.
As cyberattacks on media sites become more sophisticated and difficult to defend against, the threat to press freedom and access to information grows. The use of easily available online tools by attackers underscores the need for enhanced cybersecurity measures and international cooperation to protect independent journalism.