Fredrik Laurin, August 2023
Being shot by al-Shabaab or arrested by the regime are only two dangers facing Somali journalists. More than 50 media workers have been killed since 2010. Now the digital war has arrived in Somali newsrooms. In late August the regime-critical website Somali Journalists Syndicate was hit by a massive DDoS attackA distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. from over 20,000 unique IP addresses.
“Friday night, on the 12th of August, I went to bed after doing some work online. It was a normal night, I had been talking to my colleague Mohammed Bulbul in Somalia. We were working on an investigation about corruption in the police in Mogadishu. We were also discussing threatened journalists,” says Abdalle Mumin, Secretary-General and co-founder of Somali Journalists Syndicate.
What he didn’t know as he went to bed in his house in York, England, was that a major DDoS attack had started against sjsyndicate.org.
“On Saturday morning when I woke up, there was an email from our hosting company Hostgator saying that there is high volume of malicious traffic coming in and they think that this is an attack,” says Mumin.
Hostgator monitored the situation but was soon overwhelmed by tens of thousands of independent IP addresses calling sjsyndicate.org at increasing speed. Other customers’ traffic was being affected and the hosting company took sjsyndicate.org offline.
“We waited for 24 hours. Then our email system was not accessible. Now we could neither send emails nor access the website. It was madness. What could we do?”
Communicating over Gmail and WhatsApp, Mumin and his colleague Mohammed in Mogadishu decided to change hosting provider. The new provider could offer some protection through Cloudflare. But it wasn’t enough.
“So much malicious traffic leaked in anyway that the sever was overwhelmed and became unreachable. People started calling, asking if the government had closed us down or what was happening,” says Mumin.
Somali Journalists Syndicate is an independent journalists’ trade union that speaks for journalists’ human rights. “SJS is all about press freedom. We can’t be offline just like that. Then there is no press freedom,” says Mumin.
“Then Committee to Protect Journalists (CPJ) sent a message asking for our annual report. And I could only say that ‘Oh my God, we cannot access the website or any material on our servers.’” CPJ then told Mumin about Qurium and introduced us.
When the case landed on Qurium’s desk, the forensic team could soon conclude that the infrastructure being used to launch the attacks was largely coming from a so-called “ethical proxy provider” in the U.S. – “a company that promises to do good. Not evil”, says Qurium’s technical director Tord Lundström.
In this case, it was the U.S. based RayoByte, owned by Sprious LLC, that provided the vast majority of the infrastructure used in the attack.
“It is not the first time that Qurium has fingerprinted attacks sourced from Sprious LLC. In March 2023, their infrastructure was used to conduct denial of service attacks against the Kosovoan news site Nacionale.com. Sprious’s Security Operations Manager then assured us that they had ‘one of the most rigorous vetting policies in the IP address space’ and that it was ‘a rare case where someone got through.’ Well, it happened again, says Lundström at Qurium’s forensics team.
The strength of a proxy provider like RayoByte is its control over hundreds of thousands of IP addresses that are geolocated to every corner of the world. By gaining access to a pool of such IP addresses for a limited period of time – hours – it is fairly simple to deploy a large DDoS attack. The huge amount of IP addresses involved (and in turn the low rating of requests per second and IP address) makes it complex to mitigate an attack like this. In short, it was a sophisticated attack that could benefit from a large pool of IP addresses.
The investigation showed how a proxy provider like RayoByte again and again can become a facilitator of cyber attacks by allowing access to their immense pool of IP addresses.
A set of forensic reports of the attacks is available on Qurium’s website.
“The real question is why a proxy provider like RayoByte has no measures in place to stop this behavior among its customers,” says Lundström.
For SJS, the DDoS protection meant getting back online.
“Qurium’s work for SJS meant relief, mitigation, and defense against attackers in a very stressful situation. Qurium came when we needed them most,” says Mumin. “Now they are our walls, our defenders and we salute them. It is like a painkiller. When you are in pain and the doctor hands you medication, you feel super happy. We are super happy because our website is now back online again.”
While is difficult to attribute the culprit behind the denial of service attacks, it is worth mentioning the recent research on corruption within the Somali police force by SJS journalist Mohamed Ibrahim Bulbul. After publishing the report, bad turned worse.
On August 17 2023, in the midst of the massive DDoS attack, Mohammed Bulbul was detained by unidentified plain-clothed individuals allegedly linked to national intelligence and the police in Mogadishu. Bulbul, Editor in Chief of Kaab Somali TV. is at the time of writing being held incommunicado and no charges have been brought against him.
“They went for my colleague Mohammed, because they knew they could not longer reach me,” Mumin says. Since May 2023 Mumin has been a fellow at the University of York (UK) where he has established a small office to support SJS work in Somalia.
All of those attacks in the refugee camp where I grew up gave me the ambition to become a journalist because I wanted to fight injustices.
“Here in the UK I’m safe, very safe,” says Mumin.
But that hasn’t always been the case. Mumin has been a journalist for 20-something years after growing up in a displacement camp in Somalia, where his mom died of poor health and his brother was shot dead by the army militia.
“All of those attacks in the refugee camp where I grew up gave me the ambition to become a journalist because I wanted to fight injustices. I wanted to advocate for human rights, minority rights, marginalized communities.”
Mumin has been working for various media outlets, locally and internationally. After working for the Somali newspaper Qaran, he became a radio reporter at Radio Banadir then the online media company Raxanreeb.com where he became the editor.
“Raxenreeb publishes news in both Somali and English, so I became more familiar with international media,” says Mumin, who later became a stringer for both The Guardian and The Wall Street Journal in Mogadishu.
“I started writing articles that were tough. Articles that were critical to the authorities and the militia commanders running Somalia. When I went to the station in the morning to start my radio show at 8 a.m., they would call and say, ‘You are a good man. You are a good journalist. We know you, but watch your mouth. Stop criticizing us. If you don’t stop, we will kill you. We know where you live.’ I didn’t listen to that. I wanted to hit them and report on the government’s bad services and the militia calling themselves ‘part of the government.’ They take what they call tax from the people, but they don’t give any services back to the people. No security, no health, nothing. No education. Why are people giving?”
In 2015, the Al-Shabaab militia had had enough of Mumin. They tried to kill him.
“I was in the car when they shot at me three times. The bullets hit the car and I survived.”
Munin left for Nairobi, Kenya, where he stayed with his family for four years until 2019.
“I finally said, okay, let me go back to Somalia and see if I can start something new that can speak out for the people.”
So in May 2019 he co-founded the Somali Journalist Syndicate and started to report on press freedom and corruption, working with international support from organizations like Amnesty International and CPJ to highlight the worsening security and human rights situation for Somali journalists. Not what the authorities wanted to hear.
“They said, this guy has returned and this is what he’s doing.”
In October 2022, the government detained Mumin at the airport when he was flying to Nairobi to visit his wife and kids. “Every two, three weeks I went to Nairobi to meet with them, but this time, the 11th of October 2022, they were waiting for me at the airport when I checked in.”
Mumin was detained in an underground cell, he says. Beaten, tortured and put on “trial.” After seven months he was able to gain his freedom and left for Kenya and then later to the UK.
“We are very active defenders of human rights. That is why the Somali government is attacking us,” says Mumin.
And Somalia needs that attention. According to Reporters without Borders, Somalia is the most dangerous country for journalists in all of Africa, with more than 50 media workers killed since 2010.
Somali Journalists Syndicate is hosted by Virtualroad.org since 2023.