One year’s research of Qurium shows how proxy and VPN providers are used to conduct DDoS attacks


Somali journalist union under DDoS attack

September 7, 2023

The Somali Journalists Syndicate (SJS) is a union with the mission to defend the rights of journalists and promote press freedom in Somalia, a country where journalists operate in a corrupt and violent environment. With more than 50 media workers killed since 2010, Somalia is the most dangerous country for journalists in Africa.

On August 11, SJS was targeted by a large denial-of-service attack and their website was brought down. When the case landed at Qurium’s desk, SJS had already had its hosting service disabled by two hosting providers as a result of the attacks.

“SJS is all about press freedom. We can’t be offline just like that. Then there is no press freedom,” says Abdalle Mumin, Secretary-General and co-founder of the Somali Journalists Syndicate.

The attacks started just days after Mohamed Ibrahim Bulbul, Information and Human Rights Officer at SJS and Editor in Chief at Kaab Somali TV, published a story that revealed corruption within the police force. On August 17th, Mohamed was detained in Mogadishu by unidentified plain-clothes individuals allegedly linked to national intelligence and the police. He has been held incommunicado since then.


Qurium’s forensic investigation reveals that the infrastructure used to launch the attacks, composed of up to 20,000 unique IP addresses, largely belongs to a so-called “ethical proxy provider”: the US-based Rayobyte, owned by Sprious LLC.

It is not the first time that Qurium has fingerprinted attacks sourced from Sprious LLC. In March 2023, their infrastructure was used to conduct denial-of-service attacks against the Kosovar news site Nacionale. Sprious’ Security Operations Manager then assured Qurium that they had “one of the most rigorous vetting policies in the IP address space” and that it was “a rare case where someone got through”. Well, it happened again.

The strength of a “proxy provider” is its control over hundreds of thousands of IP addresses geolocated to every corner of the world. By gaining access to a pool of such IP addresses for a limited period of time, it is fairly simple to deploy a large DDoS attack that is complex to mitigate: the huge number of IP addresses involved, combined with the low request rate (requests per second) of each of them, means that per-source rate limiting never triggers.
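The mitigation problem described above can be made concrete with a small detection script. The following is an added example written for this page, not code from Qurium or from the reports; it uses constructed Combined Log Format lines (the attacking sources are drawn from 10.0.0.0/8 and the legitimate visitors from TEST-NET-1, not from real SJS logs), and the user-agent strings and paths are invented. It shows that a conventional per-IP rate limit flags nothing, while the aggregate request rate and the number of distinct sources sharing one request signature (path plus user-agent) still expose the flood.

```python
"""
Added example (not Qurium's code): why a per-IP rate limit misses a DDoS
launched through a proxy pool, and what an aggregate view still catches.
All log lines are constructed sample data in Combined Log Format.
"""
import random
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["req"]
    return rec


def build_sample_log(n_attack_ips=2000, seed=7):
    """Constructed traffic over a 10 s window: n_attack_ips distinct sources
    (10.0.0.0/8, constructed) each send ONE request to '/', while three
    legitimate visitors (TEST-NET-1 addresses) each send five page views."""
    rnd = random.Random(seed)
    fmt = ('{ip} - - [11/Aug/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '200 {size} "-" "{ua}"')
    bot_ua = "Mozilla/5.0 (compatible; constructed-flood-client/1.0)"
    lines = []
    for i in range(n_attack_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        lines.append(fmt.format(ip=ip, sec=i % 10, path="/",
                                size=rnd.randint(4000, 6000), ua=bot_ua))
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/116.0"
    for j, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for k in range(5):
            lines.append(fmt.format(ip=ip, sec=2 * k, path=f"/news/article-{j}-{k}",
                                    size=rnd.randint(4000, 6000), ua=browser_ua))
    return lines


def analyze(lines, per_ip_limit_rps=5.0):
    """Compare a per-IP rate limit with aggregate and signature-based views."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    t0 = min(r["ts"] for r in recs)
    t1 = max(r["ts"] for r in recs)
    window = (t1 - t0).total_seconds() + 1.0  # inclusive of the last second
    per_ip = Counter(r["ip"] for r in recs)
    # The classic defence: block any source exceeding per_ip_limit_rps.
    flagged = [ip for ip, n in per_ip.items() if n / window > per_ip_limit_rps]
    # Aggregate view: how many distinct sources share one (path, user-agent)?
    sig_sources = defaultdict(set)
    for r in recs:
        sig_sources[(r["path"], r["ua"])].add(r["ip"])
    top_sig, top_ips = max(sig_sources.items(), key=lambda kv: len(kv[1]))
    return {
        "total_requests": len(recs),
        "unique_ips": len(per_ip),
        "window_s": window,
        "aggregate_rps": len(recs) / window,
        "max_per_ip_rps": max(per_ip.values()) / window,
        "flagged_by_per_ip_limit": len(flagged),
        "top_signature": top_sig,
        "top_signature_sources": len(top_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

With the constructed data, no source ever exceeds 0.5 requests per second, so `flagged_by_per_ip_limit` is zero, yet the server is absorbing about 200 requests per second from more than two thousand addresses, and two thousand of them share one identical request signature. A defender therefore has to key mitigation on the aggregate rate or on the shared signature (for example a challenge or rule on that path and user-agent pair) rather than on the individual source address, which is exactly what makes proxy-pool attacks expensive to handle.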

Weaponizing proxy and VPN providers

Today Qurium is releasing two reports in the investigative series Weaponizing proxy and VPN providers. The series aims to shed light on malicious or careless infrastructure providers that allow their infrastructure to be used to launch digital attacks. Over the past year, several independent media organizations, including Nacionale.com (Kosovo), Kloop (Kyrgyzstan), Peoples Gazette (Nigeria), Bulatlat (Philippines) and Turkmen News (Turkmenistan), have been targeted by attacks from the infrastructure providers revealed in the reports.

  • The first report focuses on fingerprinting the attacks against SJS and sheds light on how a proxy provider like Rayobyte gains access to immense pools of IP addresses with bogus geolocation data, and how those pools are being used for malicious purposes.

  • The second report describes how the infrastructure of VPN providers is being used in denial-of-service attacks and reveals the providers’ lack of interest in mitigating the problem.

A proxy or VPN provider that has no measures in place, or no willingness to stop malicious behavior among its customers, is a facilitator of cyber attacks.


Qurium reports: Weaponizing proxy and VPN providers

Contacts
Digital forensics: Tord Lundström <t@virtualroad.org> Technical Director
Media: Clara Zid <info@virtualroad.org> Media and Outreach Manager