Weaponizing proxy and VPN providers


Millions of unaccountable IPs used to silence independent media

September 2023

In this series of forensic reports – Weaponizing proxy and VPN providers – Qurium presents how known proxy and VPN providers are weaponized to conduct denial of service attacks.

In the past year, several of Qurium’s hosted organizations, including independent media from Kosovo (Nacionale), Kyrgyzstan (Kloop), Nigeria (Peoples Gazette), Philippines (Bulatlat), Somalia (Somali Journalist Syndicate) and Turkmenistan (Turkmen News), have been targeted by denial of service attacks sourced from one or multiple proxy and VPN providers. Tracing and fingerprinting these providers has been as challenging as making them understand that their business and profits cannot grow at the expense of facilitating attacks against news media outlets.

In recent years, we have witnessed substantial development of new features and technologies associated with proxies and VPNs, including the ability to frequently rotate their IP addresses and the expansion of the number of addresses by means of residential proxies. Alongside the new features aimed at improving anonymity, providers have also expanded the geographical reach of their networks, enabling their clients to conduct activities as if they were located in any part of the world.

Some of these providers keep their owners and practices undisclosed, while other businesses in the space are making a great effort to present themselves as transparent and accountable. Millions of dollars of venture capital have been poured into this space and one is left to wonder what kind of digital privacy is currently being funded.

Proxy and VPN providers promote their services for competitor and academic research, search engine rank tracking, keyword research, price monitoring, technical SEO, site audits, and content analysis, but behind these markets hide other, less ethical uses such as disinformation, click-fraud and denial of service attacks.

The asset is the weapon

The main asset of proxy and VPN providers is access to a very large pool of IP addresses that are paired to geographical locations in every corner of the world. In that way, their clients can scrape online services without being banned, or access content that would normally be restricted when accessed from their own country.

Despite the huge efforts of different residential proxy service providers to introduce ethical-washing elements in their communication strategies, our experience is that several elements in this industry remain problematic, including the sourcing of IP addresses and how abuse cases are currently handled.

During the investigation, Qurium has monitored large pools of IP addresses obtained with questionable practices and discovered that tampering with third-party geo-location data is a common practice.

Despite our efforts to notify these providers about how their infrastructure is currently being misused to conduct denial of service attacks, no tangible progress has been achieved and these attacks continue. In the past year alone, Qurium Media Foundation has reported denial of service attacks to six residential proxy providers and VPN providers.

These forensic reports aim to bring more transparency and public scrutiny into these industries and explain how proxy and VPN providers are currently weaponized to conduct attacks against independent media.

Report 1: RayoByte infrastructure enabling DDoS attacks (7 Sept 2023)

Report 2: Infrastructure of VPN providers is used to launch DDoS attacks (7 Sept 2023)

Report 3: Volatile networks as a source of Denial of Service (19 Sept 2023)

Report 4: DDoS attacks against Hungarian media traced to proxy infrastructure “White Proxies” (2 Nov 2023)

Report 5: Proxy providers weaponized to launch denial of service attack against Rappler (5 Dec 2023)

Media Coverage

[Dec 17, 2023] Inforrm’s Blog New report exposes infrastructure behind cyberattacks on IPI and Hungarian media

[Dec 12, 2023] Reuters How cybercriminals are using Wyoming shell companies for global hacks

[Dec 11, 2023] IPI New report exposes infrastructure behind cyberattacks on IPI and Hungarian media

[Dec 11, 2023] iMedia The DDoS attack against Rappler (Philippine online media) originated from the proxy servers of the United States and Russia

[Dec 9, 2023] Hackread DDoS Attacks on Rappler Linked to Proxy Service Providers in US and Russia

[Dec 8, 2023] Risky Business News Rappler DDoS attacks

[Dec 5, 2023] Rappler DDoS on Rappler shows proxy firms still used for attacks, safety measures questioned

[Sep 20, 2023] Premium Times Nigeria A wave of cyberattacks threatens media freedom, yet again

[Sep 19, 2023] CPJ ‘Network abuse’: Attacks on 3 media sites involved services of US, UK firms

[Sep 16, 2023] Blitz Cyber attackers used US company to crash media sites

[Sep 8, 2023] Risky Biz News Rayobyte’s role in DDoS attacks

[Sep 8, 2023] Eyetro Digital Unveiling the Dark Side of Proxy and VPN Providers, Rayobyte Infrastructure

[Sep 7, 2023] Mastodon – Catalin Cimpanu An investigation by the Qurium Media Foundation has found that…

[Sep 7, 2023] Peoples Gazette Cyberattackers used U.S. firm RayoByte to target Peoples Gazette, other media outlets in Africa, Europe, Asia: Report

[Sep 7, 2023] CPJ – The Torch Cyberattacks attempt to crash 6 media sites globally using U.S. company RayoByte

[Sep 7, 2023] CPJ Cyberattackers used US company RayoByte in efforts to crash media sites

[Sep 7, 2023] MyBroadband Internet addresses that Africa’s registry tried to seize used in cyberattack on African journalists

[Sep 8, 2023] Rappler Popular VPN services ExpressVPN, NordVPN, ‘ethical’ proxies used in DDoS attacks

[Aug 21, 2023] Horn Observer Cyber attack: Qurium uncovers DoS attack targeting SJS