For 25 consecutive days beginning July 29, the website of human rights alliance Karapatan was subjected to a cyber attack aimed at taking it down. The “unprecedented” attack targeted the website’s resource folder, where the reports on human rights abuses in the Philippines are stored.
“Billions of requests, thousands of dollars spent on feeding garbage 24/7, night and day. They just kept going and going and going,” said Tord Lundstrom, a Swedish cyber security expert.
Lundstrom is technical director of Qurium Media Foundation, a Swedish non-profit digital security solutions provider that made a detailed forensic investigation into a “sophisticated, well-resourced dedicated” distributed denial-of-service (DDoS) attack against the website of Karapatan.
It was Lundstrom’s team that tracked and analyzed the DDoS attacks that used botnets – networks of infected devices – proxied through 30,000 bots in Russia, Ukraine, Indonesia and China. The bots directed millions of requests to the page karapatan.org/resources, where Karapatan stores its human rights violations reports.
After making a detailed forensic investigation, Qurium issued a report titled “Israeli firm ‘Bright Data’ (Luminati Network) enabled the attack against Karapatan.”
The onslaught against Karapatan was remarkable for the volume of requests and the relentlessness of the attack, leaving Lundstrom and his team exhausted as they worked around the clock to mitigate it, according to a report by Peter Guest, editor of Rest of the World, which reports on global technology developments.
“Ten years that we’ve been in this space, we have never seen [anything like] this,” Lundstrom acknowledged. “It’s almost, like, psychotic, you know? It’s almost sick.”
Qurium was able to trace thousands of IP addresses used in the cyber attack to Bright Data. The latter denied any involvement in the attack, but Qurium has shown correspondence from the firm which read: “We did find customers who were targeting this [Karapatan] website.” There’s no practical way that IPs from inside Bright Data’s network could be involved in the attack, Lundstrom pointed out, “unless the company’s infrastructure was being used.” Later the company claimed it had already blocked the reported domain (the Karapatan website) for all its customers.
The Israel-based firm, previously known as Luminati Network, rebranded to Bright Data last March. It offers proxy networks and data services to mobile operators, data centers and residential buildings, which Qurium said was “a perfect infrastructure to hide the source of the DDoS attacks.”
“The nature of the attack means that it was paid for, if not to Bright Data, then to another provider,” Guest pointed out. “Based on the amount of traffic (requests) that has been directed to Karapatan’s website, and typical rates, Qurium estimated that the attack could have cost at least $260,000 – meaning that someone, somewhere, is willing to spend serious money to take Karapatan offline.”
“This is not for free,” Lundstrom said. “We know that it’s not a kid playing computer games that has decided…to have some fun. This is something different. You don’t do this for three weeks in a row if you don’t have the resources.”
Who could have paid for the cyber attack? Pointing to the timing of the attack, Karapatan has declared: “We see no other actor who would do that with the resources, with the motivation, or who (would) benefit most from our website being taken down, except for the government.”
On Aug. 16, the anniversary of the extrajudicial killing of human rights worker Zara Alvarez in Bacolod City, Karapatan launched an online campaign, #StopTheKillings PH, to draw attention to violence against human rights defenders. On that day, Qurium observed the DDoS attack had “ramped up a notch.”
Karapatan also noted a connection: Online attacks happen “during critical or big campaigns that we have – on Stop the Killings, on political prisoners and on the International Criminal Court investigation (of extrajudicial killings in the ‘war on drugs’).”
“We know whose interests these attacks serve,” said Karapatan secretary general Cristina Palabay. “Specifically targeting Karapatan’s online resources only means that these attacks were clearly trying to suppress our documentation and human rights work and, of course, the people’s right to freedom of information.”
Recall that in July 2020, Karapatan’s website and those of online journalism outlets Bulatlat and AlterMidya were briefly targeted by DDoS attacks. Qurium was then able to link those attackers to a computer registered to the Department of Science and Technology. It turned out that military intelligence groups had used the DOST computer in trying to paralyze, if not take down, the three websites.
Trying to unravel the infrastructure used in the latest attack, the Qurium team recorded all the IP addresses sending requests to the Karapatan website, and determined which of them were so-called “open proxies” – publicly available machines that are often used to amplify and mask attacks – or other commonly used infrastructure. They found that two-thirds of them were.
Tracking down around 8,000 of the 30,000 IP addresses to a small number of places, they also found them coming in a regular pattern. Lundstrom observed: “That’s what made us believe [the attack] was something bought privately. The traffic was hitting the site in dense bursts, and the IPs were being renewed hourly.” Looking deeper at the requests, the Qurium team found that a lot of the proxies had the name “Luminati.”
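The hourly renewal of source addresses described above can be measured from a web server's own access log. The sketch below is an added example, not Qurium's tooling and not part of the original article; the log lines, function names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Common Log Format; documentation-range IPs, not real data.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:09:05:11 +0000] "GET /resources HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2024:09:05:11 +0000] "GET /resources?x=1 HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:09:05:12 +0000] "GET /resources HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:09:40:00 +0000] "GET /about HTTP/1.1" 200 900
198.51.100.20 - - [01/Jan/2024:10:02:30 +0000] "GET /resources HTTP/1.1" 200 512
198.51.100.21 - - [01/Jan/2024:10:02:30 +0000] "GET /resources HTTP/1.1" 200 512
198.51.100.22 - - [01/Jan/2024:10:02:31 +0000] "GET /resources HTTP/1.1" 200 512
198.51.100.22 - - [01/Jan/2024:11:15:00 +0000] "GET /resources HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:11:15:01 +0000] "GET /resources HTTP/1.1" 200 512
"""

# Captures: client IP, timestamp, request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')

def hourly_turnover(log_text, prefix="/resources"):
    """Per hour: request count, unique source IPs, share of IPs unseen the hour before."""
    per_hour = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith(prefix):
            continue  # unparsable line, or a path outside the targeted folder
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        per_hour[ts.replace(minute=0, second=0)].append(m.group(1))
    rows, prev = [], None
    for hour in sorted(per_hour):  # compared against the previous *observed* hour
        ips = set(per_hour[hour])
        # The first hour has no baseline, so its turnover is undefined (None).
        frac = None if prev is None else round(len(ips - prev) / len(ips), 2)
        rows.append({"hour": hour.strftime("%H:00"), "requests": len(per_hour[hour]),
                     "unique_ips": len(ips), "new_ip_fraction": frac})
        prev = ips
    return rows

def rotating_hours(rows, min_requests=3, threshold=0.9):
    """Hours with enough traffic whose source IPs were almost entirely replaced."""
    return [r["hour"] for r in rows
            if r["new_ip_fraction"] is not None
            and r["requests"] >= min_requests
            and r["new_ip_fraction"] >= threshold]

if __name__ == "__main__":
    for row in hourly_turnover(SAMPLE_LOG):
        print(row)
```

Organic visitors tend to recur across adjacent hours, so a sustained run of high-volume hours with a near-total change of source addresses is the signature worth escalating.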
Lundstrom warned that the type of attack against Karapatan could become “increasingly commoditized” as countries with weak regulations and poor network security…could have their compromised devices coopted by attackers for use in botnets.
“Well-resourced governments or organizations can simply pay $10,000-$20,000 to take content they don’t like offline,” he added.
The targets of attack, he further warned, are “civil society groups with extremely small budgets. The money invested now to take them down is definitely much, much, much larger than the money they will ever have themselves.”
So, did the Karapatan website survive?
Lundstrom mused: “This time the attackers just got unlucky that some Swedish guys who have never been in the Philippines decided to help.”
* * *
Email: satur.ocampo@gmail.com