“Billions of requests, thousands of dollars”: Inside a massive cyberattack on a Philippine human rights group

Researchers say they traced the month-long DDoS attack back to an Israeli company’s network.

By Peter Guest 25 August 2021 • Singapore

For nearly a month now, Tord Lündstrom has spent his days and nights trying to defend a website on the other side of the world from an extraordinary cyberattack.

On July 29, the site belonging to Karapatan, a human rights organization in the Philippines, was targeted by a sophisticated, well-resourced distributed denial of service (DDoS) attack. Traffic flooded in from botnets spread across the world, from Ukraine to Indonesia — all aimed at a single folder on Karapatan’s site, which hosts the group’s reports detailing extrajudicial killings in the Southeast Asian country. Karapatan has long been a target of attacks online by supporters of the Philippines president, Rodrigo Duterte.

Since then, the attack has not let up for a single moment, something that Lündstrom, the technical director of the Swedish cybersecurity nonprofit Qurium, said is unprecedented. “Billions of requests, thousands of dollars spent on feeding garbage 24/7, night and day,” Lündstrom told Rest of World. “They just keep going and going and going.”

This week, Lündstrom and his team say they were able to trace IP addresses used in the cyberattack to a network operated by Bright Data, an Israel-based company that offers proxy networks and data services to corporate clients. Bright Data has denied any involvement in the attack.

After the publication of this article, Bright Data reached out to Rest of World again, stating, “Bright Data had absolutely no connection to the reported incident, and the Qurium report is categorically false, unprofessional, and unethical. Qurium approached Bright Data just before they published the false report, and even though Bright Data showed Qurium’s researchers that their report was blatantly wrong, they chose to ignore Bright Data and the facts. Qurium acted recklessly, if not intentionally, without any effort to look into the facts Bright Data presented.”

The nature of the attack means that it was paid for — if not to Bright Data, then to another provider. Based on the amount of traffic that has been directed to Karapatan’s site, and typical rates, Qurium estimates that the attack could have cost at least $260,000, meaning that someone, somewhere, is willing to spend serious money to take Karapatan offline.

“This is not for free. We know that it’s not a kid playing computer games that has decided, you know, to have some fun. This is something different,” Lündstrom said. “You don’t do this for three weeks in a row if you don’t have the resources.”

Karapatan is being targeted by a so-called application layer DDoS attack. DDoS attacks use botnets — networks of infected devices — to flood a site with requests, overwhelming its servers and taking it offline. This attack has been proxied through 30,000 bots in Russia, Ukraine, Indonesia, and China, directing millions of requests to the page karapatan.org/resources, where the organization stores its human rights reports. 

DDoS attacks have become increasingly prevalent over the past few years, due partly to the growth of the internet in poorly-regulated jurisdictions and the proliferation of internet-of-things devices, which often lack security controls and are susceptible to being hijacked to be used in botnets, many of which are available for hire. Netscout’s 2020 internet threat report counted more than 10 million attacks worldwide in 2020. 

The onslaught against Karapatan is remarkable for the volume of requests and the relentlessness of the attack, leaving Lündstrom and his team exhausted as they work around the clock to mitigate them. “Ten years that we’ve been in this space, we have never seen this,” he said. “It’s almost, like, psychotic, you know? It’s almost sick.”

But the scale and duration of the attack has also given Qurium time to try to unravel the infrastructure that the attackers are using. 

Qurium’s team recorded all of the IP addresses sending requests to Karapatan’s site, and determined which of them were so-called “open proxies” — publicly available machines that attackers often use to amplify and mask their attacks — or other commonly-used infrastructure. About two-thirds were, but the remainder couldn’t easily be classified.

They looked into around 8,000 of the 30,000 IPs and realized that they were coming from a small number of places, and that the attacks were coming in a regular pattern. “That is what made us believe it was something bought privately,” Lündstrom said. The traffic was hitting the site in dense bursts, and the IPs were being renewed hourly. Looking deeper at the requests, Qurium said it found that a lot of the proxies had the name “Luminati.”
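The analysis steps the article describes (recording every source IP hitting the targeted path, separating known open proxies from the rest, looking for dense bursts and hourly rotation of the remaining IPs, and checking for a tell-tale proxy name) can be sketched as a small log-triage script. The following is an added example written for this page, not Qurium’s tooling or anything Bright Data provides; the log lines, the open-proxy list, the hostnames and the trailing reverse-DNS hostname field appended to each log line are all constructed assumptions.

```python
"""
Added example (not Qurium's code): triage of a web server access log for an
application-layer flood against one path. Every IP, hostname and log line
below is constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format with one extra trailing field: the reverse-DNS hostname
# of the client, which a hypothetical log pipeline is assumed to append.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)

# Constructed sample: a burst on /resources at 10:00 from one known open proxy
# and two unclassified sources, then a fresh unclassified source an hour later.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Aug/2021:10:00:01 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "Mozilla/5.0" -
203.0.113.10 - - [16/Aug/2021:10:00:01 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "Mozilla/5.0" -
203.0.113.10 - - [16/Aug/2021:10:00:01 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "Mozilla/5.0" -
198.51.100.7 - - [16/Aug/2021:10:00:01 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "curl/7.68" proxy-1.luminati.example
198.51.100.8 - - [16/Aug/2021:10:00:02 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "curl/7.68" -
192.0.2.5 - - [16/Aug/2021:10:05:00 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0" -
203.0.113.10 - - [16/Aug/2021:11:00:00 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "Mozilla/5.0" -
198.51.100.9 - - [16/Aug/2021:11:00:00 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "curl/7.68" proxy-2.luminati.example
198.51.100.9 - - [16/Aug/2021:11:00:00 +0000] "GET /resources HTTP/1.1" 200 5120 "-" "curl/7.68" proxy-2.luminati.example
"""

# Constructed stand-in for a public open-proxy list a defender would load.
OPEN_PROXIES = {"203.0.113.10"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def hits_on_path(records, path):
    """Keep only requests for the targeted path (here a single reports folder)."""
    return [r for r in records if r["path"] == path]


def classify_sources(records, open_proxies):
    """Split distinct source IPs into known open proxies and the remainder
    that needs deeper attribution work."""
    ips = {r["ip"] for r in records}
    return ips & open_proxies, ips - open_proxies


def peak_requests_per_second(records):
    """Application-layer floods show up as dense bursts: many requests for the
    same path inside one second, far beyond what a human reader sends."""
    per_second = Counter(r["ts"].replace(microsecond=0) for r in records)
    return max(per_second.values(), default=0)


def hourly_churn(records):
    """For each hour after the first, the share of source IPs not seen in the
    previous hour. Values near 1.0 mean the pool is rotated, not reused."""
    by_hour = defaultdict(set)
    for r in records:
        by_hour[r["ts"].replace(minute=0, second=0)].add(r["ip"])
    hours = sorted(by_hour)
    return {cur: len(by_hour[cur] - by_hour[prev]) / len(by_hour[cur])
            for prev, cur in zip(hours, hours[1:])}


def sources_with_hostname(records, needle):
    """Source IPs whose reverse-DNS hostname contains a given string."""
    needle = needle.lower()
    return {r["ip"] for r in records if needle in r["host"].lower()}


def triage(log_text, open_proxies, path="/resources"):
    """Run the whole pipeline and return a summary a responder can act on."""
    records = hits_on_path(parse_log(log_text), path)
    known, unknown = classify_sources(records, open_proxies)
    unknown_records = [r for r in records if r["ip"] in unknown]
    return {
        "requests": len(records),
        "known_open_proxies": sorted(known),
        "unclassified": sorted(unknown),
        "peak_per_second": peak_requests_per_second(records),
        "hourly_churn_unclassified": hourly_churn(unknown_records),
        "named_proxies": sorted(sources_with_hostname(records, "luminati")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, OPEN_PROXIES).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports a peak of four requests per second on the targeted path, one known open proxy, three unclassified sources of which every one seen in the second hour is new, and two sources whose hostname carries the string being searched for. On a real log the same three signals (burst density, hourly rotation of the unclassified pool, and a recurring hostname pattern) are what separate a hired, rotating proxy pool from a static botnet and tell a defender which sources are worth attributing further.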

Qurium has published a technical forensics report detailing their evidence, which appears to show hundreds of IP addresses associated with the Luminati network participating in the attack on Karapatan. Rest of World asked two independent experts to confirm the validity of the methodology, both of whom agreed that it was sound. One said that the findings were “weird, but also plausible.”

Luminati rebranded to Bright Data in March 2021. The company offers proxy networks for other businesses, allowing them to collect data at enormous scale, typically for market research or for targeted marketing campaigns. It achieves this by proxying its customers’ web traffic through mobile networks, data centers, and residential buildings. The company is currently embroiled in a lawsuit in Israel, in which a plaintiff alleges that Luminati is widely used for click fraud. As part of the suit, it was revealed that the spyware company NSO Group was a Luminati client.

This kind of infrastructure is rarely used in DDoS attacks, experts told Rest of World — Qurium has never seen it before — because it’s an expensive way to buy traffic. Between August 10 and August 20, Qurium researchers estimated that around 10 terabytes’ worth of traffic was directed at karapatan.org via Luminati.

Bright Data’s compliance team leader Gal Shechter denied that the company’s networks had been used in the attack.

“Bright Data confirms that it had nothing to do with such an attack and the attack did not come from Bright Data’s network,” Shechter said.

“All our customers are granted access to our products and networks following a very comprehensive compliance procedure. We also keep logs of the networks’ traffic. For this reason, we can verify and check any case thoroughly,” Shechter said over email to Rest of World. “We are happy to offer our expertise and top professionals to support or assist in identifying the actual attackers.”

However, Rest of World has seen correspondence between Qurium and Bright Data, in which the company confirmed that the IPs that Qurium had identified were indeed from within Bright Data’s network. One message read: “We did find customers who were targeting this website.”

Asked to comment on Bright Data’s denial, Lündstrom sent Rest of World a Toy Story meme reading: “Evidence. Evidence Everywhere,” along with screenshots showing the company’s product, in which it offers users proxies on Ukraine’s Kyivstar and Russia’s MegaFon, two of the mobile carriers used in the attack. There’s no practical way, he added, that IPs from inside Bright Data’s network could be involved in the attack unless the company’s infrastructure was being used.

In response, a Bright Data spokesperson said: “We provided Karapatan all details confirming that our networks and products have no connection to this incident. Our compliance team are in direct contact with Karapatan since the second we learned about the incident. Regardless, our team of experts has offered Karapatan free assistance to help identify those responsible for this attack.”

The distributed nature of the cyberattack makes it difficult to prove conclusively where it originated. But Karapatan has been a perennial target for the government of Rodrigo Duterte in the Philippines. The group has documented human rights abuses in the country, including those relating to the government’s brutal “war on drugs,” in which at least 5,000 people have been killed — human rights groups say the number is more like 12,000. In June, the prosecutor of the International Criminal Court in the Hague requested an investigation into whether the killings constitute a crime against humanity. Karapatan’s reports are routinely referenced by international human rights organizations and media investigating abuses.

In response to Karapatan’s documentation of, and campaigning against, human rights abuses under the Duterte administration, the organization has been targeted with online and offline attacks. Its members have been routinely “red-tagged” — falsely “outed” as Communists and terrorists. Several have been murdered. 

In early July 2020, Karapatan, along with two independent news outlets, Bulatlat and AlterMidya, was briefly targeted by a DDoS attack, which Qurium was able to link back to a computer registered to the Philippines Department of Science and Technology, and apparently used by military intelligence.

Whoever is behind the July-August attack hid their tracks better, but Karapatan Secretary General Cristina Palabay said the timing means there’s only really one suspect. “We see no other actor who would do that with the resources, with the motivation or who will benefit most from our website being taken down, except for [the] government,” she said.

Karapatan launched an online campaign, #StopTheKillingsPH, to draw attention to violence against human rights defenders and journalists on August 16, the anniversary of the killing of one of its activists, Zara Alvarez. On that day, the DDoS attack ramped up a notch. “It has a correlation,” Palabay said. “[Attacks happen] during critical or big campaigns that we have: on Stop the Killings, on political prisoners, or the ICC.”

Palabay said that she’s concerned by the growing frequency of attacks aimed at human rights organizations and independent media in the Philippines. The country holds elections next May, and she fears a double-pronged assault on the truth: pro-government troll networks pushing out huge volumes of disinformation on social media, while cyberattackers take authoritative, verified sources offline. That, she said, could turn the vote into “a cesspool of disinformation, [with] smears, threats not only against activists but against the political opposition.”

The nature of the attack on Karapatan has ramifications beyond the Philippines. Lündstrom expects this kind of event to be even more common, with DDoS attacks becoming increasingly commoditized. Countries with weak regulation and poor network security, including Ukraine, Thailand, and Indonesia, offer huge wells of compromised devices that can be co-opted by attackers for use in botnets. Alongside more publicly accessible botnets, which can be hired for a few hundred dollars for small-scale attacks, there are professional groups offering content removal as a service. “There’s this kind of darker space where powerful people … are willing to pay $10,000, $20,000 for some expert in x, y, z country to take down a website,” Lündstrom said.

This, he warned, creates a dangerous asymmetry, where well-resourced governments or organizations can simply pay to take content they don’t like offline. 

“These [targets] are civil society groups with extremely small budgets. The money invested now to take them down is definitely much, much, much, much bigger than the money they will ever have themselves,” Lündstrom said. “This time, [the attackers] just got unlucky that some Swedish guys who have never been in the Philippines decided to help.”

This story was updated to correct Gal Shechter’s title. This story was also updated with a new statement from Bright Data.

Peter Guest is the enterprise editor for Rest of World.

Header photo caption: Cristina Palabay, head of local human rights group Karapatan, on her laptop during an interview with AFP in Manila in 2020.