DEC 24, 2021, GEMMA B. MENDOZA
Patterns indicate that the ones behind the attack probably hired a black market service that was involved in, or had access to, infrastructure used in black hat SEO techniques
MANILA, Philippines – The cyberattacks against the websites of newsgroups ABS-CBN News, Rappler, and Vera Files may have been initiated by the same groups because they bore the same “distinctive” attack signatures.
The three news websites all experienced Distributed Denial of Service (DDoS) attacks during the second week of December. DDoS is a malicious attempt to bring down a website by flooding it with an overwhelming amount of simulated traffic.
It is also a form of system interference that has been illegal here since the enactment of the E-Commerce law in 2000. The Philippines is one of the first countries to punish DDoS attacks, according to internet law expert JJ Disini. The offense carries with it penalties that include a minimum of P100,000 in fines and mandatory imprisonment ranging from six months to three years.
First to be attacked was ABS-CBN News on Saturday, December 11. This was followed by the attack on Rappler’s website on Wednesday, December 15. The last to be attacked that week was Vera Files, which was hit the following day on Thursday, December 16.
Patterns derived from a comparative analysis of attack logs sourced from the servers of the three news websites indicated that the ones behind the attack probably hired a black market service that was involved in, or had access to, infrastructure used in black hat SEO techniques.
“It appears that in this case, someone repurposed infra used in SEO for this purpose,” said Tord Lundström, technical director at Sweden-based digital forensics nonprofit Qurium Media.
Attacks evolving, ramping up
The attacks appear to be part of a ramp-up activity. On Thursday, December 23, less than a week after the attacks against the three media groups, Rappler was once again subjected to another, more intense DDoS attack. Earlier, on the same day, the website of ABS-CBN News also went down. While the media giant did not confirm the reason for the outage, chatter in online hacker communities insinuated that it was also a DDoS attack.
There have been similar attacks in recent months against alternative media outlets but this is the first time that several major Philippine media outlets have been attacked in succeeding days.
ABS-CBN is the largest media network in the Philippines. While it lost its broadcast franchise in 2020, its digital media assets have a significant online footprint. Rappler is the top digital native news organization in the country. Vera Files has a smaller following compared to the other two media outlets.
The three media organizations are all known for critical reporting that has angered the Duterte administration. Both Vera Files and Rappler are third-party fact check partners of Facebook.
All three organizations have been subjected to tremendous attacks on social media by pro-administration social media influencers and social media propaganda channels.
Change in strategy?
Qurium Media also previously analyzed the DDoS attacks on the websites of human rights group Karapatan and the Altermidya group. They were able to trace the attacks on Karapatan and Altermidya to the Philippine government, particularly the Department of Science and Technology and the military.
Lundström, however, said “these attacks (on the three newsgroups) are different from the other attacks (like those on Karapatan).” There is no direct link between government forces and those who recently targeted the three news websites.
“This could be a change of strategy,” said Lundström. He pointed to the experience in Myanmar where government agents infiltrated hacker groups that were eventually weaponized against enemies of the state.
One attack signature used in the attacks against the three media groups – the use of CC attack (challenge collapsar) Python code – was also seen in other attacks against Philippine targets, such as Karapatan.
Interestingly, a number of local hacker groups online have published posts indicating knowledge of the cyberattacks on the media groups. For the past two years, Lundström said, most of these groups had been posting about purely technical hacking topics.
Recently, however, these local hacker groups have been seen to be posting more political content. “Even if there is no direct connection, somebody is trying to weaponize them,” Lundström said.
It is unclear if these groups are involved in the attacks against the newsgroups. Some pages belonging to these groups were observed to have posted anti-media and anti-communist propaganda days before the attack. This is being investigated further.
By examining referral links shown in the logs collected from the three websites, digital forensic analysts found that the attacks used techniques similar to those used by blackhat search engine optimization (SEO) practitioners to funnel fake traffic to websites.
Further analysis of the logs of the three news websites during the period of the attacks showed that the botnet used to launch the attacks utilized several thousand domains classified as “referrer spam” in the floods. These domains have been reported by users to Matomo’s referrer spam list for having been used in SEO spam referral operations, according to Lundström. Matomo is an analytics company similar to Google Analytics.
More than 2,500 of these “spam referrer” domains were found in the logs of the attacks against the Rappler website.
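The check described above, matching the Referer host of each access-log line against a referrer-spam list and counting distinct spam domains and source IPs, as an added example (not Qurium’s or Rappler’s own tooling). The spam list and the log lines are constructed placeholders; the real Matomo list is a text file with one hostname per line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a referrer-spam list (Matomo publishes the real one as
# a text file with one hostname per line); these hostnames are placeholders.
SPAM_LIST_TEXT = "# comment\nspam-referrer-one.test\nwww.cheap-traffic.example\n"

# Constructed access-log lines in combined log format (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Dec/2021:08:00:01 +0800] "GET / HTTP/1.1" 200 5120 "http://spam-referrer-one.test/" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Dec/2021:08:00:01 +0800] "GET /news HTTP/1.1" 200 4210 "https://www.cheap-traffic.example/p" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Dec/2021:08:00:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Dec/2021:08:00:02 +0800] "GET /?q=1 HTTP/1.1" 503 0 "http://spam-referrer-one.test/x" "python-requests/2.25"',
    '192.0.2.5 - - [15/Dec/2021:08:00:03 +0800] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def normalize_host(host):
    """Lowercase and drop a leading "www." so list and log entries compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def load_spam_list(text):
    """Parse a one-host-per-line list, skipping blank lines and # comments."""
    return {normalize_host(entry.strip()) for entry in text.splitlines()
            if entry.strip() and not entry.startswith("#")}

def referrer_host(referer):
    """Hostname of a Referer value, or None when the log shows none ("-")."""
    host = urlsplit(referer).hostname if referer and referer != "-" else None
    return normalize_host(host) if host else None

def analyze(log_lines, spam_hosts):
    """Count requests, distinct spam-referrer domains and source IPs sending them."""
    spam_domains, spam_ips, total = Counter(), set(), 0
    for m in filter(None, map(LOG_RE.match, log_lines)):  # skip unparsable lines
        total += 1
        host = referrer_host(m["referer"])
        if host in spam_hosts:
            spam_domains[host] += 1
            spam_ips.add(m["ip"])
    return {"requests": total, "spam_requests": sum(spam_domains.values()),
            "distinct_spam_domains": len(spam_domains),
            "distinct_spam_ips": len(spam_ips),
            "top_spam_domains": spam_domains.most_common(3)}
```

Run `analyze(SAMPLE_LOG, load_spam_list(SPAM_LIST_TEXT))` against a real access log and the full list to get the per-domain and per-IP counts the analysis above refers to.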
This technique, according to Lundström, is often used by marketers who want to simulate traffic and sell marketing sites to advertisers. “There is a lot of money in that. This is used for scamming advertisers,” Lundström said.
Spammy links are what SEO practitioners often refer to as “bad neighborhood” sites. These are typically used by unethical SEO practitioners because having more sites linking back to a website could be one measure of a website’s importance.
This practice is discouraged by search engine platforms like Google as an SEO strategy. A website that is getting numerous referrals from these poor-quality websites could be demoted by the algorithm in search results pages, indicating another potential motive for choosing this attack technique against critical media.
Lundström also said this indicates that the ones behind the attack probably hired one of the existing black market operations that have access to this other type of business. “This is a very specific signature. You do not normally see this in typical denial of service attacks. You need many IP addresses and many URLs to create this type of traffic.”
Only very sophisticated actors will build their own infrastructure of this scale, according to Lundström. “They often sell these.” Transactions, he said, typically use bitcoin.
More attack signatures
After analyzing around 8 terabytes of logs from the attack against Rappler, Qurium identified close to 14,000 IP addresses flooding the website. The majority of the IP addresses were open proxies in the US, China, Germany, Indonesia, Russia, and Vietnam.
An open proxy is a proxy server that is accessible to any internet user. Proxy servers are typically used by companies to store and forward information, such as web pages accessed within the network, in order to control the amount of bandwidth used. Open proxies, on the other hand, are typically used by those looking for online anonymity and privacy to hide their IP address from the web servers they visit.
Lundström compared a small sample of 2.5 million log lines from the attack against Rappler with data from the attacks against Vera Files and ABS-CBN and found similar referrer links.
They also compared the patterns from the Vera Files and Rappler attacks against 250,000 events recorded by the firewall of ABS-CBN. The patterns detected in the logs indicated the use of DAVOSET, a tool for conducting DDoS attacks on websites by abusing other websites to make them the source of the attack. Similar patterns were found in the Rappler logs. – Rappler.com