Cyberattackers target Meduza with unprecedented DDoS campaign in effort to disable site

In mid-April 2024, Meduza was hit by the largest DDoS attack in its history. The scale of the attack made it clear that the perpetrators weren’t just trying to interfere with our work — they wanted to make it impossible for anybody to access our journalism. And while we don’t have direct evidence, we believe that this attack, like previous ones we’ve faced, was orchestrated by the Russian authorities. Our technical partners at Qurium Media Foundation have compiled a report using the initial data from the attack. Meduza summarizes their findings.

Last month, Meduza reported on a far-reaching cyber-attack that targeted our newsroom in the leadup to Russia’s presidential “election.” That campaign included numerous attempts to hack into our employees’ accounts as well as intense DDoS attacks against our site. After the “election,” the attackers didn’t relent — and the DDoS attacks escalated to a new level.

DDoS attacks involve perpetrators sending massive numbers of requests to their victims’ servers in an attempt to overload them, making it impossible for regular users to get through. When these attacks target online media outlets, they can cause content to load significantly slower — or not to load at all.

The first attack

In the initial weeks after Russia’s presidential “election,” we were targeted by several small DDoS attacks whose apparent aim was to identify vulnerabilities in our site’s infrastructure.

Then, on the evening of April 15, the real assault began. The attackers found a point of vulnerability in Meduza’s internal search engine: while we store our texts and photos on cache servers, requests through our site’s search engine go directly to our main servers to ensure that the results are as fresh as possible.

This DDoS attack lasted for 48 hours. During that time, our servers received more than two billion requests — several hundred times more than the typical amount generated by our readers. The logs from the attack take up about three terabytes.

Qurium’s analysis found that the attack was carried out through a botnet operating from household “smart” devices or malware in desktop computers. About 6,300 IP addresses were recorded in total. The devices sent waves of requests ranging in scale from several thousand per hour to several million. According to Qurium, this suggests the botnet lacks the ability to internally control the attack’s intensity and that each device was simply sending requests as aggressively as it could.

More than 25 percent of the IP addresses used in the attack were from Brazil, while nearly 20 percent were from the U.S. The rest were from countries in Southeast Asia, South America, and the Middle East.

The second attack

The second DDoS attack began on the morning of April 18. This attack looked very different from the first one, both in the technologies it used and in the pattern it left. Despite lasting just one hour, it employed 10 times more IP addresses than the previous attack.

This time, the attackers used IPv6 networks as well as residential proxy providers, which allow attackers to disguise their traffic as requests from ordinary users in other countries, unlike proxy services that route requests through servers in data centers.

Qurium identified three residential proxy provider companies whose resources were used in the attack: Plain Proxies, RapidSeedbox, and MIN Proxy. The analysts noted that they saw similar infrastructure used in attacks against Hungarian media outlets in October 2023.

Your help can be the bridge to hope for many in Russia. Join Meduza in its mission to challenge censorship with the truth. Donate today.

Qurium contacted Plain Proxies on April 18, the same day the attack occurred. The company responded the following day (after the attack was over), saying that it was “not seeing any traffic going to this target as of now” but that it would block all future requests to Meduza’s site.

At the same time, the company’s CEO expressed doubt that its services were used for a DDoS attack, saying that 250,000 requests from a single IPv6 address is “not a reason to consider it a denial [of] service attack.” He promised to contact the customer to find out why it had sent so many requests to Meduza. It’s unclear who this customer is or how they responded.

At the time of this article’s publication, the major attacks on Meduza’s infrastructure have ended, but we continue to face smaller attacks, with the perpetrators likely probing for new vulnerabilities.

Who’s behind these attacks?

We don’t know. But we do know that they’re very expensive and that their goal is not just to temporarily disrupt our site and mobile app but to stop them from working entirely. The only actor who would be so determined to do this is the Russian government. And we’re confident they’re not going to stop.