
Cyber Incident Victim: International Press Institute

Date:

Sep 2023

Location:

Austria

Summary

The International Press Institute (IPI) experienced a targeted and sustained cyberattack, believed to be retaliation for its press freedom advocacy in Hungary. The attack began with a major DDoS that took the website offline, followed by persistent, smaller DDoS attempts and efforts to breach the site. Evidence indicates the same attacker, using the alias "HANO", was responsible for a wave of attacks against Hungarian independent media outlets.


Description

On or around September 1, 2023, the International Press Institute (IPI) began experiencing a targeted and sustained cyberattack. The attack is believed to be a direct act of retaliation for the organization's advocacy work on behalf of independent media in Hungary, which has itself faced a wave of similar attacks since the summer. This incident represents the most brazen and direct assault on IPI’s online infrastructure in its history, reflecting a wider and deeply alarming pattern where digital tools are abused by malicious actors to silence critical journalists and their defenders. The cyberattack commenced just days after IPI released a statement on August 29 highlighting the recent wave of distributed denial-of-service (DDoS) attacks that had downed the websites of dozens of independent Hungarian media outlets over the preceding five months. In that report, IPI described these DDoS attacks as a new form of digital censorship threatening Hungary's already besieged independent media and called on Hungarian law enforcement and the European Union to take action.


The initial phase of the attack on IPI consisted of a series of DDoS attacks designed to disrupt the website by overwhelming it with traffic. These took the form of successively larger application-layer "HTTP flood attacks", which saturate the web server with HTTP requests until it can no longer serve normal visitors. The first wave of requests arrived on September 1 and may have served as a test to probe the organization's defenses. During this initial phase, the protection provided by Project Shield, a service from Jigsaw, a unit of Google, was sufficient to keep the website online. The situation escalated significantly between September 6 and 8, when the attackers brought the IPI website down multiple times, overcoming each countermeasure implemented by the IPI IT team by increasing the scale of the attack in successive waves. The attack peaked on September 8 at 350,000 requests per second, a volume that overwhelmed the existing defenses and caused significant downtime.

In response to the escalating attack, IPI scaled up its defenses on September 8 by enrolling in security measures offered through Cloudflare’s Project Galileo, which provides cyber defenses aimed at preventing malicious traffic from reaching servers. These enhanced security measures proved effective at countering the large-scale DDoS attacks, allowing the website to be restored and remain online. Following this defensive upgrade, the size of the ongoing DDoS attacks became much smaller, though they have persisted at a milder level. The mode of attack subsequently shifted from overwhelming traffic floods towards efforts to gain unauthorized access to the website, indicating a persistent and multi-faceted assault on IPI's digital infrastructure. The website was initially taken offline for three days during the most intense period of the attack but has since been restored and is being closely monitored by the IT team.

Analysis of the attack log data by the IPI IT team revealed several key characteristics of the incident. The DDoS attacks were carried out using the infrastructure of ordinary web-hosting services rather than a traditional botnet of malware-infected devices. The services abused included those of major providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. This method raises critical questions about the mechanisms these companies have in place to prevent and mitigate the abuse of their services for illegal DDoS operations. The malicious traffic originated from servers in numerous countries, including the United States, Germany, Russia, France, Indonesia, Singapore, Japan, China, the United Kingdom, and the Netherlands. This geographical distribution does not, however, reveal the actual location of the attacker or attackers: the source addresses are those of the rented hosting infrastructure, which the attacker can move between providers and regions at will, illustrating the inherent difficulty of both defending against and attributing such attacks.
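The log review described above (peak request rate, attribution of sources to hosting providers, and the attacker's signature string) is the kind of first-pass triage a small IT team does on a web server access log during an HTTP flood. The following is an added example, not IPI's tooling or data: the access-log lines, the provider CIDR ranges and the signature string are all constructed here for illustration, and the real provider ranges would come from the providers' published IP lists or from an ASN lookup.

```python
"""Added example: first-pass triage of an HTTP-flood access log.

Not IPI's tooling. The log lines and provider CIDR ranges below are
constructed for illustration. The code computes requests per second,
attributes source addresses to hosting networks, and searches request
fields for an attacker signature (here "hano", as IPI found in its logs).
"""
import ipaddress
import re
from collections import Counter

# Combined log format:
# ip - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical provider prefixes (documentation ranges, not real allocations).
PROVIDER_RANGES = {
    "hosting-A": [ipaddress.ip_network("203.0.113.0/24")],
    "hosting-B": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample: one ordinary visitor, then a burst from rented hosts,
# one of which carries the attacker's message in its User-Agent header.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Sep/2023:10:00:01 +0000] "GET /?q=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.6 - - [08/Sep/2023:10:00:01 +0000] "GET /?q=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [08/Sep/2023:10:00:01 +0000] "GET /?q=3 HTTP/1.1" 200 5120 "-" "Go-http-client/1.1"
198.51.100.8 - - [08/Sep/2023:10:00:02 +0000] "GET /see-you-next-time HTTP/1.1" 404 210 "-" "Hano hates u"
203.0.113.5 - - [08/Sep/2023:10:00:02 +0000] "GET /?q=4 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def provider_for(ip):
    """Map a source address to a hosting provider by CIDR, or 'other'."""
    for name, nets in PROVIDER_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return "other"


def triage(log_text, signature="hano"):
    """Summarise a flood: peak RPS, volume per provider, top sources, signature hits."""
    per_second = Counter()   # requests keyed by the log timestamp (1 s resolution)
    per_provider = Counter()
    per_ip = Counter()
    hits = []
    sig = signature.lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["ts"]] += 1
        per_provider[provider_for(rec["ip"])] += 1
        per_ip[str(rec["ip"])] += 1
        # The attacker's tag may appear in the request line or the User-Agent.
        if sig in rec["req"].lower() or sig in rec["ua"].lower():
            hits.append((str(rec["ip"]), rec["req"], rec["ua"]))
    if per_second:
        peak_ts, peak_rps = max(per_second.items(), key=lambda kv: kv[1])
    else:
        peak_ts, peak_rps = None, 0
    return {
        "peak_second": peak_ts,
        "peak_rps": peak_rps,
        "by_provider": dict(per_provider),
        "top_sources": per_ip.most_common(3),
        "signature_hits": hits,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it as `python3 triage.py` to see the summary for the constructed sample; on a real log, feed the file contents to `triage()` and replace `PROVIDER_RANGES` with the providers' published prefixes. The `by_provider` and `top_sources` counts are what you would attach to an abuse report to the hosting company, and the `signature_hits` list is the evidence that ties the traffic to a named actor.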

A notable aspect of this cyberattack is the persistence of the attacker, who responded to each new security measure with a counterattack over the course of many days. This sustained effort is one of the clearest indications that the assault was highly targeted. While uncovering the precise source of such attacks is difficult, the evidence strongly indicates that the same attacker or group behind the ongoing DDoS attacks against independent media in Hungary is responsible for targeting IPI. This actor operates under the name "HANO". The name was found within the IPI log data from the attack, and the attacker left a specific message for the organization in English: "see you next time Hano hates u". The meaning of the name is not certain, though Hungarian media have noted that HANO is the Hungarian acronym for a medical condition that causes severe bodily swelling. This same actor has likely targeted dozens of independent Hungarian media outlets with sustained DDoS attacks over the previous five months, has shown knowledge of the Hungarian media landscape and of individual journalists, and has left messages in Hungarian warning of future attacks. The scale and duration of these attacks, continuing over months, suggest that those responsible are relatively well-resourced, as security experts note that sustaining them costs a significant amount.

In the immediate aftermath of the attack, IPI has taken several steps to address the incident and pursue accountability. The organization has filed a report with the cybercrimes unit of the Austrian police, providing authorities with detailed log data from the DDoS attack. IPI plans to follow up to ensure the case is being investigated and is also in the process of notifying other relevant authorities within the European Union. Furthermore, IPI intends to notify the private web hosting companies whose services and infrastructure were abused to carry out the illegal DDoS attack. The goal of this engagement is to understand what mechanisms these companies have in place to prevent the malicious use of their services and to address such activities once discovered. IPI emphasizes that private companies must have strong governance and accountability mechanisms to ensure their products and services do not contribute to human rights abuses. Additionally, IPI plans to share information and data on the attack with independent security researchers and experts to enable further investigation. The organization also aims to increase its advocacy efforts concerning digital attacks against journalists and independent media, recognizing this as a growing global challenge, and hopes to bolster its support for Hungarian independent media and other IPI members facing similar cyber threats. The leadership of IPI has stated that while the attacks have disrupted their work, they have only strengthened the organization's resolve to defend press freedom and independent journalism wherever it is threatened.
