The cyberattack against the Somali Journalists Syndicate could not have come at a worse time. A distributed denial-of-service attack, known by its acronym DDoS, flooded the local press freedom group’s website with traffic in early August and knocked it offline. Days later, authorities arrested SJS staff member and Kaab TV editor Mohamed Ibrahim Osman Bulbul in connection with his reporting on alleged corruption. The tandem crises placed major strain on the organization.
“It was a very traumatic week. Sleepless. Very stressful. We could not publish our statement, the first statement of Mohamed’s detention,” SJS secretary general Abdalle Ahmed Mumin told CPJ in an interview from the U.K., where he fled earlier this year after he was repeatedly arrested by Somali authorities. “Imagine someone attacking your team, detaining one of your team, and you’re not able to communicate to the international world because your website has been taken down.”
SJS found some relief when it connected with Qurium, a Sweden-based nonprofit that began hosting SJS’s website. But a week after the initial attack, another DDoS flood hit the website. This time, Qurium was able to protect SJS from going offline. Qurium’s analysis of these additional attacks also found that a U.S. company, RayoByte, had provided the tools used in the attack.
Sprious, which owns RayoByte, told Qurium in an email, which CPJ reviewed, that it had “removed the abusive user” from its network and added the SJS site to its “blacklist” to prevent it from being targeted further.
SJS isn’t the only news outlet that has suffered a DDoS attack using RayoByte’s services. News outlets from at least five other countries — Kosovo, Nigeria, Kyrgyzstan, the Philippines, and Turkmenistan — have faced similar attacks over the last two years, according to Qurium’s analysis. These incidents provide a rare look at the mechanics of online censorship efforts and how private corporations can profit from them.
Sprious declined CPJ’s requests for an interview and did not directly answer a list of written questions. But in emailed statements to CPJ, Sprious said it was “deeply concerned” about reports that its services were “allegedly” used in DDoS attacks. “We firmly stand against any form of online harassment or harm, including cyber-attacks, especially when it concerns entities that play a crucial role in promoting press freedom and the safety of journalists,” it said.
Headquartered in Lincoln, Nebraska, RayoByte, formerly known as Blazing SEO, is one of many companies that sells clients access to Internet Protocol (IP) addresses, unique numbers assigned to internet-connected devices, for “scraping,” a method for extracting large amounts of data from websites. RayoByte’s website lists a range of prices for access to IP addresses based on variables including type and speed.
One way to conduct scraping is through repeated requests to visit a site with different IP addresses. Journalists and researchers use scraping as a research technique, but when IP requests are directed quickly and en masse toward a specific site in order to overwhelm it and knock it offline, this constitutes a DDoS attack.
CPJ has documented DDoS attacks against outlets conducting critical journalism around the world. These cyberattacks also often take place alongside other threats to journalists’ safety and press freedom.
Qurium’s analysis shows that it blocked nearly 20,000 IP addresses from hitting the SJS website with millions of requests on August 18 and 19. The largest portion of the traffic (nearly 50%) came via RayoByte and its hosting partners, the analysis said. The second half of the traffic came through several other online channels, including virtual private networks (VPNs).
“We were very effective at mitigating the attack because within a few hours we realized we had seen this type of traffic before,” Qurium’s technical director Tord Lundström told CPJ. “We have met this [attacking] infrastructure in the past…this infrastructure is no joke.”
Similar DDoS attacks began almost immediately after Kosovo-based news site Nacionale began publishing in March 2022, covering local politics and social issues, co-founder Visar Arifaj told CPJ in a recent phone interview. “Our website would be down quite often. Because we were still fresh in the news market, it really had an impact for us to reach our audiences,” Arifaj said. “For us to be down a couple of hours during the day was a huge blow.”
Qurium began hosting and defending Nacionale in September 2022, and in March and April 2023 Qurium notified Sprious that attackers had been using its services against the outlet.
In emails from March, Qurium informed Sprious of attacks lasting “several hours non-stop.” One of the attacks “sourced” millions of web requests from IP addresses “publicly advertised by Rayobyte/BlazingSEO,” Qurium said. Sprious responded that it had “blacklisted” access to Nacionale’s website and it had barred the “user” responsible – which Sprious did not name — from accessing its services, but in April Qurium again tracked a DDoS attack against Nacionale involving RayoByte. In response to Qurium’s email about the April attack, Sprious said it had “discovered an issue” with its “security controls,” and had addressed it “to prevent further traffic.”
However, RayoByte-sourced internet traffic to Nacionale’s website did not stop and featured in DDoS attacks against the outlet in July and August, Lundström told CPJ. While Kosovo police arrested and prosecuted one man in connection with the cyberattacks and Qurium has successfully prevented the continued attacks from taking Nacionale offline, Lundström told CPJ that incoming traffic shows attackers continuing to harness IPs from a combination of proxy services, VPNs, and other sources.
Alongside the cyberattacks, Nacionale’s staff have been subjected to “constant” online harassment for their work and were recently physically attacked on the job, though those attackers have been arrested, Arifaj told CPJ. “This constant pressure, even when it doesn’t get to the journalists physically and in a direct manner, you can see that it does a lot for their burnout,” he added. “It does take a toll, mentally, on everyone.”
Since 2022, Qurium has additionally tracked DDoS attacks with IPs sourced from RayoByte against four other outlets: Peoples Gazette from Nigeria, Kloop from Kyrgyzstan, Bulatlat from the Philippines, and Turkmen.news, which reports on Turkmenistan from exile. The attacks on three of the four outlets, excluding Kloop, also involved traffic via VPNs.
In its statements to CPJ, Sprious said it investigates reports of DDoS attacks using its services and takes “appropriate actions with the end user that we believe is responsible” and “steps to mitigate the reported issues, including, but not limited to, blacklisting associated domains and working diligently to remove abusive users.” The statements did not respond directly to CPJ’s requests for details of the customers responsible for these attacks and how the company responded in each case.
Lundström told CPJ that Sprious has yet to respond to Qurium’s emails concerning the attacks on Peoples Gazette, Kloop, Bulatlat, and Turkmen.news, as well as the additional attacks on Nacionale in July and August.
Proxies and VPNs have valid and important uses for ensuring internet users, including journalists, can maintain privacy online. Rights organizations, including CPJ, recommend the use of VPNs to defend against surveillance; individuals can use it to avoid state-backed online censorship, and companies use them to safeguard proprietary information. But Lundström described the use of proxy and VPN services to conduct DDoS attacks as a “weaponization” of these tools. “You’re hiding in a tool [made] for another purpose,” he said of the attackers. “I think it’s a strategic decision.”
“DDoS attacks are illegal under a section of the [U.S.] Computer Fraud and Abuse Act,” Gabe Rottman, director of the Technology and Press Freedom Project at the U.S.-based Reporters Committee for Freedom of the Press, which provides legal support to journalists, told CPJ. But he said that it is not necessarily illegal for proxy or VPN companies to provide services that are then used in DDoS attacks.
That doesn’t mean service providers can’t take actions. “You can have technology providers doing appropriate things to protect their users and others at the same time as they build their service in a way that protects privacy,” Rottman said. “If … you become aware of bad actors doing bad things, notify the authorities, stop them from using your service, mitigate the damage.”
Attacks on the SJS website have continued, Lundström told CPJ, though none of the IPs have come via RayoByte since Qurium and CPJ contacted Sprious for comment. Nevertheless, Lundström wants RayoByte’s leadership to do more to address the fact that attackers have repeatedly come to the company’s services to target media sites. “[RayoByte’s] making all the money,” he said. “And we have to do all this extra work and build new infrastructure to deal with all this shit.”
As for SJS, Abdalle remains worried about his colleague, who is still behind bars. But he says he’s confident that the press freedom group’s website will remain accessible. He still doesn’t know the identity of the person or people who launched the cyberattack, but he imagines what they might be thinking: “Now they are witnessing, they are coming into a new reality that even after the attack SJS is still resilient. SJS is still active. SJS is still available and is able to work and operate effectively both online and physically inside Somalia.”
Editor’s note: The first name and title of Qurium’s technical director Tord Lundström was added in the 11th paragraph.