The independent Russian news outlet Meduza is facing repeated attempts to disrupt its digital infrastructure, according to researchers.

In March, Meduza reported encountering "the most concentrated cyber campaign" in its history, ahead of the presidential election in Russia that same month. The organization attributed the distributed denial-of-service (DDoS) event to Russian authorities.

Even after the March election, which secured another six-year term for the country's authoritarian leader Vladimir Putin, attacks on Meduza’s website persist, with their frequency and diversity escalating, according to a report published this week by the Sweden-based digital forensics entity Qurium. DDoS attacks flood a website with traffic, aiming to impede or incapacitate it.

Meduza presents itself as one of the few independent media outlets in Russia whose reporting remains untouched by Kremlin control or censorship. Meduza relocated its headquarters to Latvia back in 2014, and today, individuals residing in Russia can access its website solely through a VPN.

In 2023, the Russian government branded Meduza as an “undesirable organization” within Russia, subjecting it to hefty fines and potential imprisonment for employees. The organization previously stated that Russian authorities are endeavoring to “completely obliterate” it.

In April, Meduza encountered two large-scale distributed denial-of-service (DDoS) attacks, compelling it to engage Qurium to scrutinize their origins and structure, as outlined by the researchers.

The initial attack commenced on April 15 and endured approximately 48 hours. Throughout these two days, Meduza's website was besieged by 2 billion spurious user requests, researchers disclosed. This figure is several hundred times greater than the typical number of requests generated by its audience, according to Meduza. Qurium identified nearly 6,300 IP addresses that generated these requests at varying intensities — from several million requests per hour to several thousand. Meduza described this onslaught as the most extensive in its history.

The subsequent DDoS attack, commencing on April 18, exhibited a "wholly distinct" character in terms of the technologies and tactics the hackers employed, according to Meduza. Despite lasting merely one hour, this attack utilized 10 times more IP addresses than its predecessor.

Qurium indicated that the botnet orchestrating the recent assaults on Meduza likely operated via compromised routers or malware on desktop computers located outside of Europe.

During the investigation, researchers pinpointed three proxy providers associated with these attacks: Plain Proxies, Min Proxy, and RapidSeedBox. Proxy providers, whether knowingly or unknowingly, aid hackers in concealing the cyberattacks' origin, complicating the target's defense or mitigation efforts.

According to Qurium, two of the identified proxy providers, Plain Proxies and Min Proxy, were also implicated in last year's assaults against Hungarian media critical of the prevailing political regime.

In response to Qurium's analysis of the recent attacks, Meduza acknowledged uncertainty regarding the perpetrators but pointed fingers at the Kremlin.

"We understand that this is an exceptionally costly attack, designed not only to disrupt the functioning of our website and mobile application but to render our resources completely nonoperational. Only Russian authorities could harbor such intentions. And they will persist in their endeavors to realize them."