A secure messaging app used by protesters to organize in Hong Kong was hit with a massive cyberattack whose offending IP addresses identified it as coming from mainland China.
Protesters in Hong Kong took to the streets in droves in June to decry legislation that would have allowed Hong Kong citizens wanted by the Chinese government to be extradited for trial to the mainland. Using an app called Telegram, which prides itself on its security, protesters were able to coordinate one of the largest demonstrations the city has seen for years.
On June 12, a massive distributed denial of service attack was orchestrated against Telegram servers, leading to connection issues for users across the globe. Telegram CEO Pavel Durov said the IP addresses used in the attack came mostly from China. China, which has a long history of opposing free speech and restricting internet use within its borders, banned the service in the country in 2015.
Telegram alerted users of the attack and explained what was happening to their servers using a fast-food analogy.
In a distributed denial of service, or DDoS, attack, “your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests,” Telegram tweeted. “Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you — and each is ordering a whopper. The server is busy telling the whopper lemmings they came to the wrong place — but there are so many of them that the server can’t even see you to try and take your order.”
In the case of the Hong Kong protests, the “garbage requests” from mainland Chinese IP addresses overwhelmed Telegram’s servers, preventing Hong Kong users from communicating with each other securely.
According to research by cybersecurity company Neustar, DDoS attacks are considered the highest threat to networks by more than 170 digital security experts. The attacks are not a new phenomenon. A 15-year-old Canadian, going by the handle “mafiaboy,” orchestrated the first “major” attack of this type back in 2000. Attackers have only gotten more sophisticated since then.
One tactic offenders have adopted is the use of botnets. Telegram continued its fast-food analogy to explain that technique, which effectively takes over insecure consumer devices such as routers and modems and uses their IP addresses, without their owners’ knowledge, to multiply the number of requests hitting a targeted server.
“To generate these garbage requests, bad guys use ‘botnets’ made up of computers of unsuspecting users which were infected with malware at some point in the past,” Telegram tweeted. “This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa.”
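The defender’s problem Telegram describes is that a distributed flood has no single source worth blocking: each infected device sends a modest amount, and only the aggregate is abnormal. The following is an added example, not code from the article or from Telegram, that runs over constructed log lines (a made-up "epoch-second, client IP, path" format with made-up thresholds) and labels each second as normal, a single-source flood that a per-IP rate limit would catch, or a distributed flood that it would not.

```python
"""Label request floods by comparing the aggregate request rate with the
per-source rate, the distinction that makes a *distributed* denial of
service hard to filter by individual IP address."""
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic): "<epoch second> <client IP> <path>"
NORMAL_SECOND = [f"1560333600 198.51.100.{i} /api/getUpdates" for i in range(1, 6)]
# Distributed flood: 60 different sources, each sending only 3 requests in one second.
FLOOD_SECOND = [f"1560333601 203.0.113.{i} /api/getUpdates"
                for i in range(1, 61) for _ in range(3)]
# Single-source flood: one address sending 70 requests in one second.
SINGLE_SECOND = ["1560333602 192.0.2.9 /api/getUpdates"] * 70
SAMPLE_LOG = NORMAL_SECOND + FLOOD_SECOND + SINGLE_SECOND


def parse_line(line):
    """Split one constructed log line into (timestamp, client IP, path)."""
    ts, ip, path = line.split(" ", 2)
    return int(ts), ip, path


def classify_windows(lines, aggregate_threshold=50, per_source_threshold=20):
    """Group requests by second and label each second.

    aggregate_threshold:  requests/second above which the server is overloaded
    per_source_threshold: requests/second from one IP that a per-IP limit would catch
    Both values are assumptions chosen for the sample; tune to a measured baseline.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        ts, ip, _ = parse_line(line)
        per_second[ts][ip] += 1
    report = {}
    for ts, sources in sorted(per_second.items()):
        total = sum(sources.values())
        top_ip, top_count = sources.most_common(1)[0]
        if total <= aggregate_threshold:
            label = "normal"
        elif top_count >= per_source_threshold:
            label = "single-source flood"  # a per-IP rate limit on top_ip absorbs this
        else:
            label = "distributed flood"    # no IP stands out; needs upstream filtering
        report[ts] = {"total": total, "sources": len(sources),
                      "top_ip": top_ip, "top_count": top_count, "label": label}
    return report


if __name__ == "__main__":
    for ts, row in classify_windows(SAMPLE_LOG).items():
        print(ts, row)
```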
Botnets can be rented for as little as $20 per day.
Although the cyberattack was temporarily disabling, Telegram assured the public that users’ data was protected and the attack did not breach their private information.
“There’s a bright side: All of these lemmings are there just to overload the servers with extra work — they can’t take away your BigMac and coke. Your data is safe,” the company tweeted.
Durov surmised, based on its size, that the attack on his company was likely the work of a state actor rather than a private entity or a lone hacker. Telegram’s servers were flooded with hundreds of gigabits of data requests per second from China, a country where the service is banned. A gigabit is one billion bits; internet speeds throughout the world are mostly measured in megabits per second, and a gigabit per second is a thousand times that rate.