Israeli firm Bright Data named as enabler of Philippines government DDOS attacks on opposition groups

Bright denies all in this odd tale of a leaky VPN, creepy proxy networks, 8Chan, clouds hosting wonky workloads, and Swedish digital rights org Qurium


Updated Swedish digital rights organisation Qurium has alleged that an Israeli company called Bright Data has helped the government of the Philippines to DDOS local human rights organisation Karapatan.

In July, Qurium reported that the Philippines Department of Science and Technology and Army had conducted DDOS attacks on local media critical of the nation's government, and targeted Karapatan.

Last week, Qurium reported a new wave of attacks on Karapatan, detailing a three-week campaign felt to be aimed at derailing efforts to protest extra-judicial killings – including the death of a Karapatan member.

Now the organisation has published analysis of the latest DDOS attacks, in which it alleges Israeli firm Bright Data aided the effort.

The organisation's analysis suggests that most of the DDOS traffic it detected came from mobile carriers in Russia and the Ukraine. Qurium also detected action coming from servers hosted by Digital Ocean and US-based cloud Choopa.

Qurium's analysis suggests that some of the servers used in the attacks employ proxies offered by Bright Data, which offers proxies-as-a-service.

Such services have legitimate uses to speed traffic, but can also allow creepy observation of traffic and lead to privacy abuses. Bright Data, formerly known as Luminati Networks, was accused of such creepiness in a 2018 report by security vendor Trend Micro.

That report noted that a VPN called HolaVPN had been observed – by none other than 8Chan owner Fredrick Brennan – leaking user info to Bright Data.

Trend Micro alleged that HolaVPN users became exit nodes for Bright/Luminati's services.

"If the user's machine happens to be part of a corporate network, its being an exit node may provide unknown third parties possible entry to company systems," Trend stated. "HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes.

"Aside from this, HolaVPN users' bandwidths are being sold via Luminati and could end up being part of botnet activity facilitated by the network. It could also enable cybercriminals to perform different illegal or unauthorized activities on users' machines."

Back to the Philippines, and Qurium alleges that the government employed Bright Data to provide rapidly-changing IP addresses – up to 100 an hour – to target Karapatan.

"At the beginning of our research, we speculated that this behavior could be the result of a 'pay as you go' stress-testing service that allowed a maximum of one hour attack time," Qurium's post states. "After several days monitoring the web site we could determine that the traffic patterns were the result of Luminati automatically rotating their residential and mobile proxies in an hourly basis."

Qurium states it asked Bright Data for an explanation and received a response that included the following:

The IPs from the list you have attached (attaching it again) belong to Bright Data, however we did not find any of them in the requests that were sent to the reported domain.

Bright Data claims it is an ethical organisation and vets all peers, partners, and customers to ensure they use its services appropriately.

But that's just what another Israeli outfit – NSO Group – said before it was accused by Amnesty International of not doing enough to prevent abuse of its spyware.

Qurium's naming of another Israeli firm as a player in state-run naughtiness throws a little more fuel on the fire.

The Register has approached Bright Data for comment, and will update this story if substantial information becomes available. ®

UPDATE 0700 UTC August 26th - Bright Data has sent The Register the following statement.

"Bright Data had absolutely no connection to the reported incident, and the Qurium report is categorically false, unprofessional, and unethical. Qurium approached Bright Data just before they published the false report, and even though Bright Data showed Quirum’s researchers that their report was blatantly wrong, they chose to ignore Bright Data and the facts.

Qurium acted recklessly, if not intentionally, without any effort to look into the facts Bright Data presented. Moreover, they did not even sign up for Bright Data's service to see how it works. One example: the report mentions servers that are not Bright Data's and communication ports that were always blocked on Bright Data's platform. Make no mistake, their report constitutes actionable defamatory content.

One can only wonder what lies behind Qurium’s motivation to make such false accusations. We demand that Qurium retract the report and issue a public apology. We expect it to happen immediately, and we will not hesitate to go to great lengths to make this happen."

UPDATE 22:00 UTC December 5th - Bright Data has sent The Register an investigation [PDF] into its role in this incident, compiled by Night Lion Security.

In the author's opinion:

Based on the information gathered and presented in this report, it is our conclusion that there is no evidence presented in either the Qurium report, or in any analysis and investigation performed by Night Lion’s forensic team, to support claims suggesting that any attacks carried out against Karapatan.org originated from Bright Data’s network.

We shared the investigation with Tord Lundstrum, Qurium's technical director. His response included the following:

We find strange that the investigator never reached to us for further details of our research.

Night Lion has taken one-sided information coming from his client to write the report. The report lacks any real details, what methods were used, when the experiments were conducted, how the logs from Bright Data were obtained, what systems were evaluated... etc.

Similar topics

Broader topics


Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022