Israeli firm Bright Data named as enabler of Philippines government DDOS attacks on opposition groups
Bright denies all in this odd tale of a leaky VPN, creepy proxy networks, 8Chan, clouds hosting wonky workloads, and Swedish digital rights org Qurium
Updated Swedish digital rights organisation Qurium has alleged that an Israeli company called Bright Data has helped the government of the Philippines to DDOS local human rights organisation Karapatan.
In July, Qurium reported that the Philippines Department of Science and Technology and Army had conducted DDOS attacks on local media critical of the nation's government, and targeted Karapatan.
Last week, Qurium reported a new wave of attacks on Karapatan, detailing a three-week campaign felt to be aimed at derailing efforts to protest extra-judicial killings – including the death of a Karapatan member.
Now the organisation has published analysis of the latest DDOS attacks, in which it alleges Israeli firm Bright Data aided the effort.
The organisation's analysis suggests that most of the DDOS traffic it detected came from mobile carriers in Russia and the Ukraine. Qurium also detected action coming from servers hosted by Digital Ocean and US-based cloud Choopa.
Qurium's analysis suggests that some of the servers used in the attacks employ proxies offered by Bright Data, which offers proxies-as-a-service.
Such services have legitimate uses to speed traffic, but can also allow creepy observation of traffic and lead to privacy abuses. Bright Data, formerly known as Luminati Networks, was accused of such creepiness in a 2018 report by security vendor Trend Micro.
That report noted that a VPN called HolaVPN had been observed – by none other than 8Chan owner Fredrick Brennan – leaking user info to Bright Data.
Trend Micro alleged that HolaVPN users became exit nodes for Bright/Luminati's services.
"If the user's machine happens to be part of a corporate network, its being an exit node may provide unknown third parties possible entry to company systems," Trend stated. "HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes.
"Aside from this, HolaVPN users' bandwidths are being sold via Luminati and could end up being part of botnet activity facilitated by the network. It could also enable cybercriminals to perform different illegal or unauthorized activities on users' machines."
- Facebook and Amazon take over Philippines-to-USA sub cable after China Mobile quits
- Philippines national ID registration portal opens, glitches out in first hour
- 30 percent of world agrees not to require onshore storage for e-commerce customer data
- Big Tech’s Asian lobby says nations shouldn’t go it alone on tech taxes
Back to the Philippines, and Qurium alleges that the government employed Bright Data to provide rapidly-changing IP addresses – up to 100 an hour – to target Karapatan.
"At the beginning of our research, we speculated that this behavior could be the result of a 'pay as you go' stress-testing service that allowed a maximum of one hour attack time," Qurium's post states. "After several days monitoring the web site we could determine that the traffic patterns were the result of Luminati automatically rotating their residential and mobile proxies in an hourly basis."
Qurium states it asked Bright Data for an explanation and received a response that included the following:
Bright Data claims it is an ethical organisation and vets all peers, partners, and customers to ensure they use its services appropriately.
But that's just what another Israeli outfit – NSO Group – said before it was accused by Amnesty International of not doing enough to prevent abuse of its spyware.
Qurium's naming of another Israeli firm as a player in state-run naughtiness throws a little more fuel on the fire.
The Register has approached Bright Data for comment, and will update this story if substantial information becomes available. ®
UPDATE 0700 UTC August 26th - Bright Data has sent The Register the following statement.
"Bright Data had absolutely no connection to the reported incident, and the Qurium report is categorically false, unprofessional, and unethical. Qurium approached Bright Data just before they published the false report, and even though Bright Data showed Quirum’s researchers that their report was blatantly wrong, they chose to ignore Bright Data and the facts.
Qurium acted recklessly, if not intentionally, without any effort to look into the facts Bright Data presented. Moreover, they did not even sign up for Bright Data's service to see how it works. One example: the report mentions servers that are not Bright Data's and communication ports that were always blocked on Bright Data's platform. Make no mistake, their report constitutes actionable defamatory content.
One can only wonder what lies behind Qurium’s motivation to make such false accusations. We demand that Qurium retract the report and issue a public apology. We expect it to happen immediately, and we will not hesitate to go to great lengths to make this happen."
UPDATE 22:00 UTC December 5th - Bright Data has sent The Register an investigation [PDF] into its role in this incident, compiled by Night Lion Security.
In the author's opinion:
Based on the information gathered and presented in this report, it is our conclusion that there is no evidence presented in either the Qurium report, or in any analysis and investigation performed by Night Lion’s forensic team, to support claims suggesting that any attacks carried out against Karapatan.org originated from Bright Data’s network.
We shared the investigation with Tord Lundstrum, Qurium's technical director. His response included the following:
We find strange that the investigator never reached to us for further details of our research.
Night Lion has taken one-sided information coming from his client to write the report. The report lacks any real details, what methods were used, when the experiments were conducted, how the logs from Bright Data were obtained, what systems were evaluated... etc.