Meduza
Image: Jon Moore via Unsplash / The Record

DDoS attacks continue, post-election, against Russian independent media site Meduza

The Russian independent news website Meduza is facing repeated attempts to disrupt its digital infrastructure, researchers have found.

In March, Meduza said that it became the target of "the most intense cyber campaign" in its history, preceding the presidential election in Russia during the same month. The organization attributed the distributed denial-of-service (DDoS) incident to the Russian authorities.

Even after the election in March, which granted the country's authoritarian leader Vladimir Putin another six-year term, the onslaughts against Meduza’s website have continued, increasing in intensity and variety, according to a report released this week by the Sweden-based digital forensics organization Qurium. DDoS attacks flood a website with traffic, with the intention of disrupting it or bringing it down.

Meduza markets itself as one of the few Russian independent media outlets whose coverage remains free from control or censorship by the Kremlin. Meduza relocated its office to Latvia back in 2014, and people living in Russia today can only access its website through a VPN.

In 2023, the Russian government designated Meduza as an “undesirable organization” in Russia, subjecting it to heavy fines and potential prison sentences for employees. The organization said in the past that the Russian authorities are trying to “completely destroy” it.

In April, Meduza faced two large-scale distributed denial-of-service (DDoS) attacks, prompting it to reach out to Qurium to investigate their origin and composition, the researchers said.

The first attack started on April 15 and lasted about 48 hours. Over those two days, Meduza's website was targeted by 2 billion fake user requests, researchers said. According to Meduza, this is several hundred times more than the typical number of requests generated by its audience.

Qurium detected nearly 6,300 IP addresses that generated these requests with varying intensity — from several million requests per hour to several thousand. Meduza said that this attack was the largest in its history.

The second DDoS attack, which started on April 18, appeared “completely different” both in terms of the technologies used by hackers and their tactics, according to Meduza. This attack lasted just one hour but used 10 times more IP addresses than the previous one.

The botnet behind the recent attacks on Meduza likely operated from compromised routers or malware in desktop computers located outside of Europe, according to Qurium.

During the analysis, researchers identified three proxy providers behind these attacks: Plain Proxies, Min Proxy, and RapidSeedBox. Proxy providers help hackers — knowingly or unknowingly — in masking the origin of the cyberattack, making it difficult for the target to defend against or mitigate it.

According to Qurium, two of the identified proxy providers, Plain Proxies and Min Proxy, were also linked to last year's attacks against Hungarian media critical of the current political regime.

Responding to Qurium's analysis of the recent attacks, Meduza said they don't know for sure who could be behind them but points to the Kremlin.

"We know that this is a very expensive attack, and its purpose is not just to disrupt the operation of our website and mobile application, but to make our resources stop working. Only Russian authorities can have such a goal. And they will continue trying to achieve it."

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.