Skip links

Israeli firm Bright Data named as enabler of Philippines government DDOS attacks on opposition groups

Looks like a case of abuse of the service and/or being careless with what your customers get up to. Swedish digital rights organisation Qurium has alleged that an Israeli company called Bright Data has helped the government of the Philippines to DDOS local human rights organisation Karapatan.

In July, Qurium reported that the Philippines Department of Science and Technology and Army had conducted DDOS attacks on local media critical of the nation’s government, and targeted Karapatan.

Last week, Qurium reported a new wave of attacks on Karapatan, detailing a three-week campaign felt to be aimed at derailing efforts to protest extra-judicial killings – including the death of a Karapatan member.

Now the organisation has published analysis of the latest DDOS attacks, in which it alleges Israeli firm Bright Data aided the effort.

The organisation’s analysis suggests that most of the DDOS traffic it detected came from mobile carriers in Russia and the Ukraine. Qurium also detected action coming from servers hosted by Digital Ocean and US-based cloud Choopa.

Qurium’s analysis suggests that some of the servers used in the attacks employ proxies offered by Bright Data, which offers proxies-as-a-service.

Such services have legitimate uses to speed traffic, but can also allow creepy observation of traffic and lead to privacy abuses. Bright Data, formerly known as Luminati Networks, was accused of such creepiness in a 2018 report by security vendor Trend Micro.

That report noted that a VPN called HolaVPN had been observed – by none other than 8Chan owner Fredrick Brennan – leaking user info to Bright Data.

Trend Micro alleged that HolaVPN users became exit nodes for Bright/Luminati’s services.

“If the user’s machine happens to be part of a corporate network, its being an exit node may provide unknown third parties possible entry to company systems,” Trend stated. “HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes.

“Aside from this, HolaVPN users’ bandwidths are being sold via Luminati and could end up being part of botnet activity facilitated by the network. It could also enable cybercriminals to perform different illegal or unauthorized activities on users’ machines.”

Back to the Philippines, and Qurium alleges that the government employed Bright Data to provide rapidly-changing IP addresses – up to 100 an hour – to target Karapatan.

“At the beginning of our research, we speculated that this behavior could be the result of a ‘pay as you go’ stress-testing service that allowed a maximum of one hour attack time,” Qurium’s post states. “After several days monitoring the web site we could determine that the traffic patterns were the result of Luminati automatically rotating their residential and mobile proxies in an hourly basis.”

Qurium states it asked Bright Data for an explanation and received a response that included the following:

Bright Data claims it is an ethical organisation and vets all peers, partners, and customers to ensure they use its services appropriately.

But that’s just what another Israeli outfit – NSO Group – said before it was accused by Amnesty International of not doing enough to prevent abuse of its spyware.

Qurium’s naming of another Israeli firm as a player in state-run naughtiness throws a little more fuel on the fire.

The Register has approached Bright Data for comment, and will update this story if substantial information becomes available. ®