Somali Journalists Syndicate website shut down by cyberattack using US company RayoByte

---

The Somali Journalists Syndicate (SJS) suffered a slew of cyberattacks from people using U.S. company RayoByte. The initial cyberattack caused the SJS website to go offline just days before SJS member and anti-corruption journalist Mohamed Ibrahim Osman Bulbul was arrested by Somali authorities. 

Key Players

RayoByte, a company based in Lincoln, the Nebraska capital, provides access to IP addresses, a tool that has been used in recent years to initiate cyberattacks against several news outlets. RayoByte’s website states that it is an “award-winning proxy provider committed to reliability and ethics.” Its parent company is Sprious, a tech startup that aids companies in data collection and storage. 

The Somali Journalists Syndicate, a journalists’ trade union in Somalia, on the Horn of Africa, works to protect journalists and freedom of the press.

Qurium, a Swedish nonprofit, specializes in hosting websites of independent news organizations and protecting them from cyberattacks. 

Further Details

Gaining access to IP addresses through sites like RayoByte allows users to conduct “scraping,” a method of website data gathering through successive site visits. This can be used in a non-malicious way, but can also be utilized for distributed denial-of-service (DDoS) attacks intentionally to cause a site to go offline, a method commonly used against journalists. 

DDoS attacks occur when a network is inundated with online traffic through requests to a site’s IP address, often causing the site to shut down. While these attacks are illegal in the United States, it is not illegal to provide the tools that could be used to attack a site. 

On Aug. 11, 2023, the SJS website crashed after it was flooded with a DDoS attack. As a result, SJS was unable to publish a statement regarding Bulbul’s arrest in Somalia. Qurium began hosting the site shortly after, allowing it to come back online. However, after moving its location, the SJS experienced a second attack — this time, however, Qurium prevented a shutdown. 

Shortly afterward, a Qurium analysis revealed the use of RayoByte, finding that nearly 50% of the traffic during the incident originated from RayoByte and its partners, the remaining amount coming from other channels and virtual private networks. The total attack utilized roughly 20,000 IP addresses. 

Qurium’s report said that “residential and data center proxies have become the de-facto standard for today’s DDoS attack infrastructure.” 

Over the past two years, five other media organizations have faced similar attacks resulting from RayoByte’s services. In the case of one Kosovo news site, Qurium contacted Sprious, after which Sprious said it blacklisted the site—but attacks continued nonetheless. 

“You can have technology providers doing appropriate things to protect their users and others at the same time as they build their service in a way that protects privacy,” Gabe Rottman, director of the Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press, said in an interview with the Committee to Protect Journalists (CPJ). “If … you become aware of bad actors doing bad things, notify the authorities, stop them from using your service, mitigate the damage.” 

Qurium’s technical director Tord Lundström has called on RayoByte to address its role in recent cyberattacks. “[RayoByte’s] making all the money,” Lundström said. “And we have to do all this extra work and build new infrastructure to deal with all this shit,” he told the CPJ. 

“In the face of Somalia’s dire humanitarian crisis, it is disheartening that authorities in Mogadishu are financing criminals to launch online attacks against organizations like SJS. Will they ever be held accountable for this?” Abdalle Ahmed Mumin, SJS secretary general, said. 

Outcome

RayoByte parent company decries cyberattack, next steps remain vague   

In an email, Sprious told Qurium that SJS had been added to a blacklist, and that the perpetrating user had been removed from the network. 

“We firmly stand against any form of online harassment or harm, including cyber-attacks, especially when it concerns entities that play a crucial role in promoting press freedom and the safety of journalists,” Sprious said in an emailed statement to the CPJ.

Sprious has stated that it investigates DDoS attacks, but it has not released details on any RayoByte users that may have initiated the recent cyberattacks.

SJS journalist arrested following attack

The SJS secretary of information and student rights, Mohamed Ibrahim Osman Bulbul, was arrested on Aug. 17 in connection with his recent reporting on corruption. He was interrogated about his coverage of the alleged misappropriation of European Union funds for training the Somali police, and was accused of publicizing defamatory information. 

The origin of the cyberattacks has not been confirmed, but the timing of the incident raises questions about whether actors in Mogadishu may have funded the attack. 

The SJS continues to experience cyberattacks

The SJS site has continued to be attacked, but no IP addresses have originated from RayoByte since Qurium asked Sprious for a comment on the issue.