Cloudflare Warns of DDoS Attacks Targeting Journalists and News Organizations

Cybersecurity firm Cloudflare has issued a stark warning about the escalating threat landscape facing independent media organizations worldwide, revealing that journalists and news outlets have become the primary targets of sophisticated distributed denial-of-service (DDoS) attacks.

The company’s latest Project Galileo 11th Anniversary report exposes a dramatic surge in cyberattacks against media organizations, with over 97 billion malicious requests blocked across 315 different news organizations between May 2024 and March 2025.

Project Galileo (Source – Cloudflare)

The attacks represent a concerning shift in the tactics used to silence independent journalism, particularly targeting investigative outlets operating in regions under government pressure, including Russia and Belarus.

Unlike traditional malware campaigns that rely on infiltrating systems through infected files or phishing emails, these DDoS attacks overwhelm news websites with massive volumes of traffic, rendering them inaccessible to legitimate readers and effectively silencing their reporting capabilities.

The scale of these attacks has reached unprecedented levels, with Cloudflare blocking an average of 325.2 million cyber threats per day—a staggering 241% increase from the previous year.

Cloudflare analysts identified the peak of this coordinated assault occurring on September 28, 2024, when attackers launched their most intensive campaign against media organizations.

The researchers noted that these attacks primarily utilize Layer 7 application-level DDoS techniques, which account for 92.88% of all mitigated traffic against journalism organizations, compared to just 5.93% of attacks attempting to exploit traditional web application vulnerabilities through the Web Application Firewall.

The sophistication and coordination of these attacks became particularly evident in the case of the Belarusian Investigative Center, an independent nonprofit newsroom dedicated to exposing corruption and debunking disinformation from authoritarian regimes.

The organization applied for Project Galileo protection on September 27, 2024, while already under attack, and subsequently faced a massive DDoS assault that generated over 28 billion requests in a single day.

This attack demonstrated the attackers’ ability to sustain prolonged campaigns, lasting four days with an average of 320,000 requests per second.

Advanced DDoS Attack Mechanisms and Evasion Techniques

The technical analysis of these attacks reveals a concerning evolution in DDoS methodology specifically tailored to target media organizations. Unlike conventional volumetric attacks that simply flood network infrastructure, these campaigns employ sophisticated Layer 7 HTTP flood techniques that mimic legitimate user behavior while overwhelming application resources.

The attackers utilize machine learning-resistant patterns that attempt to bypass Cloudflare’s behavioral analysis systems by distributing requests across multiple source IP addresses and varying request timing to appear more organic.

The attack vectors primarily focus on HTTP anomalies, representing 41.71% of Web Application Firewall mitigations, where attackers deliberately send malformed requests with missing headers, unsupported request methods, or invalid character encoding.

This technique serves a dual purpose: it consumes server resources while simultaneously probing for application vulnerabilities that could be exploited in subsequent attacks.

The distributed nature of these attacks often involves coordinating requests from compromised devices across multiple geographic regions, making traditional IP-based blocking ineffective and requiring more sophisticated detection algorithms that analyze request patterns and behavioral signatures rather than source identification alone.
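The following added example (not from Cloudflare's report and not its detection logic) illustrates the two points above: it flags the HTTP anomalies named in the article (missing headers, unsupported methods, invalid character encoding) and groups traffic by anomaly signature instead of source IP. The allowed-method and required-header lists and the sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # assumption: methods this site serves
REQUIRED_HEADERS = ("host", "user-agent", "accept")  # assumption: headers real browsers send

def anomalies(raw: bytes) -> tuple:
    """Return a sorted tuple of anomaly labels for one raw HTTP request head."""
    found = set()
    try:
        text = raw.decode("utf-8")        # strict decode: invalid byte sequences raise
    except UnicodeDecodeError:
        found.add("invalid_encoding")
        text = raw.decode("latin-1")      # lossless fallback so parsing can continue
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        found.add("malformed_request_line")
    elif parts[0] not in ALLOWED_METHODS:
        found.add("unsupported_method")
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    for header in REQUIRED_HEADERS:
        if header not in names:
            found.add("missing_" + header)
    return tuple(sorted(found))

def summarize(requests):
    """Group (source_ip, raw_request) pairs by anomaly signature, not by IP.

    Returns {signature: (request_count, distinct_ip_count)}.
    """
    groups = defaultdict(lambda: {"requests": 0, "ips": set()})
    for ip, raw in requests:
        sig = anomalies(raw)
        if sig:                            # clean requests are not grouped
            groups[sig]["requests"] += 1
            groups[sig]["ips"].add(ip)
    return {sig: (g["requests"], len(g["ips"])) for sig, g in groups.items()}

# Constructed sample traffic using documentation-range IPs (not data from the report).
OK = b"Host: news.example\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
SAMPLE = [
    ("198.51.100.7", b"GET / HTTP/1.1\r\n" + OK),
    ("203.0.113.10", b"GET /?q=a HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("203.0.113.11", b"GET /?q=b HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("192.0.2.55", b"GET /?q=c HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("192.0.2.56", b"FOO / HTTP/1.1\r\n" + OK),
    ("192.0.2.57", b"GET /\xff\xfe HTTP/1.1\r\n" + OK),
]

if __name__ == "__main__":
    for sig, (count, ips) in summarize(SAMPLE).items():
        print(sig, "requests:", count, "distinct IPs:", ips)
```

In the sample, three different source addresses each send one request, so a per-IP counter sees nothing unusual, while the shared missing-header signature accounts for all three.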

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.