Telegram Hack Blamed On China Coincides With Hong Kong Protests

Telegram was hit by a distributed denial of service (DDoS) attack on Wednesday (June 12). The cyber attack took place as protesters used the app to communicate during protests in Hong Kong.

The attack appears to have affected Telegram’s 200 million users across the Americas and “some other countries,” who “may experience connection issues,” the messenger firm said in a tweet on Wednesday. It confirmed that user data was safe.

A DDoS attack doesn’t usually intend to steal customer data–instead it aims to take a service offline or render it useless by flooding it with traffic so people can’t access it. Telegram compares a DDoS attack to ordering multiple McDonald’s meals at once.

“Your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you–and each is ordering a whopper,” Telegram said.

It went on to explain: “There’s a bright side: all these lemmings are there just to overload the servers with extra work–they can’t take away your Big Mac and coke. Your data is safe.”

From China

But this attack does have a sinister side. Telegram founder and CEO Pavel Durov said most of the IP addresses orchestrating the attack were from China. “Historically, all state actor sized DDoS (200-400 GB/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he said in a tweet.  

After a weekend of peaceful demonstrations, protests had become violent in the early hours of June 10, as several hundred protesters clashed with police outside the city’s parliament.

Protests had continued through June 12 with people gathering outside government headquarters in Hong Kong to oppose a plan that would allow criminal suspects to be extradited to China for trial.

The protests were organized predominately on Telegram and similar apps including WhatsApp. Telegram is particularly useful because while it is encrypted, it allows people to create groups of up to 200,000 users and also includes the ability to broadcast to an unlimited audience.

According to the South China Morning Post, the role of Telegram in the protests was made obvious when a Telegram group administrator was arrested for conspiracy to commit public nuisance on Tuesday (June 11) night. It is alleged that the man had been communicating with 30,000 users, who were planning to charge the Legislative Council Complex and block neighboring roads.

Meanwhile, the Chinese state-backed newspaper China Daily said the protests actually took place in support of the Bill.

Behind the attack

Ian Thornton-Trump, security head at AMTrust Europe, says that if China is to blame, the tactical approach taken by attackers makes sense. “Disruption of communication and coordination services used by the protesters would be part of a tactical response. It’s all part of a standard regime response we have seen during the Arab spring.”

“Cyber weapons and techniques can be applied externally to adversaries as well as internally to control non-compliant groups inside a country,” Thornton-Trump says. “As both the protests and U.S. trade tariffs take effect it’s likely China will get even more aggressive in cyber and physical space. Public order and a growing economy are two of the most important aspects to China’s government and both seem to be deteriorating.”

If China was responsible, Thornton-Trump also suggests a more nefarious motivation for the attack: “Maybe because the Chinese government couldn’t intercept Telegram, it chose to DDoS it to force the leaders of the protest to use communication means which are less secure: ‘If you can’t intercept it, disrupt it.’”

“The Chinese have recognized the power of cyberspace for many years and have developed a sophisticated cyber capability as part of their national defense network,” says Philip Ingram MBE, a former colonel in British Military Intelligence.

“It consists of two elements: one piece gathering information from cyberspace, cyber spying and another very capable element with an offensive capability. With Hong Kong lying outside the Chinese national firewall, there will be significant national assets targeted to ensure they have maximum 'control' over servers into and out of Hong Kong as part of a wider monitoring capability.”

Ingram says he is “not surprised that the Chinese have [allegedly] carried out a DDoS attack on the Telegram servers to try and disrupt the coordination of the protests.”

It shows two things, he says: “China's resolve to deal with protests in any way they can and that China is not afraid to use offensive cyber capabilities against commercial entities to protect Chinese interests.”