Nigeria’s leading investigative newspaper, PREMIUM TIMES, suffered intensive cyber attacks between Saturday and Tuesday while it served the world elaborate live updates about Nigeria’s 2015 presidential and national assembly elections.

The attacks were aimed at blocking genuine readers from the site and, ultimately, shutting down the platform.

On Saturday, March 28, the attackers sustained their brutal attack for an unbroken 23 hours, targeting, simultaneously, both the paper’s main website and its innovative election portal.

“The attackers gave up late Tuesday,” Musikilu Mojeed, PREMIUM TIMES managing editor, said. “Their intention was apparently to stop us from reporting the elections the way we did.”

The paper’s coverage of the elections has drawn praises from around the world, with some analysts saying the innovative and sustained approach adopted contributed in blocking rogue politicians and election officials from compromising the electoral process.

The attacks experienced during the coverage are commonly known as “Distributed Denial of Service or DDoS attacks” and included close to thousand botnet computers across Asia, Europe, America and the Middle East.

The attackers started with SYN flooding at 1.6 Million packets per second before quickly escalating to launch a layer 7 – or application layer DDoS – that lasted 23 hours and peaked at 200 Megabytes per second.

Layer 7 DDoS attacks are one of the most complicated form of attacks. It targets a certain part of a website – such as a button or a post – and repeatedly download resources hoping to exhaust the server and shut the site down. It mimics the normal human behaviour making it difficult to isolate from normal website traffic.

Our investigations traced the attacks to servers in Eastern Europe.

Despite the attacks, the website remained largely alive during the brutal onslaught, serving clean traffic to several millions of genuine readers who followed the elections from all parts of the world.

Long suffering

According to the paper’s editors, PREMIUM TIMES has remained a consistent victim of cyber attacks.

As the paper grew in influence and readership, attackers also revved up their onslaughts.

Lessons learned in the several attacks since 2012 have helped the paper to review its operation and fortify its platform. Keeping the website alive and fending off ruthless hackers have been technically demanding and expensive.

“At first, they launched attacks against us from standard computers in Abuja and Lagos. But they quickly graduated to Eastern Europe and we began receiving intense attacks from Russia and Ukraine,” Mr. Mojeed said.

He added that these same attackers, who came for the soul of the website on Election Day, had earlier launched a two-week long intensive attack to down the website in December 2014.

Mr. Mojeed said the Election Day attacks were not totally unexpected.
“The attacks usually follow a big story,” he said. “But the intensity of the election reporting attacks were shocking. Our team worked round the clock for four days monitoring and mitigating the attacks.”

Hours after the paper announced the launch of its Election Centre, three days before voting started, Nigeria’s secret police, the State Security Service, issued a stern warning to “groups” planning to publish election results ahead of the Independent National Electoral Commission, INEC.

Publishing election results as announced by INEC [not ahead of INEC] at polling units across the country was central to PREMIUM TIMES’ live blogging of the presidential and national assembly elections.

It is unclear whether the Nigerian authorities had a hand in the attacks the paper suffered in a bid to stop it from publishing results declared by INEC officials at polling units.

Attack as a service

The botnet that hit the site can be bought as a service in Russian underground forums.

The forum sells a combination of “services” including VPN – Virtual Private Network – services to hide attack locations.

Our investigations revealed that the attacks could cost at least 300 USD per day for basic types against protected sites such as PREMIUM TIMES.

The attack industry comprises of criminals who write viruses that compromise millions of machines around the world to install botnets that are used for the attacks.

Another level of criminals buy time on these compromised servers and re-sell to clients that range from businesses to governments.

Usually, clients seeking to down targeted web infrastructure outsource attacks to criminal organizations that perform attacks as a service.

The criminals, who carried out the attacks on PREMIUM TIMES, appear to have a big part of the infection in Thailand and Vietnam.

“It is not clear who is paying for these attacks, but we are certain they are not doing it for fun,” Mr. Mojeed said.