Telegram Messenger Hit by DDoS Attack Originating from China
Popular instant messaging application Telegram took to Twitter to inform its users about an ongoing Distributed Denial of Service (DDoS) attack which lead to the app partially becoming unusable. In this briefing we will briefly look at what DDoS attacks are and then focus on why Telegram was likely targeted and how the attack fits into the broader context of cyber warfare.
On June 12th 2019, Telegram released an official statement saying that they were being targeted by a large scale DDoS attack which they believed to be originating from China. The company took steps to mitigate the impact but the messenger was intermittently not available to some users.
The company implicates China in the attack since the IP addresses that the attacks originated from belong to the country. Their claim has weight to it due to the sheer amount of data consumed by the attack. While it is theoretically possible for a non-governmental criminal organization to hijack servers and perform such an attack, state actors are significantly more common at this scale.
What is a DDoS attack?
A DDoS attack sends vast amounts of requests to a server in order to overload it. In physical terms, imagine if you would want to prevent someone from receiving a letter. You could try to intercept the letter (MITM attack) or you could theoretically mail that person millions of junk letters in similar envelopes. The actual letter would be lost in the several trucks full of mail the target receives and thus effectively not reach its target. DDoS attacks are essentially this approach taken to the digital realm.
Why was Telegram targeted?
Telegram is being used heavily to coordinate the ongoing protests and riots in Hong Kong. The protests are aimed at legislation that would allow for Hong Kong citizens to be extradited to Taiwan or China. The law is widely unpopular among the population of Hong Kong. In this light, both the government of Hong Kong and China have vested interests in dispersing the protests. Blocking access to Telegram is one method to further that goal.
Where is the Cyber Warfare Line?
This DDoS attack raises an interesting question on what constitutes a regular cyber attack and what constitutes cyber warfare. This distinction is mostly of academic interest at this point in time but may well grow more important in the future.
Cutting the lines of communication of an enemy faction is a core element of warfare. Historically this has taken many forms; from intercepting messengers to cutting telegraph and telephone lines to jamming radio transmitters. Many military conflicts and putsches have been won or lost by the ability to effectively disrupt the other party’s communications.
In this light, the DDoS attack against Telegram straddles an interesting line. On one hand, it was only a mildly effective cyber attack against a messaging service. On the other hand, it was likely an attack performed by a state actor to disrupt the organization of protesters against it. Of course, Hong Kong is neither in a state of war nor in a state of putsch at this point in time but such lines are fuzzy.
As cyber warfare evolves and becomes a more and more used tool in the arsenal of state actors, we expect many actions to follow the template of this DDoS attack. Some of them will be plainly “just hacking”, some of them will be plainly “cyber warfare” and many of them will fall into the grey zone in between.