The International Press Institute (IPI) today warns that an unprecedented wave of cyber-attacks predominantly targeting independent media outlets in Hungary in recent months represents a serious and growing threat to the free flow of information in what arguably is already the European Union’s worst country for press freedom.
Since April 2023, at least 40 different media websites in Hungary have faced Distributed Denial of Service (DDoS) attacks, a form of cyber-attack which temporarily slows or crashes websites by overloading their servers with millions of simultaneous access requests, leaving readers unable to access news and information for hours at a time.
While the specific motive of these attacks remains unconfirmed, the majority of portals targeted in the DDoS attacks include many of the country’s leading independent media, including Telex, HVG, 444.hu, Magyar Hang, and Népszava, which are critical of the government of Prime Minister Viktor Orbán. International media companies hit by hackers include Forbes Hungary.
To date, no media outlet supportive of the ruling Fidesz party has been targeted in the current wave of attacks, according to IPI assessments, indicating a political or ideological motive. Index.hu, a formerly independent publication considered co-opted by, though not overtly supportive of, the government, was also targeted. In some cases, media were targeted for simply reporting on DDoS attacks against others, as in the case of Media1.
While the attacks initially appeared to be isolated incidents, the frequency and severity of the attacks increased in May and June and have caused serious damage and disruption to news websites. In addition to undermining readers’ access to news and information, DDoS attacks also result in financial losses for media companies due to diminished advertising revenue.
Many of the targeted websites were left inaccessible to readers for hours at a time, either until website administrators were able to minimize the damage or the DDoS attacks – which can require considerable costs to execute – were halted by the hackers. Waves of attacks have mostly occurred over successive weekends, when IT staff are most likely not to be working.
With more than 40 different media websites targeted, some multiple times, this campaign of DDoS attacks is understood to be one of the broadest cyber-attacks against an independent media community within a European Union member state to date, according to IPI’s analysis.
While some of the media involved have filed police reports, investigations have so far yielded no discernible progress. Police are understood to be investigating cases individually, rather than as part of a unified national investigation. The perpetrators of DDoS attacks are notoriously challenging to identify due to the variety of tools available to attackers to remain anonymous.
While no actor has claimed responsibility, the hacker or hackers appear to go by the nickname HANO – an acronym in Hungarian for a type of disorder which affects the human body. In recent months, they have also left messages in Hungarian behind in the code of attacks, indicating that they are being coordinated domestically, rather than by foreign actors. The attacker appears to demonstrate a knowledge of the Hungarian media landscape and individual journalists.
In other cases, messages were left in the code of DDoS attacks which warned of future attacks against certain media, only for those attacks to then be carried out at the precise date and time. The costs associated with this scale and duration of DDoS attacks, continuing over several months, also indicate that those responsible are relatively well-funded, according to experts.
Although IPI referred some independent media outlets in Hungary to Cloudflare’s Project Galileo – which provides cyber defences by redirecting overload attempts to its own servers – the attackers have found new ways to crash or drastically slow down websites. This further indicates the sophisticated offensive cyber capabilities of those responsible.
Major democratic and security threat
The DDoS attacks so far appear to follow a pattern of targeting critical and independent media websites and were in some cases aimed at smothering access to certain types of news reporting or investigations. In some cases, DDoS attacks began less than half an hour after the publication of reports critical of the government or entities connected to it.
Examples include a critical report about journalists from independent media not being allowed into a government press conference, or a critical report about the pro-government propaganda outlet Megafon. None of the attacks appear so far to be extortionate in nature, but rather intended to cause maximum disruption.
IPI Deputy Director Scott Griffen said the months-long DDoS campaign represented an insidious form of digital censorship and another form of pressure against critical and independent media in Hungary. He warned that while the current cyber-attacks were worrying enough for media freedom, the potential for them to be weaponized during elections in Hungary – when access to factual and independent journalism is more vital than ever – could also pose a major threat to election integrity and democracy.
“The potential for cyber attackers to cause major obstruction for citizens’ access to independent news reporting during periods like elections or protests is clear”, he said. “What we have been seeing in recent months could be the probing for weaknesses in advance of a major coordinated attack, which is why authorities need to act now to identify and put a halt to this democratic and security threat”, he said.
“IPI today calls on Hungarian law enforcement authorities to consolidate investigations into one major national probe, assisted by expert cybercrime officers and if necessary, intelligence agencies, aimed at identifying the source of these cyber-attacks, what their motive is, and how they are funded. Those responsible should face serious criminal cybercrime charges for their obstruction of free speech online and attacks on important media infrastructure.”
Griffen also called for greater international attention, particularly from the European Union, to the DDoS attacks against media in Hungary and the democratic threat they pose.
While multiple motives for the attacks were possible, he said, another theory could be that they are aimed simply at undermining business operations of independent media companies. DDoS attacks have led both to a loss of advertising revenue and forced some media to invest in stronger cyber defense capabilities, hitting balance books of the smaller news outlets in particular. Independent media in Hungary continue to face major threats to their viability.
DDoS attacks are not new to Hungary. In 2022, the website of the united opposition movement was hit with a powerful DDoS attack as it was in the process of conducting its pre-election for the nominee for Prime Minister. Around the same time, independent media platforms also faced isolated DDoS attacks. In July 2023, the website of the Budapest Pride was crashed for hours on the day it was due to hold LGBTQ+ events in the capital. In a recent attack on Hungarian outlet Media1, the attacker also left messages in the code which admitted that they were responsible for carrying out the attack on the Pride website.
In March 2022, several news websites belonging to right-wing and conservative media supportive of the government were also hit by hackers claiming to be from Anonymous, with the justification that the media were supporting Russia’s war on Ukraine. At the time, the DDoS attacks drew a strong statement from the then Justice Minister Judit Varga. By contrast, no government official has yet condemned the attacks on independent media. The perpetrators of the 2022 cyber attacks were never identified.
Although DDoS attacks affect major media companies around the world, including in Europe in recent months, the financial resources and specialized security apparatus available to larger media companies mean that such cyber attacks are frustrating but cause little disruption.
DDoS attacks are broadly aimed at identifying and then exploiting vulnerabilities in website and server systems. They work by flooding these systems with what appears to be legitimate internet traffic from multiple locations, which overwhelms bandwidth or server capacity, significantly slowing or crashing websites. Efforts to protect against DDoS generally involve blocking the IP addresses of illegitimate access requests. Often this means mitigating attacks rather than stopping them outright. Attacks can be carried out via botnets – networks of infected computers and other digital devices around the world – making it very difficult to trace the perpetrators.
Media1 has been tracking the DDoS attacks on its website. IPI has been documenting these cases on the Mapping Media Freedom (MMF) platform and the Council of Europe Platform for the Safety of Journalists.
IPI has been working with our members and other independent media organizations in Hungary in recent months to help bolster their cyber-security defences.