
Telegram Traces Cyber Attack to China During Hong Kong Protests - JumpCrisscross
https://www.bloomberg.com/news/articles/2019-06-13/telegram-traces-cyber-attack-to-china-amid-hong-kong-protests
======
FDSGSG
While it's very likely these attacks are related to HK protests, it's simply
not true that Telegram has "traced" this attack to China.

"IP addresses coming mostly from China" accurately describes most botnets,
this tells us essentially nothing about the attackers.

~~~
wyuenho
"Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we
experienced coincided in time with protests in Hong Kong (coordinated on
@telegram). This case was not an exception."

At a certain point, you have to declare the correlation is actually a
causation.

[https://twitter.com/durov/status/1138942773430804480?ref_src...](https://twitter.com/durov/status/1138942773430804480?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1138942773430804480&ref_url=https%3A%2F%2Fwww.theverge.com%2F2019%2F6%2F13%2F18677282%2Ftelegram-ddos-attack-china-hong-kong-protest-pavel-durov-state-actor-sized-cyberattack)

~~~
FDSGSG
That doesn't really change anything I said, pointing out the correlation is
very different from tracing the attacks. A better headline for this story
would've been "Telegram Faces Cyber Attack During Hong Kong Protests"

FWIW 200-400Gb/s is mildly sophisticated teenager-sized, but perhaps that's
who the state actors are paying.

~~~
leavjenn
Correct me if I'm wrong: Telegram has been blocked in mainland China. So if
normal Chinese botnets want to DDoS Telegram, they will be blocked by GFW
first. So how did these botnets succeed? Does that mean they are "special"?

~~~
FDSGSG
GFW has many ways of blocking things, I would assume that they just aren't
blocking all traffic to telegram IPs.

~~~
parsadotsh
Pretty sure they are.

~~~
FDSGSG
Are they actually blocking outgoing packets to the IPs or injecting RSTs or
blocking incoming packets from those IPs? I don't have a Chinese connection to
test from right now.

~~~
brianpgordon
My understanding is that it's a heterogeneous system that does different
things for different people at different times.

Looks like Wikipedia has some technical details-

[https://en.wikipedia.org/wiki/Great_Firewall#Blocking_method...](https://en.wikipedia.org/wiki/Great_Firewall#Blocking_methods)

------
tomglynch
I run a group of telegram bots for helping to moderate these large telegram
groups. A quick look through the logs shows mostly a lot of marijuana for sale
in Dutch and a heap of cryptocurrencies preventing spam attacks. Having said
that, as the bots are used in hundreds of groups I wonder what analysis I
could do on the data.

~~~
Robadob
When I visited Ukraine, a friend pointed out lots of graffiti advertising
people that sell drugs on Telegram.

~~~
kzzzznot
Don’t these methods of selling drugs mean the police can really easily
infiltrate/perform a ‘sting’ operation? How do they verify the buyer and
protect themselves from this?

~~~
wp381640
In Ukraine and Russia dead-drops as a method of delivery are common. They also
use the postal system just like regular dark web markets; what Telegram groups
and contacts replace is the actual market part, reputation scoring and escrow.

~~~
onemoresoop
Interesting. I didn't know what dead-drops were. Here's the wikipedia entry:
[https://en.wikipedia.org/wiki/Dead_drop](https://en.wikipedia.org/wiki/Dead_drop)

------
majia
You can probably "trace" most cyber attacks to China. Among all countries, it
is comparatively easy for hackers to build a large botnet in China and use it
to attack third parties because there are many unsophisticated Chinese
internet users.

China could be behind this attack, but tracing IP addresses is really
meaningless here.

~~~
supertiger
Bloomberg is growingly anti China. Rigorous political-unbiased journalism is
hard to find even in the US.

------
tomglynch
On another note, did any other services go down or have trouble during this
period? What other methods of communication are people on the ground in Hong
Kong using?

~~~
threeseed
More interesting question is how many of those popular services in HK had good
availability during the protests.

Because it would be a pretty good indicator of which ones the Chinese
government had already intercepted.

~~~
spacehunt
WhatsApp, Facebook, Gmail etc were all working fine without issue yesterday.
The local TV stations were all livestreaming on Facebook and I set up a
monitor with Chromecast in the office for my colleagues to keep up to date
throughout the day.

Hong Kong isn't inside the GFW.

------
fabioyy
200-400 gigabit/s is not that huge.

