Cyber Attack on the Internet Archive: A Deep Dive

 

On October 9th, 2024, the nonprofit Internet Archive, home to the famous Wayback Machine and a vast digital library, found itself under siege. The organization announced on social media that its website was suffering the effects of a devastating distributed denial-of-service (DDoS) attack that had begun the previous day.

The attack didn’t just impact the main archive.org website – the Internet Archive’s other free services, including the Wayback Machine and Open Library, were also inaccessible, returning a “503 Server Unavailable” error. In a message posted to his Twitter account, Brewster Kahle, the founder and digital librarian of the Internet Archive, acknowledged the ongoing attack, stating: “Yesterday’s DDOS attack on Internet Archive repeated today. We are working to bring archive.org back online.”

The news of the outage quickly spread across the internet, with one user on the r/DataHoarder subreddit posting a screenshot of the archive.org website showing only a black screen, commenting: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened.”

The user’s comment referenced the website Have I Been Pwned (HIBP), where individuals can check if their personal information has been compromised in a data breach. This raised concerns that the attack on the Internet Archive may have involved more than just a simple DDoS, potentially leading to the theft of user data.

As the situation unfolded over the following days, a complex and multi-faceted attack on the Internet Archive began to emerge, involving not just a crippling DDoS, but also a website defacement and a breach of user credentials.

The Anatomy of the Attack

The attack on the Internet Archive appears to have consisted of three main components:

1. Distributed Denial-of-Service (DDoS) Attack

The initial phase of the attack was a large-scale DDoS assault, overwhelming the Internet Archive’s servers with bot-driven traffic to the point where the website became inaccessible. This is a common tactic used by cybercriminals and hacktivists to disrupt the operations of their targets.

2. Website Defacement

While the DDoS attack was underway, the attackers also managed to deface the Internet Archive’s website, injecting malicious JavaScript code that displayed a warning message to visitors. This type of attack, known as a “defacement,” is often used by hackers to deliver a political or ideological message and to demonstrate their ability to compromise the target’s systems.

3. Data Breach

In addition to the DDoS and website defacement, the attackers also managed to breach the Internet Archive’s user database, stealing usernames, email addresses, and encrypted passwords. This type of data theft is a common goal of many cyber attacks, as the stolen information can be used for further malicious activities, such as identity theft or targeted phishing campaigns.

The Attackers: SN Black Meta

Responsibility for the attack was claimed by a group or individual calling themselves “SN Black Meta.” In a series of lengthy posts across various social media platforms, SN Black Meta stated that the attack was “retribution for a genocide that is being carried out by the terrorist state of Israel.”

The group’s statements attempted to justify the attack by claiming that the Internet Archive, despite being a nonprofit organization, is “tied to the American government” and “created specifically to conduct mass surveillance.” They also cited the legal battles between the Internet Archive and several major publishing houses as further evidence of the organization’s alleged ties to the U.S. government and corporate interests.

However, these claims appear to be largely unfounded and seem to be an attempt by the attackers to provide a political or ideological motivation for their actions. The Internet Archive is a widely respected and independent digital library that has long been a target of criticism and legal action from the publishing industry, but there is no evidence to suggest it is a front for government surveillance or American imperialism.

Connections to Anonymous Sudan

As the investigation into the attack progressed, researchers began to uncover potential links between SN Black Meta and a previously active hacktivist group known as Anonymous Sudan.

According to a report by the cybersecurity firm Cyber CC, there are several striking similarities between the two groups, including:

– The modus operandi of the groups, which both engage in DDoS attacks, website defacement, and data breaches

– The use of broken English, Russian, and sometimes Arabic in their communications

– The visual style and heavy use of artificially generated images in their posts

– The claim of originating from Russia, which may or may not be true

The report goes as far as suggesting that SN Black Meta is a “blatant rebranding” of Anonymous Sudan, with the two groups potentially sharing the same core members and leadership.

Anonymous Sudan was a notorious hacktivist group that gained attention for several high-profile attacks. Despite its name suggesting an origin in Sudan, the group started off as a Russian collective and maintained close collaborations with other Russian hacker groups, such as Killnet.

As Anonymous Sudan’s activity began to wane, SN Black Meta started to emerge, raising the possibility that the two groups are one and the same, with the latter serving as a rebranded and more active iteration of the former.

The Motivations Behind the Attack

While SN Black Meta has attempted to frame the attack on the Internet Archive as a response to perceived injustices and political grievances, the true motivations behind the assault may be more complex and multifaceted.

One possible factor is the ongoing legal battles between the Internet Archive and several major publishing houses. In 2020, four publishing giants – Penguin Random House, Hachette, HarperCollins, and Wiley – sued the Internet Archive over its digital lending practices, which the publishers claimed were a violation of copyright law. Last year, the music industry behemoths Universal Music Group, Sony Music, and Concord also sued the Internet Archive for $621 million in damages for copyright infringement.

These legal conflicts may have provided a convenient pretext for the attackers to target the Internet Archive, even if their stated political grievances were not the primary driver behind the assault. By framing the attack as a response to the organization’s perceived ties to the American government and corporate interests, the hackers may have been seeking to garner attention and support from sympathetic activists and online communities.

Another potential factor is the growing trend of “attention-seeking” cyber attacks, where the primary goal is not necessarily to cause lasting damage or disruption, but rather to generate publicity and boost the profile of the attackers. As cybersecurity researcher Cyber U eloquently put it, “This is about information manipulation and reputation building way more than it ever was about conducting the attack.”

In the days following the attack, SN Black Meta faced significant ridicule and criticism for its convoluted and often incoherent justifications. However, the group did not back down, continuing to post lengthy explanations and conspiracy theories to defend their actions. This suggests that the attackers may have been more interested in generating controversy and drawing attention to themselves than in actually disrupting the operations of the Internet Archive.

The Impact and Aftermath

The attack on the Internet Archive had a significant impact on the organization’s operations and the broader digital preservation community. While the Internet Archive’s data was ultimately not corrupted, the DDoS assault and website defacement disrupted the organization’s services for several days, preventing users from accessing the Wayback Machine and other vital resources.

In the aftermath of the attack, Brewster Kahle provided updates on the situation, confirming the three-pronged nature of the assault: the DDoS attack, the website defacement, and the breach of user credentials, including salted and encrypted passwords.

The Internet Archive worked quickly to restore its systems, with the Wayback Machine coming back online in a provisional read-only mode within a few days. However, the full functionality of the website was not expected to be restored for some time, as the organization needed to upgrade its internal systems to address the vulnerabilities exploited by the attackers.

The data breach, in particular, was a major concern, as the stolen user information could potentially be used for further malicious activities, such as targeted phishing campaigns or identity theft. The Internet Archive urged users to change their passwords and be vigilant about any suspicious activity related to their accounts.

Beyond the immediate impact on the Internet Archive, the attack also raised broader concerns about the vulnerability of digital libraries and archives in the face of increasingly sophisticated cyber threats. The Internet Archive, which serves as a vital resource for researchers, historians, and the general public, is just one example of the critical infrastructure that is at risk of such attacks.

The incident also highlighted the complex and often murky world of hacktivist groups, where political or ideological motivations can sometimes serve as a cover for more self-serving agendas. The potential links between SN Black Meta and the previously active Anonymous Sudan group suggest that these types of actors are constantly evolving and rebranding, making it challenging for cybersecurity professionals and law enforcement to track and mitigate their activities.

Conclusion

The cyber attack on the Internet Archive serves as a stark reminder of the threats facing digital institutions in the 21st century. While the motivations behind the assault remain murky, the multi-faceted nature of the attack, involving a crippling DDoS, website defacement, and data breach, underscores the sophistication and tenacity of modern cyber threats.

As the Internet Archive works to recover and strengthen its defenses, the broader digital preservation community must continue to prioritize cybersecurity and resilience. The protection of vital online resources, such as the Wayback Machine and other digital archives, is crucial for safeguarding the collective memory and knowledge of our increasingly digital world.

The lessons learned from this incident will undoubtedly shape the future of digital library security, as organizations strive to strike a balance between accessibility and robust protection against malicious actors. In an era where information is power, the battle to defend our digital institutions has never been more important.

 
