Overview of Project Galileo

As the world moves online — a factor accelerated by COVID-19 — access to powerful cybersecurity tools is a critical aspect for organizations around the world. For those who work in areas such as human rights, journalism, independent media, education and social justice, the security of information, accessibility of online platforms and ability to stay online against powerful enemies can be of utmost importance. Our goal at Cloudflare is to help build a better Internet. Part of that goal is helping those who are disproportionately targeted by cyberattacks due to their critical work.

We started Project Galileo in 2014 to provide free services to vulnerable groups on the Internet who might otherwise be in danger of being silenced by cyberattacks. Every year, we celebrate the anniversary of Project Galileo with updates on how the project has grown and share the latest insights and trends in an effort to create best practices so that organizations can be safer online. Since we operate one of the largest global networks, we have the ability to provide organizations and those who work in supporting these groups on the types of attacks that they face with the hope of better securing them online. To learn more about some of these stories, visit our Project Galileo 7th anniversary blog post.

Highlights of the past year

• There are five times as many cyberattacks against all Project Galileo sites compared to our update last year, with 13 billion attacks between August 2020 and March 2021. This is an average of 53 million cyber attacks per day in the past eight months.
• Journalism, human rights and health organizations saw significantly more attempts at exploiting security vulnerabilities compared to distributed denial of service traffic.
• In the past year, we have seen that hackers continue to run their tools to attack websites protected under Project Galileo with a majority of attacks exploiting SQL injection vulnerabilities, user agent anomaly, and fake search engine bots.
• For human rights organizations, we saw that 53% of attacks mitigated by the Web Application Firewall were by attackers trying to exploit SQL injection vulnerabilities.

Global Coverage of Project Galileo

In the past year, we have seen a 50% increase of those protected under the project with more than 1,500 organizations in 111 countries. Currently, we have 40 civil society partners who we work with to identify in-need, at-risk websites that look to Cloudflare for inclusion in the project.

Traffic Trends

Last year, we reported a sevenfold increase in traffic to independent media and journalism websites under Project Galileo, with a steep increase at the beginning of the COVID-19 pandemic. This year, we wanted to see if there were similar traffic trends and if there were trends when it came to the different types of organizations we protect. For many organizations, the events of the past year have opened a new world of public engagement as planned in-person events shifted to online, allowing organizations to truly open up a global conversation and reach new audiences. For others, it puts a strain on them with already small and limited IT resources in remote areas of the world. This year, we see these spikes in traffic to a range of groups, as a majority of them moved their operations online.

Since we protect a range of organizations, we wanted to identify three categories of organizations to gain a better understanding of traffic trends and attacks they experience. We chose journalism, human rights and health organizations due to their essential role in reporting on events of the past year, providing direct support to those in need as well as how they shape the response to public health emergencies.

Cyberattacks against organizations under Project Galileo

Application layer attacks or layer 7 (L7) DDoS attacks are particularly effective due to their consumption of server resources in addition to network resources. Denial of service attacks are simple to perpetrate and enable attackers to take websites offline so that legitimate users cannot access them. Malicious denial of service attacks are prevalent, but also unexpected influxes of traffic to these websites from legitimate users. For example, a journalism site that publishes a story on government corruption attracting millions of visitors to the website, can cause the site to crash. For organizations that may not have the resources or expertise to combat these large scale attacks, that is where Cloudflare can help. Cloudflare automatically detects and mitigates DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. In the graphs below, we provided the percentage of the total number of Layer 7 DDoS traffic requests for each group.

Independent media and journalism organizations make up a majority of the domains protected under the project, as they are targeted due to their work in ensuring a free and informed society and can take many forms around the world. In March 2020, the Cybersecurity & Infrastructure Security Agency (CISA) in the United States classified "workers who support radio, television, and media service, including, but not limited to front-line news reporters, studio, and technicians for newsgathering, and reporting, and publishing news" as essential critical infrastructure workers. As many people turn to local news outlets, especially in the time of crisis, it is important for these groups to have a reliable platform to distribute real time updates and trends on the ongoing pandemic and governments' COVID response around the world.

Over the last nine months there were more than seven billion cyberattacks against Project Galileo journalism and media sites, equating to over 30 million attacks per day against this group. We see these attacks as attempts to both exploit security vulnerabilities and as distributed denial of service attacks. The goal of a denial of service attack is to make the website inaccessible for legitimate users rather than steal or modify sensitive information. We see both tactics used against organizations protected under the project in the past 240 days on journalism sites.

In the health sector, the global pandemic and vaccine distribution put organizations that provide accurate information related to COVID-19, testing areas and symptom tracking at the forefront. In the past five months, Cloudflare has mitigated one billion attacks on these organizations, an average of 10 million cyber attacks per day. As we identified the types of attacks against health organizations, we found there were significant requests that were blocked by the web application firewall that provide automatic protection from security vulnerabilities.

For human rights organizations, who work on the front lines to promote and protect human rights, privacy and digital security is crucial for their safety and operations. In the past eight months we have seen 400 million cyber attacks on human rights organizations. One factor that we found revealing is that many of the categories we focused on for this analysis (journalism, health and human rights) saw significant attempts at exploiting security vulnerabilities.

Attack Methods

Cyberattacks that aim to repress vulnerable voices by taking them offline can cause havoc for organizational operations. Many times, attackers attempt to steal sensitive information related to civil society operations or human rights groups. This can bring reputational damage and create a sense of mistrust if these platforms are not reliable and secure. While there are dozens of different types of attacks, we identified many similar threats against organizations protected under Project Galileo that were blocked by Cloudflare’s web application firewall. A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. The Cloudflare WAF is one of the most valuable products that is provided to organizations under Project Galileo, due to the ability to automatically block known malicious threats, but also protect against exploiting known security vulnerabilities.

The most common types of attacks we see against organizations protected under Project Galileo:

• SQLi injection: Structured Query Language (SQL*) Injection is a code injection technique used to modify or retrieve data from SQL databases. A successful SQL injection exploit can allow hackers to access sensitive data from the database, make changes to the data and issue commands to the operating system.
• User agent anomaly: A user agent is a “string” that identifies the browser and operating system to the web server. For Cloudflare, we categorize user agent anomalies as attacks that we deem suspicious and work in conjunction with the Browser integrity check and look for common HTTP headers abused most commonly by spammers. We know that most of these “strings” conform to agreed upon conventions (such as browser based user agents, crawlers, etc) so we can easily tell when requests are sent that do not look like what we would expect. At a high level, we look at these types of attacks as the lazy hacker using tools to send HTTP traffic without a user agent that is commonly used by abusive bots, crawlers, or visitors.
• Fake Search Engine bot: These requests claim to be good bots on the Internet. We have verified search crawlers like Google and Bing, but attackers will try to blend fake bots posed as good ones to scan for vulnerabilities or flood the site with traffic. At times, this bot traffic can be malicious, but we also see organizations use this for search engine optimization as a way to test how a verified bot would crawl and index a site on the web.