Overview of Project Galileo

Cloudflare started Project Galileo in 2014 due to the unsettling trend of cyberattacks against organizations that work in human rights, democracy building, journalism, art and media. We saw this with our analysis last year, and for the 8th anniversary this year, we want to share updated insights into trends we've identified against important groups.

For this dashboard, we analyzed data from July 1, 2021 to May 5, 2022 from 1,900 organizations. Project Galileo is a global project, so we separate the dashboard into region-based attack trends for the Americas, Asia Pacific, Europe and Africa/Middle East. Afterwards, we examine the top three types of organizations we protect, community building and social welfare groups, human rights, and journalism/media to understand the threats against these groups and security tools used to mitigate attacks.

Finally, due to the Russian invasion of Ukraine on February 24, we wanted to share insights into attacks we have seen against organizations based in Ukraine that we protect under the project. In a year full of new challenges for so many, we hope that analysis of attacks against these vulnerable groups provides researchers, civil society, and targeted organizations with insight into how to better protect those working in these spaces.

Highlights of the past year

• We continue to see cyberattack activity increase, with nearly 18 billion attacks between July 2021 and May 2022. This is an average of nearly 57.9 million cyberattacks per day over the last nine months, an increase of nearly 10% over last year.
• Mitigated DDoS traffic targeting organizations in Ukraine reached as much as 90% of total traffic during one significant attack in April.
• After the war in Ukraine started, applications to the project increased by 177% in March 2022.
• Journalism and media organizations in Europe and the Americas saw traffic grow ~150% over the last year.
• We see a range of unsophisticated cyberattacks against organizations that work in human rights and journalism. Up to 40% of WAF mitigated requests were classified as HTTP Anomalies, the largest of any WAF rule type, a type of attack that can be damaging to unprotected organizations but is automatically blocked by Cloudflare.
• From July 2021 to May 2022, organizations based in Europe consistently accounted for half to two-thirds of request traffic out of all the regions covered under the project.

Global Coverage of Project Galileo

Snapshot of Region Based Traffic and Attacks

As we have a range of organizations around the world protected under Project Galileo, we wanted to understand if regions have similar traffic and attack trends. We found that organizations based in Europe consistently account for half to two-thirds of request traffic.

Under Project Galileo, we provide Cloudflare's free Business level services, which includes the web application firewall (WAF). The WAF is a valuable tool for organizations as it helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

On a regional basis:

• For organizations in the Americas, WAF mitigated traffic was generally less than 2% of daily traffic, though an attack on February 11 reached 52%.
• For organizations in Asia Pacific, WAF mitigated traffic was generally less than 3% of daily traffic. An attack on July 24 reached 21%.
• For organizations in Europe, WAF mitigated traffic was generally less than 2% of daily traffic, although some spikiness in March & April pushed it to 5-7%. An attack on September 16 reached 14%, another on December 15 reached 22%, and one on March 13 reached 19%.
• For organizations in Africa/Middle East, WAF mitigated traffic was very active between the end of July and the end of October, reaching as much as 12% of traffic. Otherwise, during quieter periods, it accounted for less than 1% of total traffic.

For DDoS attacks, we classify this as traffic determined to be part of a Layer 7 (application layer) DDoS attack. Such attacks are often malicious request floods designed to overwhelm a site with the intention of knocking it offline. We block the requests associated with the attack, ensuring that legitimate requests reach the site, and that it stays online.

Through March 2022, mitigated traffic generally accounted for well under 1% of daily traffic. However, with the onset of the Russian invasion of Ukraine and the onboarding of additional customers from Ukraine, this has reached as much as 10% of aggregate traffic over the last few months. A DDoS attack on September 27 drove DDoS mitigated traffic to reach 41% of overall daily traffic, another on December 29 accounted for 58%, and one on April 19 amounted to 45% of total daily request traffic.

On a regional basis:

• For organizations in the Americas, DDoS mitigated traffic remained well below 1% of daily traffic. The primary exception was an attack on September 27 where it reached just under 70%.
• For organizations in the Asia Pacific, DDoS mitigated traffic remained well below 1% of daily traffic. The primary exception was an attack on March 30 where it reached just over 10%
• For organizations in Europe, DDoS mitigated traffic remained well below 1% of daily traffic until late February and the onset of the war in Ukraine. Since then, it has regularly spiked to as much as 10%, reaching as high as 57% on April 19.
• For organizations in Africa/Middle East, DDoS mitigated traffic has remained well below 1% of daily traffic.

When calculating the change in traffic, we are using the average daily traffic (number of requests) of the first two weeks of July 2021 as the baseline. For traffic change to domains under Project Galileo, aggregated across all regions, we see the average traffic has grown ~20% over the last year.

On a regional basis:

• For organizations in the Americas, average traffic was flat throughout the back half of 2021, and dropped by about 40% December through March. It picked back up again in April.
• For organizations in Asia Pacific, average traffic volumes have dropped by around 30% over the last year.
• Average traffic volumes for organizations in Europe were up about 20% ahead of the start of the war in Ukraine. Due to rapid onboarding of organizations in Ukraine and neighboring countries due to the Russian invasion, it pushed traffic growth to nearly 2x baseline at the beginning of March. It has since settled to 25-30% above baseline.
• Traffic volumes for Africa/Middle East displayed a long-term cyclical pattern, increasing into late August, then dropping into late November, and then gradually increasing again over the last six months.

Attack Methods based on Region

Across the Americas, Asia Pacific, Europe, and Africa/Middle East regions, the largest fraction (28%) of mitigated requests were classified as "HTTP Anomaly", Other top mitigation types were SQL injection attempts (with 20% of mitigated requests) and attempts to exploit specific CVEs, at nearly 13%. CVEs are publicly disclosed cybersecurity vulnerabilities. Cloudflare monitors new vulnerabilities and quickly determines which require additional rulesets to protect our users.

Requests for Web content (HTTP requests) have an expected structure, set of headers, and related values. Some attackers will send malformed requests, including anomalies like missing headers, unsupported request methods, using non-standard ports, or invalid character encoding. These requests are classified as "HTTP anomalies". These anomalous requests are frequently associated with unsophisticated attacks, and are automatically blocked by Cloudflare's WAF.

Across organizations in the Americas, the largest fraction (24%) of mitigated requests were classified as attempted SQL injection. SQL injections can be particularly malicious to organizations under Project Galileo, especially in the case of those who host a database with sensitive information such as refugee data or confidential information such as the whereabouts of activists who have fled authoritarian regimes.

SQLi is an attack technique designed to modify or retrieve data from SQL databases. By inserting specialized SQL statements into a form field, attackers attempt to execute commands that allow for the retrieval of data from the database, modification of data within the database, the destruction of sensitive data, or other manipulative behaviors.

Across Asia Pacific customers, the largest fraction (22%) of mitigated requests were classified as attempted SQL injection, with nearly 18% as attempts to exploit specific CVEs, and 16% as Cross-Site Scripting attacks.

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. The Cloudflare WAF enforces rules that prevent cross-site scripting.

Across Europe organizations, the largest fraction (36%) of mitigated requests were classified as HTTP Anomaly, with 18% of mitigated requests tagged as SQL injection attempts and nearly 13% as attempts to exploit specific CVEs.

Across Africa/Middle East customers, the largest fraction (28%) of mitigated requests were classified as "HTTP Anomaly", with 22% of mitigated requests tagged as SQL injection attempts and 17% mitigated due to classification as bot traffic.

Attacks Methods based on Organization

We protect a range of organizations under Project Galileo. For this dashboard, we categorized them into six groups: community building/social welfare, education, environmental/disaster relief, human rights, and journalism. To help understand threats against these groups, we broke down the types of attacks we saw that were mitigated by the web application firewall. A majority of the mitigated traffic is from HTTP anomalies and SQLi.

• Community building/social welfare organizations were most targeted by attempted SQL injection attacks, responsible for 29% of WAF mitigated requests.
• Education organizations were most targeted by HTTP Anomaly attacks, accounting for 26% of WAF mitigated requests.
• Environment/disaster relief organizations were most targeted by attempted SQL injection attacks, responsible for 20% of WAF mitigated requests.
• Health organizations were most targeted by attempted SQL injection attacks, responsible for 30% of WAF mitigated requests.
• Human rights organizations were most targeted by HTTP Anomaly attacks, accounting for 41% of WAF mitigated requests.
• Journalism organizations were most targeted by HTTP Anomaly attacks, accounting for 40% of WAF mitigated requests.

Deep dive into threats against organizations in community building and social welfare

Under Project Galileo, we protect organizations that we classify as community building and social welfare. A majority of these organizations are non-profits that work to improve the lives of children, raise money for specific causes in the community or provide services to low-income families. Many of these organizations are small, with limited IT staff and budgets for sophisticated security tools.

Organizations in the Americas were responsible for most of the traffic through October 2021. From December onwards, organizations based in Europe drove most of the traffic.

The largest volumes of traffic determined to be malicious and blocked by Cloudflare’s firewall were driven by organizations in the Asia Pacific and Africa/Middle East regions.

There was very little traffic that was classified and mitigated as DDoS, but Asia Pacific organizations have been responsible for the most spikes, while the largest spikes (by traffic percentage) were related to organizations in the Americas and Europe.

Traffic to community building organizations remained consistent, but we observed some significant regional traffic spikes. For organizations in Europe, we saw a traffic spike that reached 26x above baseline at the end of December 2021, after which traffic remained 2-3x above baseline.

Deep dive into threats against human rights organizations

Human rights organizations make up a large percentage of organizations protected under the project. These organizations advocate for human rights through collection of evidence on human rights violations by governments and other actors, as well as promoting respect for these rights in their countries and abroad. Most of the traffic for human rights organizations was associated with organizations in Europe, and to a lesser extent, in the Americas. Organizations in Asia Pacific and Africa/Middle East saw very little traffic.

Although responsible for a minimal amount of traffic overall, organizations in Africa/Middle East had the highest percentage of traffic mitigated by the WAF, ranging between 30-80% between August to October 2021. There was another period of increase to 30% in January and February 2022.

Mitigated traffic identified as DDoS was unpredictable over the last year, representing brief but targeted attacks. Organizations in the Americas saw DDoS attacks reach as high as 30% of traffic. In Europe, we saw fewer spikes, but the attacks that did occur were as much as 35% of traffic.

Traffic to Asia Pacific organizations remained relatively consistent, although it did experience a brief spike to nearly 4x above baseline in November.. In Africa and the Middle East, traffic changes were fairly spiky between July 2021 to October 2022, reaching as high as 4.7x above baseline, but leveled out between October 2021 to January 2022. Traffic again grew to as much as 2x above baseline in January and February before leveling out again in the subsequent several months.

Deep dive into threats against journalism organizations

One of our goals with Project Galileo is to protect free expression online. Journalists and media under the project cover topics such as war and government corruption, and it makes them vulnerable to aggression both online and offline. We found that journalism organizations in Europe were responsible for more than half of the traffic over the last year, with a particular bump noted in late February at the start of the war in Ukraine.

Overall, we see similar trends for each region when examining requests mitigated by the web application firewall, including significant but infrequent spikes in the percentage of traffic that was mitigated by the WAF. Notably, a spike in the Americas in February reached 69% of traffic mitigated. In Europe, we saw two major spikes, one in December reaching just under 30%, and one in March reaching nearly 26%.

For mitigated traffic identified as DDoS traffic, there is a clear increase in this traffic starting in March 2022 for organizations in Europe. This is concurrent with the onboarding of additional customers related to the start of the war in Ukraine. Over the last several months, these organizations have seen frequent DDoS attack activity, often reaching 10-20% of traffic, and spiking to as much as 71% of traffic in April 2022.

Overall, traffic to journalism and media was relatively flat through February. Since then, it has been at ~50% above baseline. Interestingly, traffic for organizations in the Americas has remained relatively flat through March, but there was a significant increase in April and is now ~150% above baseline. Similarly, organizations in Europe saw traffic grow to ~150% above baseline at the end of February, but has declined since then and is now ~30% higher.

Protecting organizations in Ukraine

As the war started in Ukraine, we saw an increase in applications for participation in Project Galileo from organizations looking for our assistance. Many came in while under DDoS attack, but we also saw sites subject to large influxes of traffic from people on the ground in Ukraine attempting to access information on the ongoing war. While traffic from organizations in Ukraine was largely flat before the start of the war, since that time, traffic increases primarily have been driven by organizations that work in journalism and media.

Ahead of the war, organizations that work in community building/social welfare, such as those who provide direct assistance to refugees, or provide donation platforms to support those in Ukraine were responsible for what little traffic that was mitigated by the web application firewall (WAF). However, after the war began, journalism organizations saw the most WAF mitigated traffic, with frequent spikes, including one on March 13 representing 69% of traffic. During this period of increased WAF-mitigated requests that started in late February, the majority of the attacks were classified as SQLi. WAF mitigated traffic for human rights organizations increased in mid-March, growing to between 5-10% of traffic

Mitigated DDoS traffic for organizations in Ukraine was concentrated in the mid-March to May timeframe, with rapid growth in the percentage of traffic it represents. The first spikes were in the 20% range, but rapidly grew before receding, including an attack on April 19 that accounted for over 90% of traffic that day.

Since the start of the war, growth in traffic from protected organizations has varied across the categories. Traffic among Health organizations increased by 20-30x over baseline between late March and later April. Setting aside attack spikes, traffic from Journalism organizations was generally up 3-4x over baseline. Growth in the other categories was generally below 3x.

For traffic mitigated by the web application firewall (WAF), the most frequently applied rule was HTTP Anomaly, associated with 92% of requests. As previously mentioned, these anomalous requests are frequently associated with unsophisticated attacks, and are automatically blocked by Cloudflare's WAF.

With the ongoing war, we continue to onboard and provide protection to organizations in Ukraine and neighboring countries to ensure they have access to information. Any Ukrainian organizations that are facing attack can apply for free protection under Project Galileo by visiting www.cloudflare.com/galileo, and we will expedite their review and approval.