Project Galileo 9th Anniversary

For the Project Galileo 9th anniversary, we wanted to identify the types of attacks organizations protected under the project face to better equip researchers, civil society, and organizations that are targeted with best practices for safeguarding their websites and internal data. With that, we developed a Radar report aimed at highlighting organizations that were the center of public debate in the last year. For this dashboard, we analyzed data from July 1, 2022 to May 5, 2023 for organizations that support LGBTQ+ rights, civil society organizations, pro-choice advocacy and health groups, and organizations in Ukraine.



Project Galileo 9th Anniversary report

The Project Galileo anniversary gives us the opportunity to shed light on the day-to-day challenges organizations face when it comes to keeping their websites online and internal data secure from malicious actors looking to silence them.

We protect a range of organizations across Project Galileo, with 2,200+ domains in 111 countries. These organizations work in areas that include promoting and protecting human rights, assistance and protection for victims of armed conflicts, investigative journalists in authoritarian countries, environmental conservation advocates, nonprofits that promote youth development, and more. We have shared many of their stories in the past but want to dive deeper on the types of attacks we see against these groups with the hope of better equipping researchers, civil society, and organizations with best practices for safeguarding their online presence.

This year we focused on organizations at the center of public debate due to their work: organizations that support LGBTQ+ rights, civil society organizations, reproductive rights and health groups, and organizations in Ukraine.

Our main findings:

  • Between July 1, 2022, and May 5, 2023, Cloudflare mitigated 20 billion attacks against organizations protected under Project Galileo. This is an average of nearly 67.7 million cyber attacks per day over the last 10 months.
  • For LGBTQ+ organizations, we saw an average of 790,000 attacks mitigated per day over the last 10 months, with a majority of those classified as DDoS attacks.
  • Attacks targeting civil society organizations are generally increasing. We have broken down an attack aimed at a prominent organization, with the request volume climbing as high as 667,000 requests per second. Before and after this time the organization saw little to no traffic.
  • In Ukraine, spikes in traffic to organizations that provide emergency response and disaster relief coincide with bombings of the country over the 10-month period.

In this report, we focus on two approaches to attack mitigation: DDoS mitigation and our Web Application Firewall (WAF). DDoS mitigation includes traffic determined to be part of a Layer 7 (application-layer) DDoS attack. Such attacks are often malicious request floods designed to overwhelm a site with the intention of knocking it offline. We block the requests associated with the attack, ensuring that legitimate requests reach the site and that it stays online.

Organizations protected under Project Galileo receive free access to Cloudflare's Business-level services, including our Web Application Firewall, which is a powerful tool to protect web applications from common vulnerabilities, such as SQL injection attacks, cross-site scripting, and more. The WAF is a valuable tool for organizations as it helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

Organizations that support LGBTQ+ rights

LGBTQ+ organizations have been at the forefront of advancing human rights and include advocacy, awareness and education, community outreach, and mental health services. Due to the sensitive nature of their work, LGBTQ+ organizations are often the target of online harassment and hate speech that can be damaging to individuals and the community as a whole.

In the last year, we have seen multiple anti-LGBTQ+ measures proposed into law around the world. The ACLU reported that in the United States, over 120 bills restricting LGBTQ+ rights were introduced as of January 19, 2023. These proposals limit the rights of LGBTQ+ individuals, aim to curtail their freedom of speech, and jeopardize the safety of transgender people, specifically younger generations. There have been similar policies in Uganda, Ghana, Zambia, Hungary, Afghanistan, Mauritania, and Somalia with the goal of restricting the rights of LGBTQ+ people.

Cloudflare protects numerous LGBTQ+ organizations under Project Galileo, including the Trevor Project and Drag Queen Story Hour. To determine the types of online threats experienced by these organizations, Cloudflare analyzed 50 LGBTQ+ organizations around the world, with a majority based in the Americas and Europe.

The protected sites belonging to these organizations see a daily average of 4.93 million requests across all regions, which include Africa/Middle East, Americas, Asia Pacific, and Europe. From July 1, 2022, to May 5, 2023, we found that these groups protected under Project Galileo saw an average of 790,000 attacks each day, the majority of which we categorized as DDoS traffic.

Traffic to LGBTQ+ organizations

We have two categories when we analyze this data — requests that are considered part of a DDoS attack and requests that were mitigated by Cloudflare’s Web Application Firewall.

Despite these persistent attacks, all of the organizations participating in Project Galileo were protected automatically, and were able to remain online. We operate a reverse proxy service, which means that all traffic to your website or application is first routed through Cloudflare's network, where it is inspected and filtered for potential threats. This is important for organizations protected under Project Galileo, as many do not have the expertise, time, or resources to dedicate to a full security team.

Cloudflare found that a majority of the attacks that we saw against these groups were mitigated by our automated DDoS mitigation, with a spike of 69.5 million mitigated requests on November 18, 2022.

Mitigated traffic to LGBTQ+ organizations

Broken down by mitigation technique

Protecting human rights defenders and other civil society organizations

Numerous governments, multi-stakeholder initiatives, and non-governmental organizations have increased their attention on protecting vulnerable voices online, particularly human rights defenders and other civil society activists. In the United States, the Cybersecurity and Infrastructure Security Agency created the Joint Cyber Defense Collaborative (JCDC) with a focus on improving collaboration and information sharing for cyber security across government, private sector, and international partners. We have worked with JCDC in the past on the Athenian Project, dedicated to state and local governments running elections, and were featured in JCDC’s Cybersecurity Toolkit to Protect Elections.

JCDC expanded their efforts in March 2023 to recognize the need for collaboration with private sector and government agencies on ways to enhance cyber security protections for high-risk communities, which include civil society organizations, human rights defenders, advocacy groups, and more. On the advocacy side, there are efforts aimed at promoting policies and regulations that protect civil society groups from digital threats and ensure that their rights to privacy and freedom of expression are respected.

In Europe, we have seen efforts by the European Commission to promote the protection of human rights defenders online with the EU Action Plan on Human Rights and Democracy and partnerships with governments to focus on identifying and mitigating threats faced by human rights defenders online.

We have been protecting civil society organizations since the beginning of Project Galileo in 2014, with many of our civil society partners receiving our protection, as well as collaborating on how we can extend these tools to at-risk organizations. Overall, the nature of the work that civil society organizations engage in, combined with their limited resources and potential for human error, makes them vulnerable to a range of cyber attacks.

We analyzed traffic to 305 civil society organizations across the Americas, Africa/Middle East, Europe, and Asia Pacific. From July 1, 2022, to May 5, 2023, we saw a daily average of 10.95 million attacks against civil society organizations protected under Project Galileo, comprising a combination of DDoS traffic and application-layer attacks mitigated by the Web Application Firewall. We saw a similar volume of requests identified as DDoS traffic and traffic blocked by the Web Application Firewall, with DDoS mitigations averaging 5.03 million per day, and WAF-mitigated traffic averaging 5.92 million per day over the surveyed period.

The relevance of a March 2023 cyberattack

As we reviewed the data, we noticed an interesting attack against an organization related to international law that shows the importance of having security tools in place, even if you do not believe you may be at risk. In this case, the attack took place between March 17 and March 18, 2023. On March 17, an international arrest warrant was issued for Russian President Vladimir Putin and Russian official Maria Lvova-Belova for an alleged scheme to deport Ukrainian children to Russia.

Prior to and after the attack, this organization’s website had little to no traffic. On March 17, traffic requests increased from fewer than 1,000 requests per second to around 100,000 requests per second in a span of four hours, peaking at 19:00 UTC, with a majority of the traffic being mitigated by the Web Application Firewall. Another spike was observed on March 18, peaking at 09:45 UTC at over 667,000 requests per second, nearly all of which were mitigated as DDoS attacks (both of these are represented in the chart, below). During March 18, Cloudflare blocked a total of 844.4 million requests mitigated as application layer DDoS attacks.

This attack highlights a theme that we see every day with Project Galileo. Many organizations may not be aware of the risks of a cyberattack until their website is knocked offline by a DDoS attack. In this case, the organization stayed online during the entirety of the attack and most likely didn’t notice the increase in traffic until after the attack, as traffic returned to normal.

Attack traffic to a global civil society website

Organizations that support reproductive rights and health groups

Pro-choice advocacy groups and health organizations that support reproductive rights have been the latest groups to see an increase in attacks, both physical and online. Although the focus on security for these groups has largely been physical, with violence and threats on the rise before the US Supreme Court's decision to end federal protections for abortions in the United States, there is a growing fear of the online threats to these groups. Due to this unsettling trend, we partnered with Digital Defense Fund, an organization that works to provide digital security tools for the abortion access movement, to extend Project Galileo services to those that support access to safe and legal abortion services and advocacy organizations that work to protect and expand reproductive freedom.

For the report, we sampled 98 organizations, all based in the United States. From July 1, 2022, to May 5, 2023, Cloudflare mitigated 471 million attacks, an average of 1.52 million per day over this 10-month period. Cloudflare’s Web Application Firewall mitigated the majority of the attacks; the balance was handled by other mitigation techniques.

Mitigated traffic to reproductive rights and health organizations

Broken down by mitigation technique

Organizations in Ukraine

We have reported on cyber attacks and Internet resilience in Ukraine for nearly a year and a half now, over the course of the Russian invasion. For Project Galileo, we have seen an increasing number of organizations looking for our help to protect their websites and internal networks from cyber attacks.

Our analysis looked at 81 organizations based in Ukraine, with the majority of them onboarded after the ongoing Russian invasion that began in March 2022. The majority of these organizations are engaged in journalism, independent media, and human rights advocacy. From July 1, 2022, to May 5, 2023, we observed an average of 10.76 million attacks per day against organizations in Ukraine protected under Project Galileo. We classified a majority of these attacks as DDoS, with an average of 7.06 million mitigated daily, with the remaining 3.7 million mitigated by the Web Application Firewall.

When examining mitigated attacks, we see two spikes, both classified as DDoS attacks, that occurred on September 5, 2022, and April 1, 2023. September 5 saw a peak of over 1.6 million requests per second, mitigated as DDoS attacks. During this time, Russia announced that they would shut down the Nord Stream pipeline unless Western sanctions were lifted. On April 1, we saw a peak of nearly 293,000 requests per second mitigated as DDoS attacks. On this day, Russia took over the presidency of the UN Security Council, sparking backlash from the international community.

DDoS mitigated traffic to Ukraine organizations

Mitigated traffic to Ukraine organizations

Broken down by mitigation technique

A development for Project Galileo is the onboarding of organizations that work to provide emergency response services, such as search and rescue operations, emergency medical care, and distribution of essential supplies like food, water, shelter, and medicine in Ukraine. We see spikes in traffic that coincide with bombings across cities in Ukraine by Russian forces.

Breakdown of traffic to Ukraine-based Human Rights organizations

If you are an organization looking for protection under Project Galileo

We know too well that organizations that work to support democracy, accountability, and human rights face an increased rate of cyber attacks because of the sensitive nature of their work. As we celebrate the 9th anniversary of Project Galileo, we want to thank our civil society partners that we work with to offer our protection and engage in ongoing collaboration to keep the vulnerable secure online. With this, we invite organizations looking for the protection provided by Project Galileo to apply at cloudflare.com/galileo/