The International Press Institute (IPI) warns that an unprecedented wave of cyber-attacks predominantly targeting independent media outlets in Hungary in recent months represents a serious and growing threat to the free flow of information in what arguably is already the European Union’s worst country for press freedom.

Since April 2023, at least 40 different media websites in Hungary have faced Distributed Denial of Service (DDoS) attacks, a form of cyber-attack which temporarily slows or crashes websites by overloading their servers with millions of simultaneous access requests, leaving readers unable to access news and information for hours at a time.

While the specific motive of these attacks remains unconfirmed, the majority of portals targeted in the DDoS attacks include many of the country’s leading independent media, including Telex, HVG, 444.hu, Magyar Hang, and Népszava, which are critical of the government of Prime Minister Viktor Orbán. International media companies hit by hackers include Forbes Hungary.

To date, no media outlet supportive of the ruling Fidesz party has been targeted in the current wave of attacks, according to IPI assessments, indicating a political or ideological motive. Index.hu, a formerly independent publication considered co-opted by, though not overtly supportive of, the government, was also targeted. In some cases, media were targeted for simply reporting on DDoS attacks against others, as in the case of Media1.

While the attacks initially appeared to be isolated incidents, the frequency and severity of the attacks increased in May and June and have caused serious damage and disruption to news websites. In addition to undermining reader’s access to news and information, DDoS attacks also result in financial losses for media companies due to diminished advertising revenue.

Many of the targeted websites were left inaccessible to readers for hours at a time, either until website administrators were able to minimize the damage or the DDoS attacks – which can require considerable costs to execute – were halted by the hackers. Waves of attacks have mostly occurred over successive weekends, when IT staff are most likely not to be working.

With more than 40 different media websites targeted, some multiple times, this campaign of DDoS attacks is understood to be one of the broadest cyber-attacks against an independent media community within a European Union member state to date, according to IPI’s analysis.

While some of the media involved have filed police reports, investigations have so far yielded no discernible progress. Police are understood to be investigating cases individually, rather than as part of a unified national investigation. The perpetrators of DDoS attacks are notoriously challenging to identify due to the variety of tools available to attackers to remain anonymous.

While no actor has claimed responsibility, the hacker or hackers appear to go by the nickname HANO – an acronym in Hungarian for a type of disorder which affects the human body. In recent months, they have also left messages in Hungarian behind in the code of attacks, indicating that they are being coordinated domestically, rather than by foreign actors. The attacker appears to demonstrate a knowledge of the Hungarian media landscape and individual journalists.

In other cases, messages were left in the code of DDoS attacks which warned of future attacks against certain media, only for those attacks to then be carried out at the precise date and time. The costs associated with this scale and duration of DDoS attacks, continuing over several months, also indicates that those responsible are relatively well-funded, according to experts.

Although IPI referred some independent media outlets in Hungary to Cloudflare’s Project Galileo – which provides cyber defenses by redirecting overload attempts to its own servers – the attackers have found new ways to crash or drastically slow down websites. This further indicates the sophisticated offensive cyber capabilities of those responsible.

The DDoS attacks so far appear to follow a pattern of targeting critical and independent media websites and were in some cases aimed at smothering access to certain types of news reporting or investigations. In some cases, DDoS attacks began less than half an hour after the publication of reports critical of the government or entities connected to it.

Examples include a critical report about journalists from independent media not being allowed into a government press conference, or a critical report about the pro-government propaganda outlet Megafon. None of the attacks appear so far to be extortionate in nature, but rather intended to cause maximum disruption.