
No observable progress made by Hungarian law enforcement authorities into waves of cyber-attacks targeting media websites in Hungary and beyond
The International Press Institute (IPI) today renews its call for a systematic investigation by the Hungarian National Police’s Cybercrime Department into illegal cyber-attacks against independent media outlets, which growing evidence suggests stem from the same Hungarian-connected hacking group.
IPI calls on the Hungarian specialised cybercrime unit, which is part of the National Bureau of Investigation (NNI), to provide detailed updates on the status of its investigations into a wave of Distributed Denial of Service (DDoS) attacks which targeted media outlets in Hungary and Germany in recent years.
The call comes in the wake of a new report by German daily newspaper Die Tageszeitung (taz) – itself the target of a major DDoS attack on the day of the 2025 German federal election – revealing how that attack appears to have derived from the same source as the attacks in Hungary.
In 2023, IPI documented how more than 40 Hungarian media had been hit by DDoS attacks, a form of cyberattack which crashes websites by overloading their servers with millions of simultaneous access requests, leaving readers unable to access news for hours or days at a time. Independent media critical of the government were targeted multiple times, while pro-government media were left unscathed.
Shortly after the publication of that report, IPI was itself targeted with a major DDoS attack starting on September 1 which kept the website offline for three days while IT teams fought to repel waves of attacks. An in-depth forensic analysis conducted by Qurium, a non-profit based in Sweden, confirmed IPI’s initial assessment that the attack was linked to its press freedom work in Hungary.
After it reported on the attack on IPI, the German newspaper taz was then hit by a similar attack a week later, mirroring a pattern of reprisal attacks against media or organisations which reported on other attacks. On 23 February 2025, taz was then hit by an even larger and more sophisticated DDoS attack which crashed its website for more than two hours and undermined its reporting on the day of the German federal election.
Analysis of technical logs from the attacks on both taz and IPI shows that the hacker used the nickname Hano – an acronym in Hungarian for a disorder which affects the human body. During many attacks, messages were left behind in the code, such as #HanoHatesU. The same message was left in the code of attacks on Hungarian media outlets, which continued in 2024. IPI believes the use of Hungarian, as well as how the attacker appeared to demonstrate detailed knowledge of the Hungarian media landscape and individual journalists, suggests the attacks were coordinated domestically, or at the very least with the support of Hungarian actors.
In its new report, taz reports how its own investigation and interviews with cybersecurity experts suggest that although Hano is probably not a large group, evidence points to it operating from Hungary, or that it is probably financed from there. Experts taz spoke to unofficially classified Hano as an Advanced Persistent Threat (APT) – defined by the German Cybersecurity Agency as a well-trained, usually state-sponsored attacker who targets a system over a long period of time.
Despite the serious and persistent threat posed by the hacking group to media outlets and the free flow of information, Hungarian law enforcement authorities have so far achieved no discernible results in their investigations. Though many of the affected Hungarian media outlets filed police reports at the time, investigations yielded no discernible progress. IPI understands that police were investigating cases individually, rather than as part of a unified national investigation. The perpetrators of DDoS attacks are notoriously challenging to identify due to the availability of anonymity tools.
Neither the Hungarian National Police nor the Cybercrime Department responded to IPI after our organisation contacted them following the cyber-attack in 2023. Taz reported that its inquiries to the Hungarian Ministry of the Interior, Office of the Prime Minister and the Cybercrime Department also went unanswered.
In the wake of the taz report, IPI renews its call for the Hungarian law enforcement authorities to provide updated details about the scope, duration and progress of its investigation into the cyber-attacks on more than 40 Hungarian media outlets, as well as what steps it has taken to address evidence of the involvement of Hungarian actors in attacks on German media, and against IPI – all of which appear to have come from the same Hungarian-connected source.
If you are a media outlet in need of support in repelling DDoS attacks, IPI can provide referrals to cybersecurity organisations to provide enhanced defences free of charge. Please contact IPI for more information.
This statement was coordinated by IPI as part of the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States, Candidate Countries, and Ukraine. The project is co-funded by the European Commission.