Durov took to Twitter to hint that Beijing tried to take Telegram offline to disrupt the Hong Kong protests.

The chief executive of secure messaging app Telegram is pointing the finger squarely at China as the culprit responsible for the distributed denial of service (DDoS) attack that it suffered on Wednesday.

The company announced the attack on Twitter, warning that users may be experiencing connection issues as a result of “a powerful DDoS attack.”

Founder and CEO Pavel Durov later tweeted that the traffic overload was “mostly” emanating from Chinese IP addresses, and noted that it was a state actor-sized DDoS attack that “coincided in time with protests in Hong Kong.” The unrest in Hong Kong was coordinated on Telegram, he added – hinting at what he sees as the motivation for the attack.

IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception. — Pavel Durov (@durov) June 12, 2019

Hundreds of thousands of protesters have taken to the streets of Hong Kong in the last few days, opposing Beijing’s plan to allow extraditions from the city, which is designated as a special administrative region (SAR). SARs, under the “one country, two systems” principle, possess their own political freedoms and a market economy, independent of the mainland. According to the Center for Strategic and International Studies (CSIS), this includes “a mini-constitution of Basic Laws and a semi-independent government of three branches: a legislature elected by the people, an independent judicial system, and a chief executive elected by an elite 1,200-member group meant to represent the diversity of constituent interests and opinions in Hong Kong.”

Also, as part of the terms of the handover of the former British colony back to China in 1997, Beijing promised that “the current social and economic systems in Hong Kong will remain unchanged, and so will the lifestyle” for 50 years, according to CSIS. Thus, the extradition plan is seen by the protesters as overreach.

Bloomberg backed up Durov’s claim that the protests were organized via Telegram, which is an encrypted peer-to-peer messaging service that in theory offers a higher level of user privacy and protection from governmental surveillance. The outlet reported that Telegram and a similar service, FireChat, are top-trending apps in Hong Kong’s Apple store. Taking Telegram offline would thus theoretically place a roadblock in front of protester organization.

Richard Hummel, ASERT threat research manager at NETSCOUT, noted that attribution is not cut-and-dried, however. The firm saw attacks against Telegram during the time frame in question that were sourced from more than 100 countries.

“During these attacks, it is common practice for attackers to use spoofed source IP address to conceal their own infrastructure as was this case in these particular attacks,” he said via email late Wednesday. “At this time, we have yet to uncover the motivation or attacker behind the activity. We observed only [a] single spoofed IP address issuing the attack commands and will continue to research any other leads.”

Roland Dobbins, principal engineer at NETSCOUT, told Threatpost that “because these attacks leverage compromised/misconfigured devices, it is extremely difficult to determine the original source(s) of the attack.”

Telegram said that the attack had been remediated by 8 p.m. Hong Kong time on Wednesday. Hummel offered a few technical details of the attack, explaining that it was a reflection/amplification attack, which uses a large number of misconfigured devices to launch attacks at a targeted IP address.

“NETSCOUT has observed multiple DDoS attacks targeting the Telegram instant messaging service from June 11 to June 12,” he said. “Observed attack vectors included memcached, NTP, SSDP and CLDAP reflection/amplification attacks of more than 350Gbps and 150 million packets per second. This series of attacks took place over a span of approximately 16 hours; A secondary attack with an observed bandwidth of more than 120Gbps also occurred on June 11, lasting approximately six hours.”

Telegram meanwhile offered a much less technical – but entertaining – explanation for DDoS attacks to help users understand what was happening:

A DDoS is a “Distributed Denial of Service attack”: your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper. (1/2) — Telegram Messenger (@telegram) June 12, 2019

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.