ELECTIONS IN KYRGYZSTAN 2017 – EXPOSING SAMARA, A FRAUDULENT VOTER MANAGEMENT SYSTEM

cyber

EXECUTIVE SUMMARY

One day before the presidential elections in Kyrgyzstan (15 Oct 2017), an activist with the nick name “suppermario12” leaked a video and forensic information about a fraudulent “voter management system” (also known as samara.kg) to be used to influence the elections.

Qurium together with the editors of Kloop.kg, carried out a forensic investigation and found evidence that strongly suggests that a government operated server in Kyrgyzstan contained a non-state website created to influence voters during the presidential election.

The video released by “suppermario12”, shows how he is accessing an online system containing a large database of voters. According to the video, the Samara system was used to track voters’ intentions, and influencing their decisions by means of bribes and threats. “suppermario12” claims that samara.kg was a system for managing the agitation campaign of pro-government candidate Sooronbai Jeenbekov. The editorial office of Kloop.kg has received testimonies from several agitators from the headquarters of candidate Sioronbai Jeenbekov, who confirm that they used samara.kg for registration and control of votes. Access to a government server with such data can seriously impact the campaign of any presidential candidate, and the election results as a whole. Sioronbai Jeenbekov won the presidential election on October 15. He gained 54% of the votes, only 4% from a second round.

Kyrg authorities deny that samara.kg was ever operating from a government server, while our forensic evidences suggests otherwise.

Background

During the presidential elections in Kyrgyzstan (Oct 2017)  we were hinted by the local media outlet  Kloop.kg that an activist with the nick name “suppermario12” had leaked a video and extra information about a fraudulent “voter management system”: “IVM”.

The video released in the site bulbul  shows how “suppermario12” using someone else credentials got access to an online system that contained a big database of voters. Similar release of information was made available in the “Diesel Forum”.

According to his report, the “IVM system” was used to track vote intentions and those that were susceptible of receiving bribes or threatened to vote for one candidate. The “IVM” system was designed to “manage” such setup including special “curator” accounts responsible of influencing a certain group of voters.

According to the leaked data, the domains samara.kg and mls.kg were used to host such web application and the portal was hosted in the government IP space.

Was samara.kg and mls.kg used to host the IVM system?

In order to verify his claim, we focused all our efforts to record any forensic evidence related to the domains samara.kg
and mls.kg.

We also worked in rebuilding the timeline of events to verify if forensic evidence is consistent with “suppermario12” claims.

The following pieces of evidence were collected:

  1. Google Cache copies of the content of samara.kg and mls.kg during the period 10-16 October 2017 (Google Cache)
  2. Passive DNS records (RiskIQ, DNSDB)
  3. Historical Whois data (DomainTools, RiskIQ, Domain.kg (KG Whois))
  4. Built with: Track sites using the same technology that IVM System (NerfyData, Google)
  5. Infrastructure Mapping (Maltego)
  6. What did we found?

    • Google Cache: We retrieved copies of the contents of samara.kg and mls.kg the 14-15th of October. Both cache copies show a “Authentication Page” based on JSF2 (JavaServer Faces). The cache copies of mls.kg and samara.kg are identical.
    • Passive DNS: We retreived passive DNS records of both domains from four sources: DNSDB, RiskIQ, Dyn and CIRCL.  Two of the sources recorded a passive DNS record of samara.kg  pointing to IP 212.112.124.142. Once of the sources also recorded that mls.kg was hosted in the same IP the 14th of October. Passive DNS records reveal that the websites moved from the IP network 176.126.165.0/24 to the network 212.112.124.0/24 before (samara.kg) and during the election day (mls.kg). DNSDB historical records are included in the Section “Extra Resources”.

 

To read the original articel: https://www.qurium.org/alerts/kyrgyzstan/kyrgyzstan-election

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

Traditional AV solutions shown ineffective in real-time global heat map

It’s no secret that antivirus technology (AV) has faced increased scrutiny in the tech industry for quite some time. With signature-based detection methods, traditional AV solutions are simply weak against unknown malware and other malicious content. Meanwhile, consumers and businesses continue to trust AV solutions to protect their devices. So, how ineffective […]