Special Report: Election Monitoring in Kyrgyzstan

February, 2005
Last Updated: April 15, 2005

Contents:
- 1. Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections
- 2. Network-based Attacks on Kyrgyz ISPs Continue
- 3. Information War Intensifies as Unrest in Kyrgyzstan Continues - Motives Remain Unclear as Disruptions Increase
- 4. Kyrgyz Elections Monitor Interim Findings: No filtering, but effective use of Computer Network Attack forced ISPs to silence opposition media

Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections

Bishkek, 28 February 2005 (ONI). Websites belonging to political parties and independent media were subject to unexplained technical failures and deliberate hacking during Kyrgyzstan's recent Parliamentary elections. Researchers from the Open Net Initiative documented a pattern of failures that suggests a deliberate attempt to interfere with the functioning of the Internet during the election period.

Attacks included flooding journalist e-mail accounts with large amounts of spam, and spoofing of e-mail from Kyrgyz websites located in the US. Several political websites were deliberately defaced. In one case, a domain address belonging to an opposition group was apparently de-registered as a result of the organization having no legal status under Kyrgyz electoral law.

On February 26th an apparent Distributed Denial Of Service Attack (DDOS) temporarily disabled all websites hosted by major Kyrgyz ISPs (Elcat and AsiaInfo). These ISPs host the websites of many Kyrgyz political parties, media outlets and NGOs. The spike in traffic associated with the failure of Elcat's and AsiaInfo's hosting services led upstream ISPs in Russia and Europe to block access to Elcat's and AsiaInfo's IP addresses, so that web sites hosted by these ISPs are no longer accessible outside of Kyrgyzstan.

Despite the low penetration of the Internet and cell phones in Central Asia, these technologies are increasingly important in the election process. Civil society actors often do not have access to the mass media and increasingly turn to the Internet as a way of making their message heard. The Internet is also an important source of information and news.

The Internet and cell phones were important to civil society actors during the recent "Rose Revolution" in Georgia and "Orange Revolution" in Ukraine. These technologies allowed actors to organize strikes and opposition, ultimately forcing electoral re-runs. Awareness of the strategic importance of these technologies has not been lost on some governments of the CIS region. During the October 2004 referendum in Belarus, there were unverified reports of alleged technical difficulties causing interruptions in cell phone and ISP services during the street protests in the capital Minsk.

Fears that hackers can disrupt the Internet at critical political moments are not limited to the CIS region. During the final week of the 2004 US Presidential election, a US ISP blocked access to georgebush.com for requests originating from IP addresses outside of North America. The US military's Internet domain (.mil) was also blocked during the run-up to the 2003 invasion of Iraq.

Technical data gathered by Open Net Initiative researchers will be analyzed to determine the cause of the recent failures and to investigate the source of the attacks. The results will be published in the next two weeks. Unlike neighboring Central Asian states Uzbekistan and Kazakhstan, the Kyrgyz government does not have a history of filtering or otherwise restricting access to the Internet.

Network-based Attacks on Kyrgyz ISPs Continue

Bishkek, 2 March 2005 (ONI). Sustained Distributed Denial of Service attacks (DDOS) continue to affect the operations of Kyrgyzstan's leading ISPs. Three days of attacks are seriously affecting web hosting servers at Elcat and Asiainfo and overloading their international connections to the Internet. Traffic volumes generated by the attacks have forced the ISPs to temporarily filter all web requests from outside of Kyrgyzstan. So far the only solution to combating the DDOS attacks offered by upstream Internet providers in Russia and Europe is to turn off the international channels, effectively cutting off all traffic into and out of Kyrgyzstan.

A group calling itself "Shadow Team" is claiming responsibility for the attacks. In an e-mail message sent to the ISPs, and obtained by ONI, the group threatens to continue the attacks until specific websites hosted by the ISPs are closed down or removed. Elcat and Asiainfo are facing intense pressure to comply, as the persistence of the attacks is affecting their ability to supply hosting services to a large number of clients in Kyrgyzstan that include NGOs, businesses and international organizations.

ONI experts together with their partners from the Civil Initiative for Internet Policy (Kyrgyzstan) are examining ISP log files and assisting staff from the affected Kyrgyz ISPs with responding to the attacks.

Information War Intensifies as Unrest in Kyrgyzstan Continues - Motives Remain Unclear as Disruptions Increase

Bishkek, 5 March 2005 (ONI). The Kyrgyz Internet is becoming a battleground as unrest triggered by last week's inconclusive parliamentary vote spreads. Two leading Internet Service providers are embattled from an alleged hacker attack and pressure to remove information about growing unrest in the country. A series of e-mails from a hacker(s) calling himself "Shadow Team" posted to Elcat and Asia Info and obtained by ONI, claimed responsibility for the attacks and demanded that the service providers remove the websites of two Kyrgyz newspapers <www.msn.kg> and <www.respublica.kg>. "Shadow Team" also sent e-mail to a popular regional news site <www.centralasia.ru>, demanding that it stop publishing all information about the situation in Kyrgyzstan. Respublica's ISP, Elcat, complied with the hackers' demands and temporarily suspended publishing the newspaper's website. The decision to suspend the website appears to have been agreed to by Elcat and the publishers of the newspaper, as Elcat also hosts many Kyrgyz NGOs, international organizations and other civil society groups.

The attacks claimed by "shadow team" have proven disruptive to the Kyrgyz Internet at a critical time for political authorities. The identity of the hacker(s) remains unknown, and "shadow team" may itself be taking credit for others' work, or in at least one case, for the operation of a more general computer worm (variants of the W32/Bagle.dldr). Ongoing investigations by ONI researchers suggest that there are two simultaneous DDOS events occurring. The first is a result of a computer worm that is affecting Elcat servers but may not have any link to the elections. The second, smaller attack may be a DDOS caused by "shadow team". ONI research suggests that "shadow team" may be an independent CIS-based hacker working without any clear political motive.

The lack of a clearly defined motive for the attacks, or clarity if it is indeed an attack, opens the question of whose interest the hackers are ultimately serving - if anyone's. The attacks have not affected the ability of the Kyrgyz newspapers to publish or distribute paper copies of their newspapers. Likewise, sites like centralasia.ru can easily circumvent DDOS attacks by mirroring on multiple IP addresses. The specific tool and vulnerability used in the attacks appear to be well known, so it is only a matter of time before the attack loses effectiveness.

Some opposition leaders have seized on the attacks, claiming that the Kyrgyz government is launching an on-line censorship campaign. According to unconfirmed reports, government officials appear nervous about the perception that they are seen to be responsible for putting pressure on ISPs to close the newspaper sites. Sources claim that they have requested that Elcat reinstate the sites.

The denial of service attacks appear to be adding to the political unrest in Kyrgyzstan. The seriousness with which the ISPs, the government and the opposition are treating this matter suggests that the Internet is an increasingly important new battleground. An estimated 300,000 out of a total population of around 5 million in this post-Soviet republic have access to the Internet, and information obtained from the Internet is circulated widely to those without direct access. The rising concern among the government, ISPs and the opposition suggests that everyone has a stake in keeping the Internet open, while deflecting blame to "third parties" for circumstances leading to its closure.

The ONI will release a detailed report covering Internet access during the Kyrgyz election in the weeks following the second round of voting scheduled for 13 March.

Further background information about Kyrgyzstan can be found at the following sites:

http://www.eurasianet.org/resource/kyrgyzstan/index.shtml

http://www.alertnet.org/thefacts/countryprofiles/217261.htm

Kyrgyz Elections Monitor Interim Findings: No filtering, but effective use of Computer Network Attack forced ISPs to silence opposition media

ONI, Bishkek, 15 April 2005. The OpenNet Initiative's comprehensive monitoring of the Internet in Kyrgyzstan concludes this week, revealing damaging effects of Computer Network Attacks (CNAs), but no deliberate filtering by Kyrgyz ISPs. The ONI conducted extensive testing and monitoring of the Kyrgyz Internet during recent Parliamentary elections and the immediate post-election period. Data was collected from five leading Kyrgyz ISPs -- ElCat, Asiainfo, Saima Telecom, Kyrgyz Telecom, Transfer -- and analyzed for any deliberate attempts to limit or deny access to Internet content. The results were verified to exclude naturally occurring network failures or traffic congestion.

Analysis of the results obtained yields the following initial conclusions:

  • No systematic attempts to filter access by ISPs or the Kyrgyz Government. ONI testing did not reveal any systematic attempt on the part of Kyrgyz ISPs to block or filter access to any website during the period of the elections. No indications of deliberate technical filtering of websites (or information) were detected on the Kyrgyz Internet during the election or post-election period.
  • Kyrgyz ISPs were subject to a sophisticated Computer Network Attack leading to the removal of key information sites. During the election period, two Kyrgyz ISPs (Elcat and Asiainfo) were subject to massive, effective, and sustained CNAs. These attacks constituted de facto censorship by forcing the temporary inaccessibility of the websites of two major Kyrgyz media outlets, www.msn.kg and www.respublica.kg. These attacks were claimed by a group calling itself "shadow team", which in a series of e-mail messages obtained by the ONI took responsibility and demanded that the Kyrgyz ISPs remove two web sites: www.msn.kg and www.respublica.kg (which they hosted). A third website hosted outside of Kyrgyzstan was also affected by the CNAs. However, ONI research indicates that the attack on fergana.ru was not part of the same attack that affected MSN and Elcat, even though the same group -- "shadow team" -- claimed responsibility for both attacks.
  • Professional "Contract Hackers" appear to be behind the attacks. The CNA was sophisticated and appears to be the work of hackers specifically contracted for the job. The attacks employed a large network of infected computers (known as a BOT-net). While the exact computer code used to generate the attack is unknown at this time, its effect was to flood the ISPs with long requests that overwhelmed their webservers and consumed available bandwidth and processor capacity. Three websites were on the target list for this BOT network: respublica.kg, msn.kg and a website located in the US (unrelated to the political situation in Kyrgyzstan). Evidence currently being analyzed by ONI researchers suggests that the hackers modified their attack against the US site several times -- adjusting to countermeasures used by US-based specialists -- indicating that they were as interested in removing the US site from service as they were the Kyrgyz websites. Actions by actors in the US ensured that the BOT-network was taken out of service on Sunday 12 March.
  • The hackers controlling the attacks appear to be based in Ukraine. Evidence obtained by ONI researchers suggests that the attacks may be the work of Kiev-based hackers. The computer used to control the attacks was located in the US, but registered to a Kiev address. Similarly, an e-mail address in Ukraine appears to be the source of the e-mails sent by "shadow team" to Elcat and fergana.ru.
  • No clear technical evidence of who ordered the attacks. ONI research has not uncovered any technical or other evidence suggesting who was responsible for ordering the attacks. Both pro-government and pro-opposition forces could have benefited from the attacks and the popular coverage they received.

A comprehensive technical and policy report covering the entire monitoring period -- 15 February to 8 April -- is presently being completed by ONI researchers and will be available at the end of April 2005.