Investigation. How a Kyrgyz government server was used to try to influence the presidential election

 

The editors of Kloop.kg and Swedish digital forensics specialists found evidence that one of the government servers of Kyrgyzstan hosted a non-state website created to influence voters during the presidential election.

Briefly: what is the investigation about?

  • For a whole month, the non-state site samara.kg was hosted on one of the most important servers of the Kyrgyz government. This server belongs to the State Registration Service, and through it one can access the personal data of all Kyrgyz citizens: passport numbers, TIN numbers and biometric data.
  • The authorities deny that samara.kg was hosted on a government server, but all the digital traces show that they are either lying or do not know what is happening on their servers.
  • An anonymous activist hacked this site one and a half days before the election of the president of Kyrgyzstan and passed information about it to journalists. He claims that samara.kg was a system for managing the agitation campaign of pro-government candidate Sooronbai Zheenbekov.
  • The editorial office of Kloop.kg received testimony from several agitators from the headquarters of candidate Sooronbai Zheenbekov, who confirmed that they used «Samara» to register voters and keep track of votes.
  • Access to a government server with such data can greatly facilitate the course of the campaign of any presidential candidate and jeopardize the security of personal data of Kyrgyz citizens.
  • Sooronbai Zheenbekov won the presidential election, gaining more than 54% of the vote. Only 4% separated him from the prospect of a second round.

 

Part 1. How «Samara» was hacked

When campaigning for the presidential election began in Kyrgyzstan in September 2017, the little-known site samara.kg changed drastically.

From the page of a real estate agency, it turned into a management system holding personal data of citizens of Kyrgyzstan.

The key change occurred on September 13, the fourth day of the election campaign: on that day the domain samara.kg was repointed from the hosting of the private company «Hoster.kg» to the server with the IP address 212.112.124.142.

The log of changes in the DNS settings of «Samara»: the domain moves to the government server 212.112.124.142, and then returns.

This server belongs to the State Registration Service (SRS) – an agency that processes personal data of all residents of Kyrgyzstan.

It is used for a number of state projects, among them – the e-government program «Taza Coom», the favorite brainchild of President Almazbek Atambayev and Prime Minister Sapar Isakov.

A month later, just over a day before the election, an activist under the pseudonym suppermario12 hacked the site samara.kg and sent letters about Samara’s activities to several news publications, including Kloop.kg.

According to the activist, «Samara» was a system for managing a campaign that relied on the administrative resource: voters’ data was collected on the website, and those who would vote for Sooronbai Zheenbekov, the candidate of the presidential party of Social Democrats, were marked.

President of Kyrgyzstan Almazbek Atambayev at the population personification center of the state-owned company «Infocom», April 29, 2017. Photo: Presidential Press Service

 

In the letter, the anonymous activist confessed to hacking the site and wrote that it contained data on 2 million voters. As the person responsible for the creation of this system, suppermario12 named the former Minister of Economic Regulation Uchkunbek Tashbaev, to whom this domain was registered.

«This gentleman (Tashbaev – editorial note) on behalf of the state oversees the process of buying votes from voters. Today, October 15, on election day, on this domain site, of course, all information has already been changed, and if you visit it now, you will see that this site provides a service for cleaning carpets», he wrote then in his letter to the mass media.

In support of his words suppermario12 published a video in which he explained the principle of the system:

Although suppermario12 posted this video publicly, it did not attract the attention of the media or ordinary users: no one even left comments under it, and the video did not even reach thousands of views.

But there was a lot of curious material in this video. For example, it showed that one of the pages of the site samara.kg was a table with the columns «Chain», «PIN», «Last Name», «First Name», «Patronymic», «Passport Number», «Phone», «PEC», «Status» and «Actions», which were filled with the relevant data.

The «Chain» column listed the names of those responsible for working with each voter, «Status» showed whether the voter was «approved» or not, and «Actions» offered the function of editing the voter’s data.

The video also shows that voters in this system were divided into «kissed» and «not kissed». Suppermario12 believes that this is how bought or intimidated voters were tagged.

In the video you can see the URLs of the pages (the journalists of Kloop.kg confirmed that they are authentic), which are named in accordance with their purpose:

  • samara.kg/ivm/view/voter/controlAgitator.xhtml (voter/control Agitator);
  • samara.kg/ivm/view/voter/voterList.xhtml (voter/voter List);
  • samara.kg/ivm/view/voter/voterVisitor.xhtml (voter/voterStakeholder).

 

Part 2. What the connection with the government was

Immediately after the letter from suppermario12, the editorial office of Kloop.kg began to check his information for authenticity and to contact those he named as involved in this system: at least 47 people, whose phone numbers were provided by the anonymous activist himself.

With the help of digital forensics specialists from the Swedish foundation Qurium, which provides secure hosting services, the journalists of Kloop.kg found evidence that the site samara.kg was in fact on the SRS server from September 13 to October 13.

See the Qurium report via the link.

The main evidence is the history of the settings of the «Samara» domain, which can be viewed using the Farsight DNSDB service.

This history shows that for a month the domain samara.kg pointed to a government server. Interviews with users, screenshots and pages cached by Google prove that the site was functioning all this time.

Qurium is a Swedish IT team that deals with the digital protection of independent media in more than 20 countries.

For example, they proved that DDoS attacks on independent Azerbaijani media were connected with local government infrastructure.

An explanation for specialists (if you are not an expert, you can skip):

DNS monitoring services (the Farsight DNSDB service) recorded changes to the DNS records on the NS servers. The A record of the samara.kg domain was changed to the IP address of the government server, 212.112.124.142. At the same time, the WHOIS data itself remained unchanged at the Kyrgyz domain registrar «AsiaInfo».

The editorial office of Kloop.kg collected evidence (cached versions of the site, observations of users and journalists) that the site samara.kg continued to work after these changes, although it displayed completely different content. This indicates that the changes needed to serve the domain samara.kg were made on the side of the government server 212.112.124.142.

After suppermario12 hacked the site on the night of October 14, he got control of the samara.kg domain and redirected it to his own server, so for about the next 10 hours people who visited this site saw the same explanatory video from the anonymous activist.

The owners of the system noticed the interference in the work of «Samara», and late on October 14 they redirected another private domain, mls.kg, to the same government server.

On election day, October 15, it was mls.kg that performed the functions of «Samara» in registering voters, so suppermario12’s plan to take the system down failed.

After the election, both domains, samara.kg and mls.kg, returned to their own servers and began to look innocent again. Only now samara.kg turned into a carpet cleaning service site, and mls.kg became a real estate agency.
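For specialists: the passive-DNS reasoning described above, as an added example that is not part of the Kloop.kg or Qurium material. The records are constructed to follow the article's dates; only 212.112.124.142, samara.kg and mls.kg come from the article, and every other address and name is a documentation placeholder.

```python
from datetime import datetime

GOV_IP = "212.112.124.142"  # government server address given in the article

# Constructed sample modelled on passive-DNS output fields
# (rrname, rrtype, rdata, time_first, time_last). Dates follow the article's
# timeline; addresses in 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation placeholders, not the real hosting or activist servers.
RECORDS = [
    ("samara.kg.", "A", "192.0.2.10", "2017-06-01T00:00", "2017-09-13T06:00"),
    ("samara.kg.", "A", GOV_IP, "2017-09-13T06:00", "2017-09-30T23:00"),
    # Sensors often report overlapping observations of the same record.
    ("samara.kg.", "A", GOV_IP, "2017-09-30T12:00", "2017-10-13T22:00"),
    ("samara.kg.", "A", "198.51.100.7", "2017-10-14T01:00", "2017-10-14T11:00"),
    ("samara.kg.", "A", "192.0.2.10", "2017-10-16T09:00", "2017-11-20T00:00"),
    ("mls.kg.", "A", "203.0.113.5", "2017-05-01T00:00", "2017-10-14T20:00"),
    ("mls.kg.", "A", GOV_IP, "2017-10-14T21:00", "2017-10-16T08:00"),
    ("mls.kg.", "A", "203.0.113.5", "2017-10-16T10:00", "2017-11-20T00:00"),
    ("samara.kg.", "NS", "ns1.example.", "2017-01-01T00:00", "2017-11-20T00:00"),
]


def a_records(records):
    """Keep A records only; normalise names and parse timestamps."""
    for name, rrtype, rdata, first, last in records:
        if rrtype == "A":
            yield (name.rstrip(".").lower(), rdata,
                   datetime.fromisoformat(first), datetime.fromisoformat(last))


def merge(intervals):
    """Merge overlapping or touching (first_seen, last_seen) windows."""
    merged = []
    for first, last in sorted(intervals):
        if merged and first <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def windows_on_ip(records, ip):
    """Map each hostname to the merged periods in which it resolved to ip."""
    by_name = {}
    for name, rdata, first, last in a_records(records):
        if rdata == ip:
            by_name.setdefault(name, []).append((first, last))
    return {name: merge(iv) for name, iv in by_name.items()}


def hosting_timeline(records, hostname):
    """Ordered (first_seen, last_seen, ip) runs showing each hosting change."""
    runs = []
    rows = sorted(r for r in a_records(records) if r[0] == hostname)
    for _, ip, first, last in sorted(rows, key=lambda r: r[2]):
        if runs and runs[-1][2] == ip and first <= runs[-1][1]:
            runs[-1] = (runs[-1][0], max(runs[-1][1], last), ip)
        else:
            runs.append((first, last, ip))
    return runs


def cohosted(records, ip, known):
    """Pivot on the IP: other hostnames that resolved to the same server."""
    return sorted(set(windows_on_ip(records, ip)) - set(known))


if __name__ == "__main__":
    for first, last, ip in hosting_timeline(RECORDS, "samara.kg"):
        flag = "  <-- government server" if ip == GOV_IP else ""
        print(f"{first:%Y-%m-%d %H:%M} .. {last:%Y-%m-%d %H:%M}  {ip}{flag}")
    for name, spans in windows_on_ip(RECORDS, GOV_IP).items():
        for first, last in spans:
            print(f"{name} on {GOV_IP} for {(last - first).days} days")
    print("other names seen on the same IP:",
          cohosted(RECORDS, GOV_IP, ["samara.kg"]))
```

The first-seen and last-seen values bound when sensors observed an answer, not the exact moment a record was changed, so short gaps between runs are expected.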

The owners of «Samara» called their system IVM: this name appeared on both sites, samara.kg and mls.kg, while they were on the government server.

«Based on all these facts, we have found enough evidence that the IVM system can exist and operate at [government] address 212.112.124.142, and that the video published by suppermario12 should cause a deeper investigation», the digital forensics specialists from Qurium wrote in their report.

 

Part 3. How the statements of the authorities do not agree with the facts

SRS Chairman Dastan Dogoyev, in an interview with a Kloop.kg journalist, categorically denied any connection between his agency and «Samara». According to him, the sites samara.kg and mls.kg could not have been hosted on a government server, and the system itself was never «hacked».

«Neither samara.kg nor mls.kg has any relation to the SRS system, nor can they have. I declare this to you responsibly. No third party or parties have physical or remote access to our server», he said.

According to Dogoyev, he personally oversees all projects in the SRS system, so he would have known about the existence of these sites on the government server if their service had been running on it.

Dastan Dogoyev shows Almazbek Atambaev a biometric passport on April 29, 2017. Photo: Press service of the President of Kyrgyzstan

But according to the information that the journalists of Kloop.kg and the researchers from Qurium have found, Dogoyev is either not telling the truth or still does not know what is happening on the servers of his department.

In any case, what the chairman of the SRS said to the Kloop.kg journalist does not agree with the facts.

Dogoyev did not deny that he knew about the existence of these sites before meeting the Kloop.kg correspondent, because he had watched the video published by suppermario12 on the Internet. However, the SRS did not conduct an official investigation because, according to Dogoyev, «I did not find any reason for this».

«These data could not be taken from us. I personally control this issue and can responsibly assure that we have not had a leak or a break-in. Therefore, we did not initiate any internal investigation», said Dogoyev.

The Chairman of the SRS believes that «Samara» received people’s data from open sources and from the voters themselves. According to Dogoyev, his service stores data in 19 separate databases, to which no one has direct access.

«None of our systems, nor any public resource, has or can have direct access to the database, for security reasons», he assures.

Qurium’s technical director Tord Lundström finds it strange that the SRS did not start an official investigation after the publication of the explanatory video from suppermario12.

«It does not matter what kind of data protection mechanisms they (the SRS) have in current applications. If a new application is created and connected to the same database, then it can easily bypass any restrictions on the frequency of access to the database», says Lundström.

Answering the questions of the Kloop.kg journalists, Dogoyev did not explain how samara.kg worked for a month with its DNS pointed at the government server.

 

Part 4. How Tashbaev «does not know anything»

Former Minister of Economic Development and ex-head of the State Agency for Geology Uchkunbek Tashbaev confirmed to a Kloop.kg journalist that the domain samara.kg is registered in his name.

He claims that he knows nothing about the use of the samara.kg domain in the election campaign management system of a pro-government candidate, and that he did not take part in agitation at all. According to the former official, he did not rent out his domain, and besides him, several other employees have access to it.

«I did not have anything of the kind. In general, in my opinion, this is a god-forgotten site, which was visited by three people», he said.

Uchkunbek Tashbaev (right)

Tashbaev also said that he knew nothing about the connection of his domain with the government server: he called this information «delirium» and added that he has no connection with the SRS.

«I would not be allowed within a cannon shot of there. You read my biography», he said.

Tashbaev probably meant that in 2012 he was sentenced to five years in a colony-settlement on charges of abuse of office as head of the state agency for geology.

According to the former official, he uses the domain samara.kg for his «startup», carpet cleaning. He calls his business «unsuccessful» because, according to him, in all this time only a few people have applied to him.

Tashbaev said that no one is currently administering the site samara.kg, and he does not remember who developed it.

Part 5. How the site administrator got confused in his testimony

The journalists of Kloop.kg found the administrator of the site samara.kg: he turned out to be a colleague of Tashbaev, Denis Povazhny, a 20-year-old employee of the construction company «Ikhlas».

Talking with reporters, Povazhny said many things that no one else has confirmed, which raises serious doubts about the veracity of his words.

For example, he explained the placement of the domain samara.kg on a government server by a «hacking» of the Internet provider «AsiaInfo», from which the domain was purchased.

«They simply redirected [the samara.kg domain] to other servers. We called them, they returned it back, then, after an interval of time, they again redirected the DNS […] At first, they even redirected it to some Russian server, I remember I looked at the IP addresses. Then to some local one of ours, then there was a moment when it was unavailable altogether. Then there was a moment when for four hours Pornhub opened. That is, they changed it as they wanted», is how Povazhny described this «hacking» to a Kloop.kg journalist.

These words are not confirmed by the services that track DNS servers: for example, the redirect to Pornhub that Povazhny speaks of was not recorded.

The director of the company «AsiaInfo», Alexander Samoilenko, said that they did not have any hacking in the autumn of 2017. «Nobody hacked us. What this friend had going on with the sites, I, frankly, find it difficult to comment on», he says.

Povazhny made several more controversial statements. For example, he claims that the owner of the site samara.kg filed a statement with the police against the company «AsiaInfo», but the Ministry of Internal Affairs told the Kloop.kg journalist that they had not received any statements.

Povazhny also said that he received calls «from state agencies», was asked questions and was asked not to leave the country until after the «investigation». The State Committee for National Security and the Ministry of Internal Affairs deny the existence of any investigation.

Finally, Povazhny said that samara.kg had been a carpet cleaning service site since the beginning of summer 2017, but these words do not agree with the facts: the experts from Qurium established from digital traces that until the middle of September the site samara.kg described a real estate agency connected with the construction firm «Ikhlas».

 

Part 6. How curators worked

The editorial office of Kloop.kg was able to contact suppermario12 on election day, October 15.

In a short letter he said that he had been able to download from Samara the data of only one polling station, PEC # 1260.

He added that he could not download data about all 2 million people from this base, because he «had a bit of trouble» and «did not know about the pitfalls».

«Serious people are involved in this, and I kind of hacked them, so [communication] only through this mail», the activist wrote, and then stopped answering the journalists’ letters.

However, suppermario12 managed to pass to the Kloop.kg editorial office a table with detailed data on more than 600 voters at PEC # 1260. They were mostly teachers of the Kyrgyz State Technical University (KSTU), as well as students of the same university who had come to Bishkek from other regions to study. At the same time, it is not known which of these 600 voters were «kissed» and which were not.

A KSTU student named Talent told a Kloop.kg journalist that he does not know how his data got into the table. According to him, he provided such detailed information about himself only when he submitted Form No. 2 through his university, an application that everyone who planned to vote somewhere other than their place of registered residence had to fill in.

Talent said that teachers did not force anyone, but «hinted» that students should vote for pro-government candidate Zheenbekov. He also added that, along with this, other candidates also agitated in the university.

On election day, journalists of Kloop.kg, under the guise of «curators», phoned some students from suppermario12’s list and asked whether they had voted «as agreed».

Some students answered positively and said that they voted «for number nine», that is, for Zheenbekov. The remaining students answered that they also voted «as agreed», but for other candidates – for example, Omurbek Babanov.

Sooronbai Zheenbekov, then prime minister of Kyrgyzstan, at the international conference «Taza Coom» on May 30, 2017. Photo: Press Service of the Government of Kyrgyzstan

The journalists of Kloop.kg also managed to talk in detail with several agitators from Zheenbekov’s headquarters who used «Samara».

They confirmed the existence of the system, but, fearing for their safety, they wished to remain anonymous.

According to them, each agitator had his own account in the «Samara» system and entered there the passport data of voters, which they collected manually. The collected data was then checked for reliability at the candidate’s headquarters.

Checking the data for reliability could have been made significantly easier by the fact that Samara was on a government server with access to the data of all citizens of Kyrgyzstan.

«[Staff operators] take, check first whether they are [collected voter passports], whether they have biometrics. If there are biometrics, if the address and city permit, then they take this passport, check it, enter it into their Samara. Those who do not have biometrics, or who do not pass on city registration, they just return the passport, and [the voter] does not fit», the agitator told a Kloop.kg journalist.

The agitator’s words are confirmed by a video published by the publication «Chyndyk» within a few days of the election: in it, operators at Zheenbekov’s headquarters discuss the payment to an agitator and ask whether she added the voters she attracted to «Samara».

– How many voters do you have? – the staff member asks.

«I still have five», the girl in the video says.

– Have you added to Samara?

«No, they just did not give me access».

 

Part 7. How the SDPK did not hear anything

The staff of the pre-election headquarters of the pro-presidential Social Democratic Party of Kyrgyzstan (SDPK) could not comment on the use of Samara. They explained this by the fact that the election was over and the staff had been dismissed, so there was no longer anyone with the right to give comments.

Nurai Mars, a former employee of the PR department of the headquarters, said that she cannot comment on how the campaign was conducted, because «the work of the headquarters has already ended».

Correction: in the original version of this material we gave the name Nuria Tashbolotova instead of Nurai Mars. We apologize!

Other staff members also refused to talk, because they no longer work on the election campaign.

SDPK member Benazir Nurlanova promised to find out at the headquarters whether someone could talk about how the campaign was going on, but in the end nobody wanted to talk with the journalist.

«I tried it, sent it to ours, but no one answered. In general, no one answers», Nurlanova said.

Sooronbai Zheenbekov’s press secretary Tolgonai Stamalieva, in a conversation with a Kloop.kg journalist, said that she knew nothing about «Samara».

«What kg? Excuse me, what is this? Let me clarify, I do not know, I was away», she told the journalist when asked about «Samara».

In the next conversation, Stamalieva said she was trying to get an answer from those who worked with journalists and partners of the headquarters, but at that time no one answered her.

The head of the headquarters, Farid Niyazov, did not answer the calls of the Kloop.kg journalist, but reacted to a message in a messenger: Niyazov wrote «what is this site?» and did not get in touch again.

Farid Niyazov (right), former adviser to President Atambaev, was the head of the pre-election headquarters of Sooronbai Zheenbekov. Photo: Press service of the President of Kyrgyzstan

Bakyt Beyshenbekov, a former employee of the Zheenbekov staff in Kochkor district, said that they did not use any site in their work and had not heard of «Samara». He added that there were problems with the Internet in their area, so their headquarters could not use the site, and instead entered voters’ data into a document on a computer.

«We cannot use such a system because in the villages many people do not know how to use the Internet and we can say that there is no Internet here», he said.

According to Beyshenbekov, his people sent the central headquarters only the number of those who agreed to vote for Zheenbekov, while the voters’ data remained in their regional headquarters.

Summary from the authors of the investigation. How could this all affect the election?

Numerous observers at the last presidential election in Kyrgyzstan reported the use of an administrative resource. What does this mean? It means that the state probably played along with one of the candidates, and that he had opportunities his competitors did not have.

People under the government’s control were used for the benefit of the candidate favoured by the government, not always in legal ways: university lecturers, teachers, doctors and other state employees.

It would seem wonderful: there is no need to find an army of agitators, because tens of thousands of people are already at your disposal. They are dependent on you, which means they will not let you down.

Right? Not at all. Let’s look at the situation through the eyes of a candidate who uses an administrative resource.

How do you make tens of thousands of people, using their dependence, do what you want? The task is not so simple.

The problem is that a hypothetical pro-rector for economic affairs at a hypothetical university must somehow persuade the students of this university to vote for the right candidate.

He also needs to convince students from other regions to register at the polling station located on the territory of the university, then he needs to convince or intimidate them into voting the right way, and then he needs to control the turnout.

How much can go wrong in this complicated process!

For example, the pro-rector can simply neglect the assignment, he can talk to too few students, students may not register at the polling station or may not come to vote, and so on.

Therefore, our hypothetical pro-rector should have an inspector who will take a random sample of students and check that the pro-rector really talked to them.

The inspector should also have the maximum amount of personal data about each student, in order to be sure that the pro-rector did not simply invent non-existent people, and to check the fact of registration at the required polling station.

Ideally, the inspector should also have photos and biometric descriptions of the intimidated voters, to check that they actually appeared at the polling station.

(It’s good that the SRS will never provide its databases to those wishing to use the administrative resource … Oops!).

If we scale all this across the country, we get a complicated logistical task: hundreds of hypothetical pro-rector curators, hundreds of inspectors, tens of thousands of intimidated students and state employees.

To cope with all this, a system is needed that works over the Internet, through which the curators can report on agitation, intimidation and bribery, and the inspectors can report on the results of checks, registration and turnout.

For maximum effectiveness, this system should have access to extensive databases containing information about voters, preferably with photographs and biometric data.

Is Samara similar to such a system? Yes, very. Can we assert that «Samara» was used effectively and helped Zheenbekov win? Not yet.

But, at least, we know for sure that it existed and was kept on the government server for a month.

And we also know that the Kyrgyz authorities for some reason deny all this and do not recognize it.

The response of the editorial office of Kloop.kg and the authors of the investigation about «Samara» to accusations from the SRS

If you know anything else about how «Samara» worked and how it could affect the results of the presidential election, write and call us:

  • office@kloop.kg
  • + 996-772-67-08-15

Authors: Rinat Tukhvatshin, Alexandra Lee, Marina Skolyysheva

Contributor: Aidai Erkebaeva

Editors: Eldiyar Arykbayev, Bektur Iskender

Layout: Dmitry Motinov
