- Global Voices - https://globalvoices.org -

Russia: Election Day DDoS-alypse

Posted 5 December 2011 1:50 GMT 1 · Written by Alexey Sidorenko

Categories: Eastern & Central Europe, Russia, Breaking News, Citizen Media, Digital Activism, Elections, Freedom of Speech, Media & Journalism, Politics, Protest, Technology, RuNet Echo

This post is part of our special coverage Russia Elections 2011 ^[1].

Election day in Russia has come. And with it, DDoS attacks and falsifications.

Oppression before the elections

The crackdown on independent websites began several days before the elections. Part of the campaign against the Election Violation Map ^[2], DDoS attacks began against LiveJournal, Golos.org (an election monitoring association) and KartaNarusheniy.ru (a crowdsourced election violation map). Up until late night of December 3, 2011, these websites were functional, but on election day, December 4, their defenses were broken.

On December 2, Alexey Sochnev, an editor of Besttoday.ru (a site that accumulates blog posts, tweets, and social media) was arrested. The police broke in without a court order, arrested Sochnev and searched his apartment. Sochnev was also a representative of Eduard Limonov ^[3]‘s campaign headquarters. On December 11, Limonov had been planning to announce his decision to run for president of the Russian Federation. Several other people were arrested along with Sochnev: Nikolay Avdyushenkov, Andrei Gorin, Nina Silina, and Maria Zinchenko. They were all accused under Article 282 ^[4] of the Russian Criminal Code – “Incitement of National, Racial, or Religious Enmity.” Marina Litvinovich, head of Besttoday.ru tweeted ^[5] [ru] that the police had also searched the apartment of the website's chief programmer.

Late at night on December 3, Lilia Shibanova, head of the association Golos.ru was detained ^[6] at Moscow's Sheremetyevo Airport. Border security service would not let Shibanova out for 12 hours, until she finally agreed to surrender her laptop, which was suspected to contain “a dangerous piece of software.” Twitter followers recommended changing all passwords immediately, but expect to eventually see the contents of Shibanova's inbox on some “-leaks” website.

Not only members of the Russian opposition were affected. The website of a pro-Kremlin showman Sergey Minaev was hacked ^[7] [ru] and its content deleted. Kommersant.ru, the website of a popular daily newspaper, was hacked and defaced ^[8] [ru].

^[8]

"Their time is over. People's rally against fake elections." Screenshot by roem.ru

DDoS Day

It turned out these were just the preparations for a massive DDoS attack against most of the digital platforms seeking to provide independent coverage of the elections.

One by one, they fell. A wave of requests with traffic of more than 10 gigabytes per second swept the blogosphere:

18:50 (Moscow time, here and further on), December. 1 – the attack began on the St. Petersburg version of Novaya Gazeta, lenizdat.ru, and zaks.ru (a popular political website in St. Petersburg). All three websites were down ^[9] [ru] by 14:00 December 2. Zaks.ru moved to a special blog ^[10] [ru] at Echo of St. Petersburg.
23:18, December 3 – an attack against KartaNarusheniy.ru (Election Violation Map) and Golos.org was reported. On election day, the Election Violation Map was not accessible. Golos had exported it's materail to a number of Google spreadsheets ^[11] [ru], which were updated on the go.
“Around midnight,” December 3 – the Russian News Service reported ^[12] [ru] an attack and a subsequent blackout.
02:57, December 4 – pryaniki.org, a popular portal in Tula, was taken down ^[13] [ru]. Pryaniki moved to LiveJournal ^[14] [ru] and Twitter ^[15] [ru].
06:40, December 4 – Echo of Moscow radio station (echo.msk.ru) became inaccessible ^[16] [ru]. Echo tripled its content on GoogleDocs ^[17] [ru], on Google+ ^[18] [ru] and at a special ‘temporary blog ^[19]‘ [ru] hosted by another DDoS-ed medium, Novaya Gazeta. It is important to note that Novaya Gazeta had installed a rather good security system following the previous attacks ^[20] and now was able to provide a safe haven for another indepenent news outlet.
11:05, December 4 – LiveJournal became temporarily inaccessible for Russia-based users.
12:05, December 4 – Slon.ru, Ridus.ru, Bolshoi Gorod (bg.ru), ikso.org (the election commission of Sverdlovsk region), Golos.org, and NewTimes.ru were reported inaccessible ^[16] [ru]. Slon.ru, while inaccessible, used Storify.com to keep track of the elections. Ridus.ru became accessible again around 16:08. A report ^[21] [ru] written by a Slon.ru journalist, Zlata Nikolaeva, in Russian, appeared on Storify.com's home page.
12:21, December 4 – Kreml.tv reported ^[22] [ru] an attack and moved into basic mode.
15:00, December 4 – the website of the Communist Party's Novosibirsk branch, kprfnsk.ru, went down ^[23] [ru].

The DDoS-wave was over several minutes before the end of the elections in central Russia (where most of the voters live):

19:43, bg.ru began functioning again
19:50, attack against kreml.tv stopped ^[24] [ru]
21:18, echo.msk.ru started working ^[25] [ru]

An Echo of Moscow reporter Vladimir Varfolomeev wrote ^[25] [ru]:

А вот и сайт Эха вроде заработал. Сразу после окончания выборов. Конечно, это совпадение, правда, Владислав Юрьевич?

And Echo's website is working again. Right after the end of the elections. It is a coincidence? Of course, isn't it, Vladislav Yurievich [addressing Vladislav Surkov ^[26], First Deputy Chief of Staff of the Russian President].

Ilya Sachkov, director of a cybercrime investigation company, IB Group, described ^[27] [ru] the nature of the attack against Echo of Moscow:

Атака ведется с крупного ботнета, рассредоточенного по всему миру – множество атакующих компьютеров находятся на территории США, Китая и других стран. Российских IP-адресов мало. Мы также фиксируем нечто похожее на атаку в адрес “Голоса”, но здесь преимущественно российские IP-адреса и адреса стран ближнего зарубежья

The attack is being conducted from a big botnet [a network of infected computers] distributed all around the world – a lot of attacking computers are located in the United States, China, and other countries. There are only a few Russian IP addresses. We're also witnessing something that is close to an attack against Golos, but here are mainly Russian IP addresses and those from the [countries of the former Soviet Union].

Silencing “The Voice”

The persecution of Golos.ru (‘golos’ means ‘voice’ in Russian) and Gazeta.ru did not end with election day.

On December 4, Mikhail Kotov, editor-in-chief of Gazeta.ru (a media partner of the Election Violation Map) was invited ^[28] [ru] to Roskomnadzor, a Russian regulatory body for the mass media, for a talk about their map, during which Gazeta.ru was accused ^[29] [ru] of illegal electioneering and a biased attitude towards the United Russia party.

In the middle of the day a fake twitter account, @goIos_org, was launched in order to confuse readers. At 19:47, Twitter user @deniskin reported hashtag spamming for #охотанажуликов ^[30] (‘crooks hunt’) and #наблюдатель ^[31] (‘observer’). Both were being used to coordinate the work of election observers.

This post is part of our special coverage Russia Elections 2011 ^[1].