As the political crisis in Venezuela continues to unfold, several major websites are facing destructive technical tampering and censorship.
Since February 12, the website of Venezuela's opposition-controlled National Assembly has been intermittently inaccessible on all networks; opposition-aligned humanitarian aid site VoluntariosxVenezuela, suffered a DNS spoofing attack; and multiple Google services including YouTube have been intermittently inaccessible on CANTV, the country's state-owned internet service provider.
Digital rights organizations and human rights activists monitoring the online disruptions are alert and alarmed, as they expect more attacks in the days ahead.
Observers have seen an overall rise in disruptions of media sites and social media services since a major wave of protests took place on January 23, when opposition leader Juan Guaidó invoked the Constitution‘s Article 233, to declare he was entitled to take presidential powers and call for new elections (and was soon after recognized by the United States, United Kingdom, Canada, and most Latin American states).
The move has sent the country into a new cycle of its longstanding political crisis, as the country's military continues to support president Nicolás Maduro, who has been in office since 2013.
Censorship and DDoS attacks targeting opposition and independent media sites are not a new tactic in Venezuela — they have occurred in the past, typically during protests or in other moments of high political tension. But the recent power struggle marks the biggest political challenge for Nicolás Maduro's government yet, and perhaps appropriately, has brought some of the most sophisticated and high-impact internet disruptions in recent memory.
With broadcast media almost entirely controlled by or at the mercy of state authorities, and print media all but non-existent, the internet is an essential space for communication and information for all Venezuelans, regardless of their political leanings.
A standoff over humanitarian aid
A unique and technically sophisticated attack this week targeted VoluntariosxVenezuela's site, put in place to helps volunteers organize themselves to deliver food and medicine to people in need.
Why would anyone want to undermine this work? Because everything in Venezuela — even humanitarian aid — has become political.
The country's astronomical inflation levels and crumbling trade relations have led to a deep economic crisis, claiming lives inside of Venezuela for lack of medicine and food, and driving more than three million people to leave the country. The numbers of those affected by the humanitarian emergency are difficult to estimate, given the lack of official data and the complexity of the crisis. According to the UN's World Food Program director, only on the border with Colombia, 1.2 million people have arrived “starving […] with no money, no food, no medicine.”
But where there is need, there is often political opportunity. On February 5, Juan Guaidó announced that a shipment of food and medical supplies was on its way from Colombia, a US ally. Both countries have recognized Guaidó as Venezuela's interim leader.
For Maduro and his supporters, accepting humanitarian aid from any state or agency on these terms would be equivalent to opening the gates to military intervention. In short order, Maduro's military placed an oil tanker and two massive shipping containers on the major roadways that connect the two countries, effectively blocking the aid shipment. Soon thereafter, opposition activists created VoluntariosxVenezuela, so that people could organize teams to deliver the supplies on foot and by other means.
Food and medicine are scarce, but phishing is ample
On February 12, people trying to access the site over Venezuela’s state-owned internet service provider, CANTV, found that when they entered the accurate URL for the site [voluntariosxvenezuela.com], they were automatically redirected to voluntariovenezuela[dot]com, a clone or imitation of the real thing.
Technical evidence gathered and reported by internet researcher Andres Azpurúa at VESinFiltro indicated that the redirect resulted from a DNS spoofing maneuver, with the likely objective of “phishing” or collecting the personal data of people interested in opposition activities. The clone URL was no longer working as of February 14.
This type of technical manipulation goes above and beyond tactics that researchers have previously seen in the country, as it requires the exploitation of domain name servers, a key component of internet functionality. Attackers with these capabilities could theoretically apply this tactic to all kinds of websites, effectively undermining people's abilities to use any web service to communicate or access information. Experts fear this may signal a new level of sophistication and determination on the part of those seeking to squash the opposition online.
Azpurúa also assessed the block on YouTube, which technical researchers proved to have taken place during a public speech by Guaidó, referencing the aid effort:
Confirmed short-lived #block of @youtube affecting other google properties like Drive and Gmail .#venezuela again blocks #youtube when @jguaido gives public speeches, stops when it ends. #KeepItOnhttps://t.co/NAAbWVKzZC pic.twitter.com/LqM1DijBNB
— Andres Azpurua (@andresAzp) February 14, 2019
Researchers also confirmed that multiple other general use and information websites and social media services suffered similar attacks, that again appeared to have been designed to “phish” or obtain private information from users. José Luis Rivas explains through a thread on Twitter how they were able to see some of the traces:
El phishing del chavismo no se limita a voluntariosxvenezuela.
Gmail, Twitter, Instagram, Facebook, Hotmail.
Se descuidaron y se cayeron con los kilos.
Ya les voy a mostrar. (Se viene hilo)
— Jose-Luis Rivas (@joseluisrivas) February 13, 2019
Chavismo's phishing doesn't stop with “Voluntarios x Venezuela”. [It includes] Gmail, Twitter, Instagram, Facebook, Hotmail. They were careless and they were caught with their pants down. Let me show you (See thread bellow)
Venezuelan free speech NGO Espacio Público published an analysis of this attack and other similar incidents that have been taking place since mid-2018. The group condemned the use of the DNS spoofing technique and placed blame on the Maduro government:
La información verificada implica que el gobierno de Nicolás Maduro está robando información personal de usuarios en Internet desde al menos, septiembre de 2018. El Estado….utiliza fondos públicos para violar la privacidad de quienes ingresan a servicios de correo electrónico y redes sociales.
The information verified [by researchers] implies that the government of Nicolas Maduro has been stealing personal information of internet users since at least September 2018. The state….is using public funds to violate the privacy of those who log into email and social media services.
UPDATE: This story was updated shortly after publication to acknowledge that Colombia has recognized Guaidó as Venezuela's interim leader.