EXECUTIVE SUMMARY

One day before the presidential elections in Kyrgyzstan (15 Oct 2017), an activist with the nickname “suppermario12” leaked a video and forensic information about a fraudulent “voter management system” (also known as samara.kg) to be used to influence the elections.

Qurium, together with the editors of Kloop.kg, carried out a forensic investigation and found evidence strongly suggesting that a government-operated server in Kyrgyzstan hosted a non-state website created to influence voters during the presidential election.

The video released by “suppermario12” shows him accessing an online system containing a large database of voters. According to the video, the Samara system was used to track voters’ intentions and to influence their decisions by means of bribes and threats. “suppermario12” claims that samara.kg was a system for managing the agitation campaign of the pro-government candidate Sooronbai Jeenbekov. The editorial office of Kloop.kg has received testimonies from several agitators from the headquarters of candidate Sooronbai Jeenbekov who confirm that they used samara.kg to register and control votes. Access to a government server holding such data can seriously impact the campaign of any presidential candidate, and the election results as a whole. Sooronbai Jeenbekov won the presidential election on October 15. He gained 54% of the votes, only 4% away from a second round.

Kyrgyz authorities deny that samara.kg was ever operating from a government server, while our forensic evidence suggests otherwise.

Background

During the presidential elections in Kyrgyzstan (Oct 2017) we were tipped off by the local media outlet Kloop.kg that an activist with the nickname “suppermario12” had leaked a video and additional information about a fraudulent “voter management system”: “IVM”.

The video released on the site bulbul shows how “suppermario12”, using someone else's credentials, got access to an online system that contained a large database of voters. A similar release of information was made available on the “Diesel Forum”.

According to his report, the “IVM system” was used to track voting intentions and to identify voters who were susceptible to bribes or could be threatened into voting for one candidate. The “IVM” system was designed to “manage” such a setup, including special “curator” accounts responsible for influencing a certain group of voters.

According to the leaked data, the domains samara.kg and mls.kg were used to host the web application, and the portal was hosted in government IP space.

Were samara.kg and mls.kg used to host the IVM system?

In order to verify his claim, we focused all our efforts on recording any forensic evidence related to the domains samara.kg and mls.kg.

We also worked on rebuilding the timeline of events to verify whether the forensic evidence is consistent with “suppermario12”'s claims.

The following pieces of evidence were collected:

Google Cache copies of the content of samara.kg and mls.kg during the period 10-16 October 2017 (Google Cache)

Passive DNS records (RiskIQ, DNSDB)

Historical Whois data (DomainTools, RiskIQ, Domain.kg (KG Whois))

Built with: tracking sites that use the same technology as the IVM System (NerdyData, Google)

Infrastructure Mapping (Maltego)

What did we find?

Google Cache: We retrieved copies of the contents of samara.kg and mls.kg on 14-15 October. Both cache copies show an “Authentication Page” built on JSF2 (JavaServer Faces). The cache copies of mls.kg and samara.kg are identical.

Passive DNS: We retrieved passive DNS records for both domains from four sources: DNSDB, RiskIQ, Dyn and CIRCL. Two of the sources recorded a passive DNS record of samara.kg pointing to IP 212.112.124.142. One of the sources also recorded that mls.kg was hosted at the same IP on 14 October. Passive DNS records reveal that the websites moved from the network 176.126.165.0/24 to the network 212.112.124.0/24 before (samara.kg) and during (mls.kg) election day. DNSDB historical records are included in the section “Extra Resources”.
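To make the passive DNS reasoning above reproducible, here is an added Python example (not part of the original report) that parses records in the exact format quoted in the Extra Resources section, lists the A records that placed a domain inside a given network during a given window, and flags SOA serial jumps that indicate zone updates with no sample in between. The sample records are a subset copied from this report; the election window used below is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: a subset of the passive DNS lines quoted in this
# report's Extra Resources section (first seen, last seen, name, record).
SAMPLE_PDNS = """\
2016-08-18 03:30:45 -0000, 2017-10-18 00:15:59 -0000,mls.kg. , IN A 176.126.165.15
2017-10-15 05:19:31 -0000, 2017-10-15 07:00:45 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111434 3600 3600 604800 86400
*2017-10-14 17:56:08 -0000, 2017-10-15 10:22:13 -0000,mls.kg. , IN A 212.112.124.142
2017-10-16 01:41:18 -0000, 2017-10-17 15:27:43 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111440 3600 3600 604800 86400
*2017-09-13 15:39:11 -0000, 2017-10-14 06:09:41 -0000,samara.kg. , IN A 212.112.124.142
*2017-10-15 05:28:21 -0000, 2017-10-15 05:28:21 -0000,samara.kg. , IN A 31.31.196.253
*2017-10-15 14:29:44 -0000, 2017-10-18 03:13:57 -0000,samara.kg. , IN A 176.126.165.51
"""

@dataclass
class Record:
    first_seen: datetime
    last_seen: datetime
    rrname: str
    rrtype: str
    rdata: str

def _ts(text):
    # The feed stamps every time as UTC ("-0000"): drop the offset, mark UTC.
    stamp = text.strip().rsplit(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_pdns(text):
    """Parse 'first, last,name. , IN TYPE rdata' lines; a leading '*' marker
    (used in the report to highlight entries) is ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip().lstrip("*")
        if not line:
            continue
        first, last, name, rest = line.split(",", 3)
        _cls, rrtype, rdata = rest.strip().split(" ", 2)
        records.append(Record(_ts(first), _ts(last), name.strip().rstrip("."),
                              rrtype, rdata))
    return records

def hosted_in(records, network, start, end):
    """A records with rdata inside `network` whose observation window overlaps
    [start, end] (timestamps in the feed's format); (name, ip, first_seen)."""
    net = ipaddress.ip_network(network)
    lo, hi = _ts(start), _ts(end)
    return [(r.rrname, r.rdata, r.first_seen.isoformat())
            for r in records
            if r.rrtype == "A" and ipaddress.ip_address(r.rdata) in net
            and r.first_seen <= hi and r.last_seen >= lo]

def soa_serial_gaps(records, rrname):
    """Consecutive observed SOA serials that are not adjacent: the zone was
    updated between observations (the 2016111434 -> 2016111440 note)."""
    serials = sorted(int(r.rdata.split()[2]) for r in records
                     if r.rrtype == "SOA" and r.rrname == rrname)
    return [(a, b) for a, b in zip(serials, serials[1:]) if b - a > 1]
```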

Historical Whois: Historical whois data for the domains shows that samara.kg was registered by Ташбаев Учкунбек Азизбекович, using the email uchkunbek@gmail.com. Late at night on 13 October, “suppermario12” changed the whois records of samara.kg and redirected the site to a new hosting provider, 31.31.196.253, serving a simple HTML page that embeds the video site:

<iframe src="http://bulbul.kg/video:52106?embed" width="640" height="390" frameborder="0" webkitallowfullscreen="true" mozallowfullscreen="true" allowfullscreen="true"></iframe>

This redirection is still visible by querying the name server ns1.hosting.reg.ru for the domain samara.kg, which returns the IP 31.31.196.253. Whois records also show that the domain mls.kg is run by Денис Поважный (daftking11@gmail.com / d.povazhnyy@gmail.com), who acts as the webmaster of ihlas.org.



IVM Technology: One very distinctive watermark of the “IVM System” is that the developer(s) used JavaServer Faces (JSF2). A search for the path /ivm/javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo across websites inside .kg helped us identify that the “IVM” site had many similarities with a few governmental sites. The next screenshot shows a video capture of the “IVM” system (left) and our own rendering (right) of the page, using the cached content obtained from Google Cache and the JS and CSS objects obtained from a similar application available on a governmental site.
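As an added example (not the report's own tooling), the following Python extracts the JSF2/PrimeFaces markers that the comparison above relies on from the HTML of a saved or cached page: the application context path in front of javax.faces.resource/, the libraries named by the ln= parameter (PrimeFaces theme names such as primefaces-aristo), the .xhtml views linked, and the presence of javax.faces.ViewState. The HTML fragment is constructed for illustration and is not the cached samara.kg page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed fragment shaped like a JSF2/PrimeFaces login page; the resource
# URLs carry the library name in "ln=", which is the watermark discussed above.
SAMPLE_HTML = """\
<html><head>
<link type="text/css" rel="stylesheet" href="/ivm/javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo" />
<script type="text/javascript" src="/ivm/javax.faces.resource/jquery/jquery.js.xhtml?ln=primefaces"></script>
</head><body>
<form id="loginForm" action="/ivm/view/user/login.xhtml" method="post">
<input type="hidden" name="javax.faces.ViewState" value="STATE_PLACEHOLDER" />
</form></body></html>
"""

# Attribute values that can carry a URL (href, src, action), single or double quoted.
_ATTR_URL = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)

def jsf_fingerprint(html):
    """Summarise the JSF2 markers in a page: context path(s) of the
    application, resource libraries (PrimeFaces themes included), .xhtml
    views and whether a ViewState field is present."""
    contexts, libraries, views = set(), set(), set()
    for url in _ATTR_URL.findall(html):
        parts = urlsplit(url)
        if "/javax.faces.resource/" in parts.path:
            ctx, _, _ = parts.path.partition("/javax.faces.resource/")
            contexts.add(ctx or "/")
            for ln in parse_qs(parts.query).get("ln", []):
                libraries.add(ln)
        elif parts.path.endswith(".xhtml"):
            views.add(parts.path)
    return {
        "contexts": sorted(contexts),
        "libraries": sorted(libraries),
        "views": sorted(views),
        "viewstate": "javax.faces.ViewState" in html,
        "primefaces": any(lib.startswith("primefaces") for lib in libraries),
    }
```

Two pages whose fingerprints agree on context path, theme and view paths are strong candidates for the same application, which is how the cached IVM page and the governmental sites were compared.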

Infrastructure Mapping: With all the information obtained we have summarized our findings in this graph.

Timeline

Mon Jun 05 2017, 14:03:30 - samara.kg hosted at 176.126.165.51

Sat Aug 19 2017 - samara.kg is a real estate website connected to mls.kg / IHLAS (Google Cache)

Wed Sep 13 2017, 15:39:11 - samara.kg moves to 212.112.124.142

Fri Oct 13 2017, 23:03:29 - samara.kg Whois records are changed to suppermario12

Sat Oct 14 2017, 11:19:34 - samara.kg: one cache copy in Google shows the IVM System

Sat Oct 14 2017, 20:33 - VIDEO RELEASE: http://bulbul.kg/video:52106 is published with the account uchkuntashbaev

Sat Oct 14 2017, 17:56 - mls.kg moves to 212.112.124.142

Sun Oct 15 2017, 05:28 - samara.kg site is moved away by suppermario12 to 31.31.196.253, where an iframe with the video is served

Sun Oct 15 2017, 13:42 - mls.kg cache copies in Google show the IVM System

Sun Oct 15 2017, 14:03 - mls.kg cache copies in Google show the IVM System

Sun Oct 15 2017, 15:10 - samara.kg shows an iframe pointing to the video at IP 31.31.196.253

Sun Oct 15 2017, 14:29 - samara.kg moves back to 176.126.165.51 as a "carpet cleaning company"

Sun Oct 15 2017, 18:25 - Supper Mario releases the same statement in the Diesel Forum (Archived Version): "Что творится в Кыргызстане? (Админы, перенесите эту тему в "Политика и Общество")" ("What is going on in Kyrgyzstan? (Admins, move this topic to "Politics and Society")")

Samara.kg Evolution

These two screenshots show samara.kg in August 2017 (top) as a real estate company connected with mls.kg and ihlas.kg, and as a “carpet cleaning company” (bottom) from the day of the election.



In August 2017, the samara.kg website included an About section with the text: “Multiservice is the largest real estate base in Bishkek and in the suburbs of the capital. Here you can find the most profitable offers for the sale of apartments, houses and commercial real estate. We also consult on legal aspects and help you evaluate and sell your property at the best prices.” Samara.kg’s site refers to Multiservice (MLS.KG).

The website seems to be a copy of the website perfect1.kz, as shown in this diff file: perfect1.kz_samara.kg_DIFF

Conclusions

Based on the information that we found, we have strong evidence that:

1. The domain samara.kg was originally registered by uchkunbek@gmail.com (Ташбаев Учкунбек Азизбекович), who for three months in 2017 also controlled the domain ihlas.kg.

2. mls.kg and ihlas.kg are controlled by d.povazhnyy@gmail.com or daftking11@gmail.com (Денис Поважный), who works as webmaster for IHLAS.

3. At least during 14 and 15 October 2017, samara.kg and mls.kg were moved from their normal locations in the 176.126.165.0/24 network to the government network IP 212.112.124.142, where sites like srs.kg or infocom.kg are hosted.

4. During those days we could obtain Google Cache copies of a portal with the name “IVM” built in JSF2.

5. The website samara.kg moved to the government network IP 212.112.124.142 on 13 September 2017 and stayed there until it was compromised by “suppermario12”.

6. Before hosting the IVM system, samara.kg was a real estate website associated with mls.kg.

7. We managed to rebuild the cache copy using CSS and JS files available from other government sites.

8. The person who leaked the information (suppermario12) got control of the samara.kg domain, changed the whois information and re-allocated the domain to the IP 31.31.196.253, where he served the video http://bulbul.kg/video:52106 in an iframe.

Based on all these facts, we have found enough evidence to believe that such an “IVM” system might exist and was running at the address 212.112.124.142, and that the video released by “suppermario12” should trigger a deeper investigation.

Conclusions (Russian version)

Based on the information we found, we have strong evidence that:

1. the domain samara.kg was originally registered in the name of Ташбаев Учкунбек Азизбекович, uchkunbek@gmail.com, and that for three months in 2017 he also controlled the domain ihlas.kg

2. the domains mls.kg and ihlas.kg are controlled by Денис Поважный (d.povazhnyy@gmail.com or daftking11@gmail.com), who works as webmaster at IHLAS.

3. at least during 14 and 15 October 2017, samara.kg and mls.kg were moved from their usual locations in the 176.126.165.0/24 network to the government network IP 212.112.124.142, where sites such as srs.kg or infocom.kg are located

4. we were able to obtain Google cache copies of these portals named IVM, built on the JSF2 framework

5. the samara.kg site was moved on 13 September 2017 to the government network address 212.112.124.142, where it remained until it was compromised by suppermario12

6. before the IVM system was deployed, samara.kg was a real estate agency site linked to mls.kg

7. we were able to rebuild the cache copy using CSS and JS files available on other government sites.

8. the person who published this information (suppermario12) gained control of the samara.kg domain, changed the whois information and moved the domain to the address 31.31.196.253, where the video http://bulbul.kg/video:52106 was served in an iframe.

Based on all these facts, we have found sufficient evidence that the “IVM” system may exist and was operating at the address 212.112.124.142, and that the video published by “suppermario12” should trigger a deeper investigation.

Extra resources

** The Supper Mario Videos **

https://www.youtube.com/watch?v=jtYjazR42wY (Original Version)

https://www.youtube.com/watch?v=mEImBRT8Q00 (with English Subtitles)

** Cache copies of IVM System **

Domain: mls.kg
Time: 15 Oct 2017 02:03:17 GMT
Cache: http://webcache.googleusercontent.com/search?q=cache:O7R8DnckMFwJ:mls.kg/ivm/view/user/login.xhtml+
Archive: http://archive.is/qlpBf

--

Domain: mls.kg
Time: 15 Oct 2017 01:42:01 GMT
Cache: http://webcache.googleusercontent.com/search?q=cache:vPNH6HecE5MJ:mls.kg/+
Archive: https://archive.is/l912X

--

Domain: samara.kg
Time: 14 Oct 2017 11:19:34 GMT
Cache: http://webcache.googleusercontent.com/search?q=cache:dkrndZiRxk4J:samara.kg/+
Archive: http://archive.is/JILWr

--

Domain: samara.kg
Time: 8 Aug 2017 17:16:47 GMT
Cache: http://webcache.googleusercontent.com/search?q=cache:aHVjtDjbhgMJ:samara.kg/kontakty/kapitel.html
Archive: https://archive.fo/23SXq

**** Passive DNS ****

(Record format: first seen, last seen, name, record)

** mls.kg **

2014-12-19 10:56:27 -0000, 2015-07-31 04:49:20 -0000,mls.kg. , IN A 176.126.167.110
2014-12-19 10:56:27 -0000, 2016-06-25 17:15:28 -0000,mls.kg. , IN NS ns7.hoster.kg.
2014-12-19 10:56:27 -0000, 2016-06-25 17:15:28 -0000,mls.kg. , IN NS ns8.hoster.kg.
2014-12-19 10:56:27 -0000, 2016-08-16 18:34:14 -0000,mls.kg. , IN NS ns7.hoster.kg.
2014-12-19 10:56:27 -0000, 2016-08-16 18:34:14 -0000,mls.kg. , IN NS ns8.hoster.kg.
2015-01-01 16:57:20 -0000, 2015-08-01 13:56:12 -0000,www.mls.kg. , IN A 176.126.167.110
2015-08-03 07:08:11 -0000, 2016-06-25 17:15:28 -0000,mls.kg. , IN A 176.126.167.118
2015-08-06 00:32:10 -0000, 2016-06-22 15:02:26 -0000,www.mls.kg. , IN A 176.126.167.118
2015-10-29 03:51:09 -0000, 2016-05-06 03:58:51 -0000,mls.kg. , IN SOA beta.hoster.kg. root.hoster.kg. 2014070602 10800 3600 604800 86400
2016-08-18 03:30:43 -0000, 2017-10-18 00:51:31 -0000,mls.kg. , IN NS ns5.hoster.kg.
2016-08-18 03:30:43 -0000, 2017-10-18 00:51:31 -0000,mls.kg. , IN NS ns6.hoster.kg.
2016-08-18 03:30:45 -0000, 2017-10-18 00:15:59 -0000,mls.kg. , IN A 176.126.165.15
2016-08-18 03:30:45 -0000, 2017-10-18 00:15:59 -0000,mls.kg. , IN NS ns5.hoster.kg.
2016-08-18 03:30:45 -0000, 2017-10-18 00:15:59 -0000,mls.kg. , IN NS ns6.hoster.kg.
2016-08-21 00:56:03 -0000, 2016-08-21 00:56:03 -0000,www.new.mls.kg. , IN A 176.126.165.15
2016-08-28 15:34:26 -0000, 2017-10-05 02:57:18 -0000,www.mls.kg. , IN A 176.126.165.15
2016-09-12 11:42:23 -0000, 2016-10-25 09:52:28 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016081610 3600 3600 604800 86400
2016-10-04 08:25:17 -0000, 2016-11-12 13:13:10 -0000,new.mls.kg. , IN A 176.126.165.15
2016-10-31 23:37:50 -0000, 2016-11-10 04:41:10 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016081619 3600 3600 604800 86400
2016-11-15 03:55:05 -0000, 2017-01-27 18:22:19 -0000,backend.mls.kg. , IN A 176.126.165.15
2016-11-15 16:36:33 -0000, 2016-11-15 16:36:33 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111402 3600 3600 604800 86400
2016-11-16 12:39:33 -0000, 2016-11-26 06:46:49 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111409 3600 3600 604800 86400
2016-11-26 20:08:45 -0000, 2016-12-05 02:04:44 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111411 3600 3600 604800 86400
2016-12-16 12:27:01 -0000, 2016-12-18 13:02:33 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111425 3600 3600 604800 86400
2016-12-23 20:19:01 -0000, 2016-12-23 20:19:01 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111429 3600 3600 604800 86400
2016-12-27 11:47:08 -0000, 2017-02-17 17:45:32 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111431 3600 3600 604800 86400
*2017-03-03 06:59:16 -0000, 2017-03-25 21:24:07 -0000,ihlas.mls.kg. , IN A 176.126.165.15
2017-03-07 09:54:53 -0000, 2017-10-05 02:57:18 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111433 3600 3600 604800 86400
2017-03-14 04:19:17 -0000, 2017-10-17 05:55:26 -0000,mls.kg. , IN MX 10 emx.mail.ru.
*2017-10-14 17:56:08 -0000, 2017-10-15 10:22:13 -0000,mls.kg. , IN A 212.112.124.142
2017-10-15 05:19:31 -0000, 2017-10-15 07:00:45 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111434 3600 3600 604800 86400

Note: the SOA serial changes from 2016111434 to 2016111440, which indicates that DNS zone updates took place, but we have no samples of them.

2017-10-16 01:41:18 -0000, 2017-10-17 15:27:43 -0000,mls.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2016111440 3600 3600 604800 86400
*2017-10-16 01:41:18 -0000, 2017-10-17 15:27:43 -0000,mls.kg. , IN A 176.126.165.15

** samara.kg **

2017-06-23 00:02:32 -0000, 2017-06-27 21:35:18 -0000,www.samara.kg. , IN A 176.126.165.51
2017-06-23 00:02:32 -0000, 2017-10-18 03:13:57 -0000,samara.kg. , IN NS ns5.hoster.kg.
2017-06-23 00:02:32 -0000, 2017-10-18 03:13:57 -0000,samara.kg. , IN NS ns6.hoster.kg.
2017-06-23 00:02:32 -0000, 2017-10-18 05:31:47 -0000,samara.kg. , IN NS ns5.hoster.kg.
2017-06-23 00:02:32 -0000, 2017-10-18 05:31:47 -0000,samara.kg. , IN NS ns6.hoster.kg.
2017-09-13 03:51:16 -0000, 2017-10-09 19:05:12 -0000,samara.kg. , IN SOA evo.hoster.kg. help.hoster.kg. 2017071704 3600 3600 604800 86400
*2017-09-13 15:39:11 -0000, 2017-10-14 06:09:41 -0000,samara.kg. , IN A 212.112.124.142
*2017-10-15 05:28:21 -0000, 2017-10-15 05:28:21 -0000,samara.kg. , IN A 31.31.196.253
*2017-10-15 05:28:21 -0000, 2017-10-15 05:28:21 -0000,samara.kg. , IN NS ns1.hosting.reg.ru.
*2017-10-15 05:28:21 -0000, 2017-10-15 05:28:21 -0000,samara.kg. , IN NS ns2.hosting.reg.ru.
*2017-10-15 14:29:44 -0000, 2017-10-18 03:13:57 -0000,samara.kg. , IN A 176.126.165.51

** list of sites hosted at 212.112.124.142 **

address.infocom.kg.
api.srs.kg.
auth.srs.kg.
biometrika.srs.kg.
data.srs.kg.
demoprava.srs.kg.
dev.infocom.kg.
do.gov.kg.
e.srs.kg.
grs.gov.kg.
infocom.kg.
kadry.infocom.kg.
med.okmot.kg.
mls.kg. <------- 15th October: Election Day
nagrada.srs.kg.
nomer.srs.kg.
opendata.srs.kg.
pobeda.srs.kg.
portal.srs.kg.
portal.tazakoom.kg.
prava.srs.kg.
reestr.srs.kg.
samara.kg. <------- From 13th September
services.srs.kg.
shailoo.srs.kg.
srs.kg.
testasb.srs.kg.
tizme.srs.kg.
visa.infocom.kg.
www.data.srs.kg.
www.demoprava.srs.kg.
www.e.srs.kg.
www.infocom.kg.
www.nomer.srs.kg.
www.pobeda.srs.kg.
www.portal.srs.kg.
www.prava.srs.kg.
www.services.srs.kg.
www.shailoo.srs.kg.
www.srs.kg.
www.tizme.srs.kg.
www.uslugi.srs.kg.

** Pages in the IVM system (URLS) **

ivm/view/user/login.xhtml

ivm/view/voter/voterList.xhtml

ivm/view/voter/voterVisitor.xhtml

ivm/view/voter/pchecker.xhtml

ivm/view/voter/controlAgitator.xhtml

ivm/view/operator/voter.xhtml

Transcript of the video released by suppermario12 (translated from Russian)

There is a voter registration system created to monitor the presidential elections. All public servants and state employees: teachers, doctors, students are intimidated. By being able to check this system, they will know for whom they voted on October 15, and in case of not voting for the pro-government candidate they will be threatened with being fired from work or expelled from school. The owner of the system samara.kg is Uchkunbek Tashbaev, who works in the construction company IHLAS. As curator of the universities was appointed: Abisybek Azizbek Anarbekovich. Responsible for the KSTU (Technical University) Razakova, Bekboev Altimish Rysalievich. If you look closely, you will see that they are supporters of the SDPK, although the teaching staff is prohibited by law from engaging in political activities. And this is just one example of a distributed system of voting control. For each area there is an assigned responsible person: higher education, hospitals, medical institutions... The taxpayer number of some curators contains numbers such as 1995, 1997, 1999, which means that they are students from the first to the fifth courses. Our young generation is under pressure from the authorities; this is open proof of the use of administrative resources, with a bad feeling for the bright future of our country. How can our youth be proud of their State if they are intimidated by their own authorities? Access to this system is through the site samara.kg. Each responsible person is given a personal login and password, and so they can check whom to punish by dismissal or whom to reward with a "kiss". Each voter from the list in this system has the status of "kissed" or "not kissed". A "KISS" is a coded process of "BRIBERY" or "INTIMIDATION". "Kissed" - "the network of controlling agitators".
The authorities promised fair elections, and as the people of Kyrgyzstan support clean and transparent elections, many people responsible for this system who do not support it in their hearts gave us their passwords and access to this system. We hacked it and threw in a virus, so on October 15 (election day) it will not work. Our firm goal is that no one will encroach on your right to a "Free Vote". Dear citizens, vote with your heart, do not let anyone take away your bright future. No one will be able to check; the system will NOT work. Vote with your HEART. No one will be able to check; the system will NOT work. Vote with your HEART.