Special Coverage #4: Kyrgyz Elections Monitor Interim Findings

Kyrgyz Elections Monitor Interim Findings: No filtering, but effective use of Computer Network Attack forced ISPs to silence opposition media

ONI, Bishkek, 15 April 2005. The OpenNet Initiative’s comprehensive monitoring of the Internet in Kyrgyzstan concludes this week, revealing damaging effects of Computer Network Attacks (CNAs), but no deliberate filtering by Kyrgyz ISPs. The ONI conducted extensive testing and monitoring of the Kyrgyz Internet during the recent Parliamentary elections and the immediate post-election period. Data was collected from five leading Kyrgyz ISPs -- ElCat, Asiainfo, Saima Telecom, Kyrgyz Telecom, Transfer -- and analyzed for any deliberate attempts to limit or deny access to Internet content. The results were verified to exclude naturally occurring network failures or traffic congestion.

The ONI's series of special reports on election monitoring in Kyrgyzstan can be accessed here.

Analysis of the results obtained yields the following initial conclusions:

* No systematic attempts to filter access by ISPs or the Kyrgyz Government. ONI testing did not reveal any systematic attempt on the part of Kyrgyz ISPs to block or filter access to any website during the period of the elections. No indications of deliberate technical filtering of websites (or information) were detected on the Kyrgyz Internet during the election or post-election period.

* Kyrgyz ISPs were subject to a sophisticated Computer Network Attack leading to the removal of key information sites. During the election period, two Kyrgyz ISPs (Elcat and Asiainfo) were subject to massive, effective, and sustained CNAs. These attacks constituted de facto censorship by forcing the temporary inaccessibility of the websites of two major Kyrgyz media outlets, www.msn.kg and www.respublica.kg. These attacks were claimed by a group calling itself “shadow team”, which in a series of e-mail messages obtained by the ONI took responsibility and demanded that the Kyrgyz ISPs remove two websites: www.msn.kg and www.respublica.kg (which they hosted). A third website hosted outside of Kyrgyzstan was also affected by the CNAs. However, ONI research indicates that the attack on fergana.ru was not part of the same attack that affected MSN and Elcat, even though the same group -- “shadow team” -- claimed responsibility for both attacks.

* Professional “Contract Hackers” appear to be behind the attacks. The CNA was sophisticated and appears to be the work of hackers specifically contracted for the job. The attacks employed a large network of infected computers (known as a BOT-net). While the exact computer code used to generate the attack is unknown at this time, its effect was to flood the ISPs with long requests that overwhelmed their webservers and consumed available bandwidth and processor capacity. Three websites were on the target list for this BOT network: respublica.kg, msn.kg and a website located in the US (unrelated to the political situation in Kyrgyzstan). Evidence currently being analyzed by ONI researchers suggests that the hackers modified their attack against the US site several times -- adjusting to countermeasures used by US-based specialists -- indicating that they were as interested in removing the US site from service as they were the Kyrgyz websites. Actions by actors in the US ensured that the BOT-network was taken out of service on Sunday 12 March.

* The hackers controlling the attacks appear to be based in Ukraine. Evidence obtained by ONI researchers suggests that the attacks may be the work of Kiev-based hackers. The computer used to control the attacks was located in the US, but registered to a Kiev address. Similarly, an e-mail address in Ukraine appears to be the source of the e-mails sent by “shadow team” to Elcat and fergana.ru.

* No clear technical evidence of who ordered the attacks. ONI research has not uncovered any technical or other evidence suggesting who was responsible for ordering the attacks. Both pro-government and pro-opposition forces could have benefited from the attacks and the popular coverage they received.

A comprehensive technical and policy report covering the entire monitoring period -- 15 February to 8 April -- is presently being completed by ONI researchers and will be available at the end of April 2005.

The OpenNet Initiative (ONI) is a partnership between the Advanced Network Research Group, Cambridge Security Programme at Cambridge University; the Citizen Lab at the Munk Centre for International Studies, University of Toronto; and the Berkman Center for Internet & Society at Harvard Law School. In the CIS region, the ONI works in partnership with the Eurasian i-Policy Network. ONI reports and bulletins covering the CIS are published in English and Russian at http://opennet.net and http://www.internetpolicy.kg.
