What do the attacks on Time.mk and on the State Election Commission (SEC) carried out on Election day have in common with the attack on the Innovation Fund website two weeks before the elections? How did the SEC's protection fail? What were the security institutions doing during the attack? Was the goal to distract, or to achieve full penetration of the system? The Investigative Reporting Lab and "Samo Prasaj" reconstruct the key events before and after the election process.
The website of the US Public Security Bureau shows what protection of the election infrastructure looks like and what the bodies of the system do to maintain maximum security on Election day. The United States and European countries have procedures and rules for protecting the election process.
That infrastructure, in addition to protection of the polling stations and the like, also includes protection of the critical digital infrastructure, that is, websites and applications for voting and monitoring of the election process.
The Macedonian Public Security Bureau does not have its own website. The hacker attack on the State Election Commission website on Election day, as well as the allegations of technical weaknesses in the application, raised questions about the way the institutions protect the election process. We never received an answer to the question IRL submitted to the Ministry of Interior asking what the security protocols for Election day are.
In discussion with all stakeholders and relevant institutions, as well as with cyber security experts, IRL and “Samo Prasaj” reconstructed the key events before and after the Election day that raise suspicions of institutional flaws and a lack of concern for security of the election process.
What really happened on the day of the elections?
Election Day, 15 July
21:10 hours - The first attack
The website of the State Election Commission, the main source for monitoring the election results, went down. For hours, journalists and the public were unable to obtain any information from the SEC.
"The site simply stopped working. We were unable to know if it was a technical problem or an attack. Things started to get weird when Time.mk announced that it was targeted by a hacker attack. We really did not know what happened to the site at all and whether it was an attack or simply a technical omission until the next day, which left a lot of room for speculators who, on behalf of various centers of power, would take advantage of this opportunity to undermine the credibility of the election results", says Marija Mitevska from Radio Free Europe.
21:15 hours – SEC reports the incident to Duna Computers
The SEC reported the incident to Duna, the company responsible for the electronic system for entering and transmitting election statistics, on the assumption that the problem was in the application. Duna replied that the website had crashed. While the SEC officials were panicking at Duna, no one noticed that the problem was actually with the whole SEC website, not only with the election results page, which runs as a separate platform.
This means that if only the application had crashed, the rest of the site content would still have been available and only the results platform would have been unavailable. There was huge panic in the SEC, and no one knew exactly what to do.
Duna says they tried to explain to the SEC that the problem was on the SEC's own server. The application into which the election results are entered sits on a separate network from the one seen by the public, independent of the SEC website; that separation was set up by Duna. They told the SEC to check its servers.
The SEC operates its own servers, which were a $200,000 donation from two international donors, USAID and the International Federation of Electoral Systems (IFES). The new servers were put into use about 2 months ago.
"We immediately told them that it was an attack and it had nothing to do with the application. This was followed by a phone call by A1 from Austria to report the unusually high traffic per second", says Aleksandar Pajkovski from Duna Computers.
21:40 hours - The attack was stopped by A1 Austria, the SEC protection failed
Although the SEC has a subscription to a protection service that is supposed to quickly repel such attacks and restore the operation of the attacked server as soon as possible, the attack was only stopped when the international telecommunications company A1 Austria intervened.
"Following the unsuccessful attempt of A1 Macedonia to deal with the issue, A1 Austria were the ones that reacted and blocked the attack", says Vlado Vasiljevski, Head of the Information Technology Unit at SEC.
22:10 hours – Time.mk is back, SEC is not
Just one hour after the ballot boxes were closed, the whole procedure for digitally entering the votes was slowed down by the attacks. The focus of the citizens and the media completely shifted after what all political parties called a peaceful and successful Election day, despite the challenge of holding elections during a pandemic.
The tweet in which Time.mk was the first to reveal to the public what exactly had happened to them spread very fast on social media. At the same time, at a press conference, SEC President Oliver Derkovski would only say: "We are under hacker attack", while the founder of Time.mk, Igor Trajkovski, explained in his tweet what that attack was.
"We are under DDoS attack, IP addresses from all over the planet". This is how the founder of the news aggregator Time.mk informed the public about the attack on their website. In his statement to IRL, he describes that same attack as one of "the most aggressive attacks that ever happened to them."
"We are under DDoS" - Igor Trajkovski (@mkrobot), July 15, 2020
The Time.mk news aggregator was attacked from more than 20 million IP addresses. By now it has already recovered and is available to users. The SEC website did not work for the next 12 hours, well into the next day. The results were delayed, the ballots were counted manually and the final results were shared with reporters via Google folders.
SEC and Time.mk use the same protection and servers on a same network
"Due to the nature of the attack, our Cloudflare security system completely fails to detect the attack", said Vasiljevski from SEC. When asked why Time.mk managed to restore the normal functionality of its website while the SEC failed to do so, Vasiljevski blamed technical flaws in the application. In contrast, SEC President Oliver Derkovski says the application worked flawlessly.
"That is not true, the application was operational," he said in an appearance on Alpha TV yesterday.
Both servers, Time.mk and SEC, are connected to the telecommunications network of A1 Macedonia, which both parties confirmed to IRL. Using digital tools for verifying information on domains and servers, IRL found that both Time.mk and SEC use the same protection against DDoS attacks from the well-known American company Cloudflare.
The SEC could not say which kind of protection it had purchased; that company sells different tiers of security.
16 July, day after the elections
12:30 hours - SEC reports the incident to the police after the Ministry of Interior asked them when they will report
The State Election Commission reported the attack to the police only the following day, after the Ministry of Interior called to ask them if and when they would report the incident, and this was confirmed to IRL by the Ministry of Interior.
The SEC did not answer why they waited so long to report the incident to the police.
The allegations of election irregularities and the party objections are overshadowed by the SEC cyber scandal.
Expensive and dangerous attack that can be bought on the "Dark Web"
IRL consulted all the parties involved: the institutions and companies that were targets of this attack. We wanted to determine the nature of the attack. With the help of two cyber security experts, we wanted to find out what this attack might mean and how it was carried out. The names of these experts are known to the newsroom but withheld for security reasons.
What is “DDoS” or Distributed Denial of Service Attack?
There are various computer attacks, but this particular one is called a "DDoS", a Distributed Denial of Service attack. This attack has one purpose: to overload the system with requests to the server.
The attack happens when attackers flood the servers behind the targeted website, generating as much traffic as possible until the website can no longer cope and becomes inaccessible to users. DDoS attacks usually work through a botnet: a large group of distributed computers that act together, simultaneously bombarding a website or service provider with requests for data.
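To make the description above concrete from a defender's seat, here is an added example (not from the article, the SEC or Time.mk) in Python that reads web-server access log lines and labels each one-second window as normal traffic, a single-source flood or a distributed flood according to the number of distinct source addresses. The log lines, the documentation IP ranges and the thresholds are constructed assumptions.

```python
# Added example, not from the original article: classify one-second windows
# of an access log by request volume and by how many distinct source IPs
# produced it. A flood from many addresses is the signature of a DDoS, as
# opposed to one misbehaving client or ordinary traffic.
from collections import defaultdict
import re

# Common Log Format prefix: ip ident user [timestamp] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse(line):
    """Return (ip, timestamp, request, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def classify(lines, rate_threshold=50, distinct_ratio=0.8):
    """Group requests by their timestamp (one-second resolution) and label each window.

    rate_threshold: requests per second above which a window is suspicious (assumed).
    distinct_ratio: share of distinct source IPs above which a flood is called distributed (assumed).
    Returns {timestamp: (request_count, distinct_ips, label)} in time order.
    """
    per_second = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_second[rec[1]].append(rec[0])
    verdicts = {}
    for ts, ips in sorted(per_second.items()):
        n, distinct = len(ips), len(set(ips))
        if n < rate_threshold:
            label = "normal"
        elif distinct / n >= distinct_ratio:
            label = "distributed flood"
        else:
            label = "single-source flood"
        verdicts[ts] = (n, distinct, label)
    return verdicts

def make_lines(ts, ips):
    """Build constructed log lines for one second from a list of source IPs."""
    return [f'{ip} - - [{ts}] "GET / HTTP/1.1" 200' for ip in ips]

# Constructed sample: a quiet second, one noisy client, then a flood from many addresses.
SAMPLE = (
    make_lines("15/Jul/2020:21:05:00 +0200", ["203.0.113.%d" % i for i in range(5)])
    + make_lines("15/Jul/2020:21:09:00 +0200", ["198.51.100.7"] * 80)
    + make_lines("15/Jul/2020:21:10:00 +0200", ["192.0.2.%d" % (i % 256) for i in range(120)])
)

if __name__ == "__main__":
    for ts, (n, distinct, label) in classify(SAMPLE).items():
        print(f"{ts}: {n} requests from {distinct} IPs -> {label}")
```

Real logs would be read from a file and the thresholds tuned to the site's normal traffic; the point is that the same volume from one address and from thousands of addresses calls for different responses.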
How was this attack made?
There are two ways: with your own infrastructure, which would include your own bot network, or by buying the service on the "Dark Web". This is a part of the internet for those who wish to remain anonymous, and it is often used for illegal activities. For example, there you can buy a hacked Netflix premium account, buy bots, trade in weapons and even order a hacker attack. Payment is in cryptocurrencies, and such transactions are difficult to track.
Our analysts say they have no doubt that this attack was purchased because it takes a lot of resources to build such infrastructure, and services like these are offered on the Dark Web in abundance. The cost of such service depends on the extent and duration of the attack and varies from just a few hundred to hundreds of thousands of dollars.
They say that cyber attacks are usually launched to penetrate the server in order to make changes or to download data. A DDoS attack, however, can do nothing but disable the site or, as it is popularly called, crash it. This is done to take a particular website offline and prevent access to its services. The second objective is to create chaos or a distraction so that another operation can be carried out in the background.
Igor Trajkovski says that the attack on Time.mk was so aggressive that they are still working to recover, and for the second day in a row the company's resources are focused solely on repairing the infrastructure.
The attack may have been preceded by a test
Just 15 days before Election day, on 30 June, the Fund for Innovation and Technological Development reported a hacker attack to the Cybercrime Department of the Ministry of Interior.
"The website of the Fund for Innovation and Technological Development fitr.mk was target of a hacker attack in the late evening of 28 June (Sunday) and in the morning hours of 29 June (Monday)", says FITR in a statement that was carried by only one news portal.
The Fund confirmed to IRL that it was the same type of cyber attack as the one on Election day.
"The attack was of the same type, a "DDoS" attack, as the attack on Time.mk and the one on SEC. We did not wait, we repaired it ourselves and quickly re-introduced the functionality, and we reported it immediately to the police", FITR said.
From the day of reporting until today, nobody from the police has contacted the Fund and they have not received any feedback regarding the investigation.
The institutions are silent
Apart from the investigation of the Ministry of Interior, which was opened one day after the elections, there has been no other institutional reaction or official explanation to the citizens.
The State Public Prosecutor's Office told IRL that it monitors the cases related to the attack, but did not say whether, amid allegations of foreign attacks that some individuals and media outlets call 'terrorist', there are others who are using the situation to challenge the legality and legitimacy of the election.
The Ministry of Interior did not answer IRL's questions. The Head of the Computer Crime Department at the Ministry of Interior, Marjan Stoilkovski, said that both investigations, the one for SEC and the one for Time.mk, were ongoing, but refused to discuss other topics and referred us to the Public Relations Office of the Ministry of Interior, which also did not answer the questions raised by IRL and 'Samo Prasaj'.
The controversy over the software procurement: The second issue of the Election day
The crash of the SEC website also opened other problematic issues, such as the procedure for procuring the software for the State Election Commission's election results application. The day after the elections, the media reported that the procurement was disputable: it was made without open competition, with an invitation to only two companies.
Duna Computers beat "I Vote", the company the SEC has been working with since 2006, in the second software tender, which was announced on 19 June and ended on 8 July 2020, a week before the election, when the appeal of "I Vote" was rejected. The same procurement was first carried out at the beginning of this year, when the elections were scheduled for 12 April. The same two companies applied, but the procurement was suspended after the Appeals Commission accepted the objections filed by "I Vote" that Duna did not meet the technical criteria.
This was followed by allegations of non-transparent awarding of the tender and of a lack of a serious approach in the SEC's preparation for the elections.
By: Saska Cvetkovska, David Ilieski
Graphs: Luka Blazhev
This content was made by Research Reporting Laboratory, in cooperation with the Institute of Communication Studies and the ‘Samo Prasaj’ online platform, as part of the Connect the Dots project: Improved policies through civic participation project funded by the British Embassy in Skopje.