Assessing Attribution, Motive, and Impact of Zimbabwe’s 2018 Election Cyberattacks

Arthur Gwagwa
Aug 31, 2018 · 14 min read

Abstract

The process of identifying and establishing attribution and motive in both cyber-attacks and counter-attacks is often challenging. This is largely because such events are often undocumented and unverified, owing to uncertainty about their timing, extent, cause, and specific mechanisms of execution. Yet such attacks can upend critical infrastructure and impair its ability to provide key information during crucial national events such as an election. The borderless nature of cyberspace means that adversaries could be “thousands of miles away or in the very next cubicle at work, or both!” Cases that pertain to hacking should, therefore, pay special attention to unknown hackers operating from both the outside and the inside, and should include both domestic and international realms in their lines of inquiry. A targeted organization’s insiders are a much greater threat and can do far greater damage, as they already have some level of access, means, and opportunity to hack. They can directly contribute to increased vulnerability in a myriad of ways, including the creation of backdoors in systems which they can then exploit when the stakes are high. Drawing upon Zimbabwe’s 2018 election as a case study, this paper painstakingly attempts to connect the dots between the seemingly disparate cyber threats that took place on 1 August 2018 and to provide an analysis that places them in their appropriate context in order to establish a connection, attribution, and motive. It also assesses the impact such events had on the election outcome. This will contribute to an evidence-based threat model which examines multiple attack vectors, such as data weaponization and white hat hacking for political reasons, in the context of censorship and resistance in cyberspace.
While the paper does not generate definitive conclusions on the events that occurred in Zimbabwe, the systematic analysis opens up new lines of inquiry in understanding the Zimbabwean attack vectors and related situations elsewhere.

Introduction

On 1 August three disparate cyber threats were reported in Zimbabwe:

  • Bitcrack Cyber Security reported increased malicious traffic into Zimbabwe on its Twitter handle @bitcrack_cyber. This was based on the “analysis of traffic coming to many distributed systems they had visibility to along with certain undisclosed exploits they had seen”. We immediately raised an alert for a potential DDoS attack, given our previous experience as victims of such attacks. However, the attack did not materialize.
  • The website of Zimbabwe’s election management body (ZEC) was defaced. According to the Qurium forensic report, the attacker gained access to the site probably through a backdoor that he had left days before. The attacker left the name “zim4thewin” in the page that Qurium deposited in fo.
  • The UK-based website Zimelection.com, which enabled ordinary Zimbabweans — for the first time ever — to independently audit the voter’s roll for anomalies, was rendered inaccessible.

Before analysing the above-mentioned events, we set out the research method we used and the rationale for this study in the context of the project Sub Saharan Africa Cyber Threat Modeling.

Methodology

The rationale of the method: Although we were in Zimbabwe documenting the events in this report, we take a reflexive approach in order to avoid subjectivity in our analysis. We therefore, by and large, rely on secondary data-science reports by colleagues at Qurium and on the Open Observatory of Network Interference (OONI) software to test the accessibility of websites and messaging apps. We placed the technical data in context through human intelligence gathering and legal approaches to evidence collation. In combining technical data with local human intelligence, we took a cue from Deibert and Rohozinski’s caution that not all incidents can be picked up, let alone understood, from technical measurements, which ought to be supplemented by local knowledge.

Evidence gathering process: On receiving a tip from a colleague regarding the censorship events, especially the hacking of the ZEC website, we contacted OONI, who immediately put us in touch with Virtualroad, to whom we presented the evidence of concern for analysis. Coincidentally, Virtualroad was already seized with the hacking of the ZEC website and was documenting the attack, how it took place, and collating all the forensic material. They had also externally audited the site and identified its vulnerabilities, including a backdoor in the system that could have contributed to the hacking. We contacted colleagues working in human intelligence who had also become aware that the ZEC website had been hacked. We followed this with a painstaking process of piecing together the various pieces of evidence and grounding them in our granular understanding of the local political context. The process benefited from my experience of dealing with broadly similar issues during the Kenyan 2017 election. In respect of the third incident, the blocking of the Zimelection.com website, we relied on the work of OONI, whose measurements of zimelection.com consistently presented TCP/IP anomalies after multiple tests from the government-owned TelOne ISP. The website owners and other fellow Zimbabweans confirmed to OONI that the website was inaccessible. All in all, the process benefitted from an international multidisciplinary effort.

The rationale for the study

The Zimbabwe Election Commission is a constitutional body that serves the civic interests of Zimbabwean citizens. The confidentiality, integrity, and availability of its data implicate a number of civil rights and political rights both under Zimbabwe’s constitution and international and regional norms. It plays a central role in social, political, and civic processes; consequently, it is a gatekeeper of consequence in these diverse realms.

On the other hand, Zimelection.com is a UK-based website run by a citizen-led organization. The website has been instrumental in encouraging citizens of Zimbabwe to vote by disseminating election-related information and news, as well as voter education. It enabled ordinary Zimbabweans — for the first time ever — to independently audit the voter’s roll for anomalies, although this also raised privacy concerns.

At a conceptual level, this study accords with, but also extends, The Citizen Lab’s broad approach to information controls, which they view as “a broad term used to define all actions that governments, the private sector, and other actors take through the Internet and other information communications technologies, for example, to secure (e.g., encryption) information for political ends.”

We argue that controls through denial are dynamic depending on context. In Zimbabwe’s case, while the adversaries could have been “thousands of miles away” they could also have been inside. Attention should not only be paid to the unknown hackers from the outside, but should also be directed toward insiders, who pose a much greater threat, and can do far greater damage as they already have some level of access, means, and opportunity to hack.

Reconstructing the connection between the parties and events chronology

In this analysis, we seek to ascertain the connection, if any, between the parties and these events in an attempt to establish the motives behind the attacks.

Piecing together the relationships and events

  • Zim4thewin, aka xⒶzy, is a digital activist active in Africa who claimed to have attacked the ZEC website on 1 August (2nd hack). By way of background, he also previously claimed responsibility for the denial of service attacks against the South African SABC back in 2016 to ban the filming of violent protests. More details about @zim4thewin and Anonymous Africa can be found here and here. An archived copy of the @zim4thewin Twitter account is here (Qurium).
  • Upon further investigation, we found that zim4thewin uses a German email domain, although we cannot establish direct links to Germany.
  • The hacker also attributed the attack to Team Pachedu, a civil society interdisciplinary team that has raised concerns about the 2018 voters’ roll. Their reports are available at http://www.teampachedu.org and https://thiscitizen.org/. It is unclear what connection @zim4thewin has with Team Pachedu, but it is likely that the defacer is merely endorsing their work rather than being a formal member.
  • Zimelection.com is owned by Pachedu. However, the current website does not mention its link to Team Pachedu. The name Pachedu was a nickname of the late MDC leader Roy Bennett; in light of that connection, to what extent is Pachedu independent from the MDC?
  • In July, the ZEC Chair claimed that a UK website had leaked the voter’s roll by hacking into its site (1st hack).
  • The website the Chair refers to is apparently Zimelection.com.
  • A government minister warned Zimelection.com before the blocking took place.
  • TelOne, which blocked zimelection.com, is an Internet Service Provider (ISP) wholly owned by the Zimbabwean government. However, the website is not blocked on Netone, a government-owned mobile ISP.
  • A wholly unverified claim, relayed through a contact, asserted that the MDC says the hack of the ZEC website on 1 August was a fake one, done by ZEC itself in order to claim that the site was compromised.
  • The MDC had also claimed that the alleged 1st hack, which led to the disclosure of personal information, was a fake one.
  • However, it remains unclear whether Bitcrack Cyber Security is connected to any of the above parties. It seems to be offering a service; for example, it says, “If you suspect you have been, or will be, breached contact us for further assistance”, and its message is directed at media and financial institutions rather than civil society and political parties. However, according to OONI, the ZEC 2nd hack could also be due to content removal, a domain takeover, or technical issues triggered, for example, by too much traffic towards the website or some malicious activity (hacking). This may lend credibility to Bitcrack’s claim of increased traffic.
  • However, the minister of ICTs did not invoke his powers by instructing other ISPs to render Zimelection.com inaccessible.

Chronology of events

July 2018

  • Judge Chigumba issued a press statement that the 2018 elections could not be rigged as the country’s voting system is “tamper-proof”.
  • Voters received targeted campaign text messages from the ruling ZANU PF party, leading to further allegations that the commission had selectively availed the voters’ database to the ruling party.
  • The commission responded to the accusation by stating that its database was hacked. This admission contradicts its earlier claim that its database was tamper-proof.
  • The Minister for Information Communications Technology and Cybersecurity issued a statement that, in part, threatened the website Zimelection.com for making the Zimbabwean voters’ roll available online.

1 August 2018

  • 01/08/2018 18:01: Zimelection.com tweets that access to its website has been blocked by TelOne; confirmed by OONI around 20:00 hours.
  • 01/08/2018 18:20: The ZEC website is hacked and its pages changed.
  • 01/08/2018 18:31: The Juice (@lizweC) posts about the hack.
  • 01/08/2018 18:32: Zim4thewin retweets it first.
  • 01/08/2018 18:31: ZEC incredibly claims to have pulled down the site and cleaned it up in 11 minutes.
  • 03/08/2018: The defacement remained hosted on the website under the name “indexhacked.php”.

Findings on attribution and motive

The above relationships and chronology of events are so close to each other as to suggest a symbiotic relationship of attack and counter-attack, and given the prior hostile interactions, the probability of chance occurrence is very remote.

Professional findings

ZEC Website second hack

On 1 August 2018, Qurium monitored and recorded how the Zimbabwe Electoral Commission (ZEC) website was defaced. The defacement was widely reported in the local media and on social media. Their report concludes that:

  • The motivation of the attack was to protest against the military violence on the streets of Harare, which led to the death of three protesters.
  • The intruder most probably exploited the very poor security of the Zimbabwe Electoral Commission code (JavaScript and admin area) and uploaded a stealth backdoor to keep persistent access to the website.
  • The poor security of the site does not conform to state-of-the-art security standards and best practices.
  • An experienced pen tester could identify the flaws of the website within hours, which makes us believe that the website never underwent any security audit.

Zimelection.com

Network measurement data collected from OONI Probe tests suggests that TelOne (AS37204) blocked access to zimelection.com by means of TCP/IP blocking. RIPE Atlas data does not show any routing issues, which may invalidate Bitcrack’s claims.
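As an added illustration (not code from this paper, from OONI or from Qurium), the check below mirrors in simplified form how a web_connectivity measurement is labelled: the probe’s DNS, TCP and HTTP results are compared with a control vantage point, and a “tcp_ip” verdict is given only where the control connected and the probe did not, while a failure seen from the control as well (as with a routing problem) is treated as inconclusive. All inputs are constructed and use reserved TEST-NET addresses rather than any real site’s.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Measurement:
    """Reduced, constructed view of one OONI-style web_connectivity result."""
    probe_ips: List[str]                 # addresses the probe's resolver returned
    control_ips: List[str]               # addresses the control resolver returned
    probe_tcp: Dict[str, Optional[str]]  # "ip:port" -> failure string, None on success
    control_tcp: Dict[str, bool]         # "ip:port" -> True if the control connected
    probe_http_failure: Optional[str]    # None if the probe received an HTTP response
    control_http_ok: bool                # True if the control fetched the page


def dns_consistent(m: Measurement) -> bool:
    # Resolvers agreeing on at least one address counts as consistent DNS.
    return bool(set(m.probe_ips) & set(m.control_ips))


def classify(m: Measurement) -> str:
    """Label one measurement: inconclusive, dns, tcp_ip, http-failure or none."""
    if not m.control_http_ok:
        # The control could not reach the site either (outage or routing trouble),
        # so a probe failure says nothing about the probe's ISP.
        return "inconclusive"
    if not dns_consistent(m):
        return "dns"
    for endpoint, failure in m.probe_tcp.items():
        # Probe failed to connect where the control succeeded: TCP/IP blocking.
        if failure is not None and m.control_tcp.get(endpoint, False):
            return "tcp_ip"
    if m.probe_http_failure is not None:
        return "http-failure"
    return "none"


def sample_measurements() -> Dict[str, Measurement]:
    """Constructed inputs using reserved TEST-NET addresses, not the real site's."""
    ip, alt = "203.0.113.10", "198.51.100.7"
    ep = f"{ip}:443"
    return {
        # Resolvers agree, control connects, probe is reset: ISP-level blocking.
        "blocked_by_isp": Measurement([ip], [ip], {ep: "connection_reset"},
                                      {ep: True}, "connection_reset", True),
        # Control fails too: a routing or server problem, not attributable blocking.
        "site_down_everywhere": Measurement([ip], [ip], {ep: "generic_timeout_error"},
                                            {ep: False}, "generic_timeout_error", False),
        # Probe's resolver answers with an address the control never saw.
        "dns_tampering": Measurement([alt], [ip], {f"{alt}:443": None},
                                     {ep: True}, None, True),
        # Everything succeeds from both vantage points.
        "reachable": Measurement([ip], [ip], {ep: None}, {ep: True}, None, True),
    }


def classify_all() -> Dict[str, str]:
    return {name: classify(m) for name, m in sample_measurements().items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:22s} -> {verdict}")
```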

ZEC and the external political criminal adversary theory

In his statement, the ZEC spokesperson Qhubani Moyo said they decided to pull down the website “so that we avoid spreading falsehoods that were being spread by hackers on the ZEC website… We’ll also trace where the hackers originate from so we catch the political criminal elements.”

His statement seems to conclude that the site was hacked by an external black hat adversary who had a criminal and political motive.

The MDC Alliance and its supporters’ political or technical white hat internal adversary

When the 1st hack of the ZEC website, which led to the compromise of users’ data, occurred, there was skepticism within the opposition about the validity of such claims, at least according to those we spoke to. They saw it as a ploy to avoid accountability for allowing ZANU PF selective access to the voters’ roll. However, if this is true, one wonders where Zimelection.com obtained its copy of the roll.

When the 2nd hack occurred on 1 August, those we spoke to saw it as a ploy to further delay the announcement of results. Sources within and close to the MDC that we also spoke to made wholly unverified claims that the hack was fake and carried out by ZEC itself in order to claim that the site was compromised. The claimed purpose was to enable ZEC to revert to using Excel entries to work out and calculate the results, on the basis that ZEC at least temporarily lacked access to the returns data.

An MDC contact in the U.S. corroborated the above claim, maintaining that this was done to massage the results and may have played a role in the delayed announcement of province #10. While we do not endorse this claim and have no way of assessing its merits, according to our sources this was an apparently theoretical opposition claim.

However, we are still talking to a variety of parties to see if the Excel angle, regardless of the nature of the “hack,” took place, and are working backward from there.

For example, Dr. Albert Chikanda, a Canada-based Zimbabwean who used Excel to establish whether the voting totals at polling stations tallied with the number of registered voters at each station, said, “ZEC did not want people to have the ability to analyze the data and they protected the files using a password so that they can only be read. In addition, one would not be able to see how they calculated the totals.” However, he claims that he managed to unprotect the files through the internet.

We and our sources are not privy to the ZEC investigations: what the investigation involved and revealed, notably including who has access to, and may have used, the back door. But certainly, if the system was compromised and the content accessed, one hopes that a white hat actor (whether politically or technically speaking) has the server(s) data and can document any irregular server access and behavior, as well as technical irregularities or manipulation of the vote tally process and data.

This case raises serious transparency, data access, and accountability issues; therefore, ZEC, all parties, and perhaps accredited observers should have had access to multiple findings on this case, and the data should have been revealed publicly in whatever form.

The above was not done before the constitutional court petition to challenge the election results.

Impact of the cyber-attacks on democratic processes

The opposition subsequently filed a petition challenging the election results. In a unanimous determination delivered by the Constitutional Court following the opposition petition, the court stated that the evidence submitted was not sufficient to convince it that the July 30, 2018 election was marred by irregularities that warranted setting aside the results. The opposition should have provided primary evidence, the contents of the ballot boxes, to prove its case. It should have sought to obtain evidence from the election residue (the primary paper trail).

The Independent newspaper subsequently reported that the opposition lawyers had sought a court order compelling ZEC to bring (all) material on its servers, and that on the same day the Registrar of the Constitutional Court wrote back to the opposition lawyers advising them that the court could not accept the subpoena. From this, it would appear the opposition tried to access the source material but were denied by the court itself. However, it is not clear to what extent source material from the servers could have swayed the decision in favor of the applicant. It is also not clear whether ZEC’s servers were up and running after the second hack. Nevertheless, what is clear is that access to information, and the denial of or failure to access key information, played a role in the election itself and in the outcome of the court challenge; a direct impact on the outcome, however, remains speculative and tenuous at best. Commenting on this issue, David Coltart, an opposition leader, said, “Access to the server was critical because it would have exposed differences between the inputted data and what they finally released. It would certainly have been a lot quicker than opening up 33 000 boxes to look at 4 million ballots.”

Conclusion

The professional conclusion by Qurium is clear on the hacker and its motive. According to their forensic investigation, zim4thewin said it was responsible for the attack and was motivated by the quest to protest against the military actions taking place in the streets on 1 August; the intruder probably exploited the ZEC website’s architectural vulnerabilities and may have uploaded a stealth backdoor to keep persistent access to the website. However, the proximity of the event to other events, especially other censorship and resistance events, and the larger political context open new lines of inquiry. It is not clear who zim4thewin is, for example, whether it is an entity only concerned with Zimbabwe, given its claims to have hacked the SABC in South Africa and its connection to Germany.

A claim is simply a claim and cannot establish attribution and motive; for example, notorious terrorist groups have often claimed responsibility for major incidents in Europe and provided a justification, and this has often been done to mislead the intelligence community about the real perpetrator and their motive.

Another problematic angle is whether TelOne acted of its own volition in blocking access to Zimelection.com or whether it was instructed by the minister. Why the minister did not invoke his powers to instruct other ISPs (Econet, Netone, Africom, and Telecel) is not clear. If he did not do so, voters could still access the voters’ roll through other networks. Perhaps such a move would have rattled the government’s attempts to portray a truly democratic process. This position might find backing in the views of Tina Freyburg and Lisa Garbe, writing on a similar subject, who contend that “the temporal interruption of Internet services is facilitated if the state is the majority owner of at least one ISP operating on its territory; by the same token, it should be more challenging for a government to make ISPs comply with its request if the majority of ISPs on its territory is in private hands. This relationship should be even more prominent in times of electoral conflict that may be perceived by the incumbent ruler as threatening reelection and hence political survival.”

Also, how did zimelection.com obtain the roll? Did they not realize that exposing users’ personal information raised ethical questions, or were they of the view that the larger political question was more important than the safety of users’ data? One would imagine that they simply unprotected the official voters’ roll, which raises further ethical questions.

Finally, why did the attacker implicate Pachedu?

These questions will take time to answer and it remains difficult to attribute the ZEC cyber-attacks, but what this paper has sought to do is open new lines of inquiry.

What impact did this have on political processes? It is not clear whether the ZEC servers were up and running when the opposition apparently requested the court to subpoena ZEC servers. The extent to which the information in the servers could have swayed the election outcome is at best speculative, though access to information, and the denial of or failure to access it, played a crucial role in the election itself and in the outcome of the court challenge.

While you are here, you may want to read our previous analysis on the same subject:

Verifiability and Trust: Two Key Ingredients to a Credible Election in Zimbabwe.

Dynamic Data Obfuscation Ahead of Zimbabwe’s Elections

How Undermining Encryption threatens Online User Security in Africa

How a technological solution backfired in Zimbabwe’s elections
