Zimbabweans knocked offline and see data wiped because of slew of cyber attacks last week during the elections, TechWeekEurope learns
Cyber Repression: In the weeks leading up to and following Zimbabwe’s election of last Thursday, Zimbabweans were hit by significant Internet-based attacks. In some, they could have just been the victims of collateral damage. In others, they were targeted directly.
Two massive distributed denial of service (DDoS) attacks against hosting providers took place this weekend. They took a slew of sites offline, a number of which were reporting heavily on the hugely controversial Zimbabwean election, TechWeekEurope has learned.
One of the hosting providers, GreenNet, which describes itself as an ethical hoster and ISP, with Privacy International and Fair Trade Africa amongst its customers, suspects it may have been hit because of goings on in Zimbabwe. One of its clients is the Zimbabwe Human Rights Forum, which told TechWeekEurope it believes it may have been the subject of a separate hack earlier in the week.
The coordinator of the international office of the Zimbabwe Human Rights Forum said he was alerted to the DDoS by an employee of the Congressional Research Service in Washington DC, who had been looking at the ZHRF’s election “situation-room”, a live feed updating users on the political situation in the African nation.
At 6pm Wednesday, just before the DDoS started, the coordinator noticed all the information on that feed had mysteriously been wiped. “I lost information I had gathered for eight hours,” he said. “All of the information I had recorded on 30 July in the evening through to lunchtime the next day had been wiped.
“Even our website designer and engineer couldn’t really explain what happened. Then, whilst we were still talking about the wiping, we realised the site wasn’t working.
“It is curious because we have never had this problem before in the past 10 years.”
He claimed he was putting out the most comprehensive feed on the election, drawing from a variety of sources for users, and that’s why he could have been a target.
Zimbabweans have set up numerous sites, to draw attention to fears of rigging, violent repression and threats that had blighted the 2008 election.
One, electionride.com, has been taken offline. On its Facebook page on election day, it claimed to have been compromised.
Last month, Kubatana.net, which has been disseminating information via various electronic means, said it had been blocked from sending bulk text messages. Its mobile provider Econet Wireless had been told by the government’s telecoms regulator to enforce the block, it was claimed.
“Kubatana.net views the interference in our work as obstructive, repressive and hostile. It is our opinion that as we approach the July poll the Zimbabwean authorities are increasing their control of the media,” the organisation said on its website on 25 July.
This election has proven just as controversial as 2008’s, with the two main parties at loggerheads over the result, which went strongly in favour of President Robert Mugabe. Opposition leader Morgan Tsvangirai, of the Movement for Democratic Change (MDC) party, has claimed the vote was rigged, whilst the official figures indicate Mugabe won with a significant majority.
MDC members have now claimed they were the victims of physical attacks by Mugabe supporters. Zanu-PF, Mugabe’s party, has denied the claims.
GreenNet taken out
GreenNet is only just recovering today, with some customer websites still down, having reported the strike on Thursday morning, the day after Zimbabweans headed to the polls. It appeared to be a powerful attack – TechWeek understands it was at the 100Gbps level – aimed at GreenNet’s co-location data centre provider. Its upstream provider Level 3 subsequently did not let GreenNet route through its infrastructure. Level 3 was not available for comment.
Cedric Knight, technical consultant at GreenNet, said the company suspected the massive attack, which knocked all its 3,000 customers offline, with email also disrupted, could have been launched because of the Zimbabwean organisations running off its infrastructure.
However, it could not be certain, saying only that it was one GreenNet customer that was targeted. Many of its customers from environmental, gender equality and human rights groups have powerful enemies.
It believes a government entity or a private organisation was responsible. A tweet from GreenNet earlier this week read: “The nature and magnitude of this attack does suggest corporate or governmental sponsors, likely a very unsavoury one.”
The DDoS that hit GreenNet was not a crude attack using a botnet to fire traffic straight at a target port, but a DNS reflection attack using UDP packets, which can generate considerable power. DNS reflection sees the attacker spoof their IP address to pretend to be the target, send lines of attack code to a DNS server, which then sends back large amounts of traffic to the victim.
HostGator, a huge hosting provider in the US, also suffered a big DDoS hit over the weekend. That took out popular Zimbabwean news service Nehanda Radio, amongst many others. Lance Guma, managing editor of the organisation’s website, said he was not sure what exactly had happened. But he has become used to attempted cyber attacks.
“Every time you have a big story, it depends whether the government want people to read it or not,” he said, admitting it was sometimes hard to tell if a story had just been hugely popular, causing the server to crash, or if it was a genuine attack.
Neganda Radio also receives plenty of threats via email: “We received a lot of those this last week. Obviously we never open any,” Guma added.
“We’ve been receiving a lot of election reports and then there’s a link you’re meant to click, but we never click anything because you can tell the subject matter is dodgy.
“They try all that… we normally just open emails from trusted sources.”
Guma said Mugabe’s government is fairly useless when it came to anything to do with technology, but China is believed to be assisting the nation’s cyber police. “You can just outsource this stuff now,” he added.
This article is part of TechWeek’s Cyber Repression Series – check out the first article on attacks stemming from China on spiritual activists and military bodies and the second on IP tracking in Bahrain.
What do you know about Internet security? Find out with our quiz!