Skip to content

Independent Media Sites in Belarus Reportedly Hijacked During Election

Belarus is holding an election today. This election is particularly important because Aleksandr G. Lukashenko, sometimes referred to as the ‘last dictator of Europe,’ has allowed a fair degree of freedom throughout the campaign, including giving free airtime on national TV to opposition candidates, during which they were allowed to criticize him without censorship.

However, it appears that Belarus is continuing in its mixed record of allowing free access to opposition Internet sites during elections. I am getting reports from a digital activist whom I trust of DDoS attacks against a number of sites, which is common during times of crisis in authoritarian countries. I can verify that the following sites have been inaccessible at times this morning: charter97.org, belaruspartisan.org, ucpb.org. He is also reporting that international connections to ports 443 and 465 are being blocked, which will prevent users from securely posting content to international sites like facebook and twitter and from sending mail through international carriers like gmail (the blocking is apparently for all international sites, though, not just ones that may be offensive to the government).

Most interestingly, he reports that BELPAK, the Belarussian national ISP, has been silently redirecting requests from independent media sites to copies of those sites presumably run by pro-government actors, if not the government itself. So when a user requests gazetaby.com, the ISP hijacks the request and instead of returning the requested page returns a redirect for gazetaby.in. The fake site is almost identical to the originally requested site, and as of this post each fake site appears to contain all of the same stories as the original site. Presumably as election day goes on, though, the government will use the fake site to prevent publication of stories that it does not like (by merely not mirroring them onto the fake site). My source observed this behavior repeatedly this morning, but it has since stopped, so requests from within Belarus are currently going to the original sites. This behavior was reported for the following sites, with the following faked mirrors (which can be accessed as confirmation):

original site fake site
gazetaby.com gazetaby.in
charter97.org charter97.in
nn.by nnby.in
belaruspartisan.org belaruspartisan.in
ucpb.org ucpb.in
euroradio.fm euroradio.in

Here’s a zip file of screenshots of each of the above sites, in case the fake sites are taken down.

I cannot verify that this activity was or is happening, but the mere presence of the mirrored sites under almost identical names is strong evidence of bad behavior by someone. My source is working directly with many of the sites listed above and so can verify that those mirrored sites are not being run by the site owners (running such mirrored sites under similar domain names is a very common form of DDoS resistance).

This practice of using a complex combination of different methods for controlling the Internet, particularly during times of crisis like an election or a protest, is very common (we will shortly release a report on DDoS attacks against independent media which includes the finding that independent media sites offer suffer from a range of different types of control rather than just filtering, just ddos, just hijacking, etc). Note above that several of the sites that have been subject to the hijacking described above have also been DDoS’d. It may or may not be the case that the actors DDoS’ing the sites are the same as the ones hijacking them (the hijacking is almost certainly the work of BELPAK, since they are the only ones with the ability to hijack requests as described above).

Update 2010-12-19:

All of the mirrors above are hosted on IP addresses owned by BELPAK:

gazetaby.in has address 194.158.211.74
nnby.in has address 194.158.214.60
charter97.in has address 194.158.214.58
bchdd.in has address 194.158.214.58
belaruspartisan.in has address 194.226.121.242
euroradio.in has address 194.158.211.74
ucpb.in has address 194.158.214.60
svaboda.in has address 194.158.194.2

This doesn’t necessarily mean that BELPAK itself is directly hosting the sites — it just means that BELPAK or one of its customers is hosting the mirrors sites within its network. Nonetheless, this is further evidence of bad behavior.

Update 2010-12-21:

Radio Free Europe / Radio Liberty is reporting that one of the site mirrors changed the location of a protest (presumably to misdirect protesters).

2 Comments

  1. Excellent, interesting writeup backed by solid research. Thanks for sharing this. I referenced it in the context of NDI’s efforts monitoring the election.

    Posted on 12-Jan-11 at 6:12 pm | Permalink
  2. I was in Minsk on the election day and I saw redirection of ucpb.org with my own eyes (and even filmed it on camera).

    Posted on 13-Jan-11 at 11:24 am | Permalink

7 Trackbacks/Pingbacks

  1. [...] weiterleitet. Ein Aufruf der kritischen Webseite gazetaby.com routet automatisch auf gazetaby.in. Hal Roberts vermutet, dass man damit verhindern will, dass am Wahltag auf den Webseiten kritische Texte erscheinen, die [...]

  2. [...] Roberts, Berkman Center censorship expert, comments on recent messages of extensive Internet censorship in Belarus. Besides, DNS-hijacking and [...]

  3. Hal Roberts / Independent Media Sites in Belarus Reportedly Hijacked During Election…

    Belarus is holding an election today. This election is particularly important because Aleksandr G. Lukashenko, sometimes referred to as the ‘last dictator of Europe,’ has allowed a fair degree of freedom throughout the campaign, including g…

  4. [...] blog at the Berkman Center for Internet & Society has an interesting report about how the Belarus government seems to be playing dirty tricks on the opposition candidates and media outlets in that [...]

  5. [...] weiterleitet. Ein Aufruf der kritischen Webseite gazetaby.com routet automatisch auf gazetaby.in. Hal Roberts vermutet, dass man damit verhindern will, dass am Wahltag auf den Webseiten [...]

  6. [...] Ein Aufruf der kritischen Webseite gazetaby.com routet automatisch auf gazetaby.in. Hal Roberts vermutet, dass man damit verhindern will, dass am Wahltag auf den Webseiten kritische Texte [...]

  7. [...] modified fake site instead), the site may as well not exist, unless a user knows where to look. And incidents during the recent Belarussian election highlight how a national ISP could achieve an analogous [...]