Group-IB releases the results of the investigation into the voting of “The Voice Kids Russia” Season 6

Group-IB, an international company that specialises in preventing cyberattacks, has released an analytical report outlining the results of the investigation into the final of the Russian edition of the show «The Voice Kids» Season 6. Group-IB experts have confirmed the fact of vote manipulation and have identified several voting anomalies.

In less than a month, Group-IB conducted an independent investigation initiated by Channel One. The report, which is published on the company’s website, reflects all the stages of the voting analysis. The specialists started by formulating hypotheses to explain the significant gap between the contestants in the final of the show, which was aired on April 26 on Channel One. To confirm or reject each of the hypotheses, a cross-functional project team was formed. The experts worked in the following areas: security assessment, data collection and computer forensics, and technical data analysis.

It should be noted that Group-IB’s official position regarding the situation is reflected in the report: “The results of an independent technical investigation carried out by Group-IB’s specialists are not intended for any accusatory conclusions about any participant of The Voice Kids”. Group-IB is strongly against the use of the data presented in the report for the purpose of assessing the ethical side of the question or making accusations against the children or their parents.

Analysis stages and conclusions about vote manipulation

At the first stage of the investigation, Group-IB experts discovered two groups of phone numbers used for vote manipulation. More than 41,000 votes in favour of Participant 07 were received from these numbers.

The specialists discovered a group of consecutive phone numbers (for example, 8 (XXX) XXX-XX-38, 8 (XXX) XXX-XX-39, 8 (XXX) XXX-XX-40, 8 (XXX) XXX-XX-41) that had been used to cast IVR-votes (phone calls) in favour of Participant 07. These phone numbers are all from the same region, Bashkortostan. The group contains 146 lists of consecutive numbers with up to 360 numbers in each list. The vote manipulation involved a total of 9,484 phone numbers from which 33,175 IVR-calls were made in favour of Participant 07.
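The following added example (not code from Group-IB's report) shows one way to surface blocks of consecutive caller numbers in an IVR vote log and measure how one-sided each block is. The function names, the `min_len` threshold and the sample numbers are assumptions made for illustration; numbers are assumed to be normalised to integers.

```python
from collections import Counter

def find_consecutive_runs(numbers, min_len=4):
    """Group distinct numbers into runs of consecutive integers of length >= min_len."""
    runs, current = [], []
    for n in sorted(set(numbers)):
        if current and n == current[-1] + 1:
            current.append(n)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [n]
    if len(current) >= min_len:
        runs.append(current)
    return runs

def summarize_runs(votes, min_len=4):
    """votes: iterable of (caller_number, participant). One summary dict per run."""
    calls = {}  # caller_number -> Counter of participants voted for
    for number, participant in votes:
        calls.setdefault(number, Counter())[participant] += 1
    summaries = []
    for run in find_consecutive_runs(calls.keys(), min_len):
        tally = Counter()
        for n in run:
            tally.update(calls[n])
        top, top_calls = tally.most_common(1)[0]
        total = sum(tally.values())
        summaries.append({
            "first": run[0], "last": run[-1], "numbers": len(run),
            "calls": total, "top": top, "share": top_calls / total,
        })
    return summaries

# Constructed sample log (not data from the report): six consecutive numbers
# each calling three times for "07", plus unrelated callers for other participants.
SAMPLE_VOTES = [(79000001038 + i, "07") for i in range(6) for _ in range(3)]
SAMPLE_VOTES += [(79000005000, "02"), (79000007777, "06"),
                 (79000001050, "02"), (79000001051, "02")]  # pair is below min_len

if __name__ == "__main__":
    for s in summarize_runs(SAMPLE_VOTES):
        print(s)
```

A long run whose calls go almost entirely to one participant is the pattern described above; short runs occur naturally in dense numbering ranges, so the threshold should be tuned against a baseline from earlier votes.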

The second group of phone numbers involved in the manipulation was identified through the analysis of SMS votes. Due to a mistake on the part of the perpetrators behind the voting manipulation, 8,216 SMS messages contained not only the number of one of the participants, but also technical information with an additional number and a message timestamp. In addition, this group of messages was sent through the same operator and from the same area, the Leningrad region.

At the second stage of the investigation, Group-IB specialists excluded both groups involved in the manipulation from the analysis, and continued to investigate the voting process. In order to identify possible anomalies, Group-IB specialists divided the votes into two categories: telephone calls (IVR) and votes received via SMS. These categories require different analysis approaches due to their technical differences.

At top speed: other anomalies

The detailed analysis of the voting in the Finale (nine participants) and the Grand Finale (three leaders) revealed an unusual vote frequency distribution in time during the broadcast of the show. The experts noticed a sharp start in the voting in favour of Participant 07, with high density of calls and SMS messages right from the beginning of their performance. In the Finale, where only one participant is chosen from each team of three, Participant 07 had 300 votes per second, while the other contestants averaged 110 votes per second. In the Grand Finale, Participant 07 had 250 votes per second in their favour, with the other contestants receiving 170 (Participant 06) and less than 100 (Participant 02).

Group-IB’s specialists separately analysed the voting of those mobile subscribers who voted more than 20 times for their favourite participant. The distribution of these votes exceeds the margin of statistical error, namely, Participant 07 had 2,078 such voters. The other contestants had «extreme voters» (20 and more votes) too: one of them had 39 such fans, while the other had 59, which is about 35 times fewer than what Participant 07 had.

As a result, the average number of votes per phone in favour of Participant 07 is close to 8, while the average for other participants is about 1.5. On average, the figure in all seasons of The Voice Russia since 2015 both for kids and adults was 1.33. Participant 07’s record helped them collect the highest number of votes overall. When compared with the second place, however, the number of unique phone numbers that voted for Participant 07 was 2 times lower in the Finale and almost 6 times lower in the Grand Finale.

Distribution of SMS votes

The share of IVR calls in the total volume of votes is less than 10%, which is why much of the research centered around SMS votes. In order to identify anomalies, Group-IB experts excluded the pool with SMS-votes containing «technical text» which came from the Leningrad Region. However, considering that it was a technical problem that exposed the vote manipulation, it is possible that there could have been more such «SMS pools».

The analysis of «clean» SMS traffic shows that the number of votes per number in favour of Participant 07 far exceeded the average. This trend was quite clear both in the Finale and the Grand Finale. A separate analysis of SMS traffic for each participant of the Grand Finale shows that the largest number of votes (63% for Participant 02 and 60% for Participant 06) can be attributed to those who only sent one SMS message, 12% and 14% to those who sent 2 SMS messages, and 7% and 8% to those who sent three SMS messages. The distribution for Participant 07 is almost reverse: the share of votes received from the numbers which were used to send 20 SMS messages is 70%, 19 SMS messages 5%, and 2 SMS messages 1%.

The analysis of the Finale is almost identical: the largest share of votes (80% for Participant 02 and 75% for Participant 06) can be attributed to those who only sent one SMS message, 8% and 12% to those who sent 2 SMS messages, and 4% and 5% to those who sent three SMS messages respectively. For Participant 07: those who sent 20 SMS account for 75%, 19 SMS for 3%, and 2 SMS for only 1%.
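The per-participant figures discussed above (average votes per number, count of «extreme voters», and the share of votes coming from numbers that sent k messages) can be derived from a raw SMS vote log as in this added example. It is not code from the report; the function name, the field names and the sample data are assumptions.

```python
from collections import Counter, defaultdict

def vote_profile(votes, extreme=20):
    """votes: iterable of (sender_number, participant). Returns per-participant stats."""
    per_number = defaultdict(Counter)  # participant -> sender_number -> messages sent
    for number, participant in votes:
        per_number[participant][number] += 1
    profiles = {}
    for participant, counts in per_number.items():
        total = sum(counts.values())
        votes_by_k = Counter()
        for k in counts.values():
            votes_by_k[k] += k  # a number that sent k messages contributes k votes
        profiles[participant] = {
            "votes": total,
            "unique_numbers": len(counts),
            "avg_per_number": total / len(counts),
            "extreme_voters": sum(1 for k in counts.values() if k >= extreme),
            "share_by_k": {k: v / total for k, v in sorted(votes_by_k.items())},
        }
    return profiles

# Constructed sample (not data from the report).
# "X": 6 numbers send one SMS each, 2 numbers send two each.
# "Y": 20 numbers send one SMS each, 4 numbers send twenty each.
SAMPLE_SMS = [(1000 + i, "X") for i in range(6)]
SAMPLE_SMS += [(2000 + i, "X") for i in range(2) for _ in range(2)]
SAMPLE_SMS += [(3000 + i, "Y") for i in range(20)]
SAMPLE_SMS += [(4000 + i, "Y") for i in range(4) for _ in range(20)]

if __name__ == "__main__":
    for name, profile in vote_profile(SAMPLE_SMS).items():
        print(name, profile)
```

In the constructed data, "Y" collects more votes than "X" while 80% of them come from four numbers, which is the shape of the reversed distribution the report describes.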

How the regions voted

Historically, Moscow and St. Petersburg had been the most active regions to vote for «The Voice» contestants. In this case, however, the vote distribution was different. The top 10 most active regions in terms of the volume of votes cast for the Finale and Grand Finale participants are: Moscow (71,000), Bashkortostan (35,000), St. Petersburg (29,000), Kursk Region (12,000), Republic of Tatarstan (7,000), Krasnodar Krai, Rostov Region and Ulyanovsk Region with 6,000 votes each, and Voronezh and Samara with 4,000 votes each.

Distribution by region also shows deviations in the percentage of votes cast for Participant 07. This is especially clear in Bashkortostan (97%), and the Kursk (96%) and Ulyanovsk (95%) regions.

What audit and penetration testing revealed

Group-IB’s Audit team examined the voting system considering different aspects, including network architecture, device configuration settings, and distribution of administrative roles in the team. In addition, various scenarios and vectors of attacks were tested in order to identify technical possibilities to modify the voting results.

The comprehensive assessment of the infrastructure, website and web application revealed a number of vulnerabilities typical for modern web services and networks. They could have potentially been exploited by an external attacker highly skilled in compromising applications and systems. But as it was confirmed during the first and later stages of the analysis, these vulnerabilities had not been exploited. During the security assessment stage all the results were promptly provided to the company that aggregated and processed the votes. The company has adopted some of Group-IB’s recommendations and continues to work on improving the system’s security.

What digital forensics revealed

Group-IB’s digital forensics specialists studied more than 5 billion bytes and over 30 million log strings. The systems were examined for possible modifications in the voting data by authorised and unauthorised users, as well as for deliberate changes made to the settings, which could have created conditions for outside influence on the voting system to alter the voting results. Also at this stage, it was important to check whether any voting data was deleted and examine the systems for the presence of malicious code or backdoors.

The forensic investigation into the servers, services and the website, which jointly represent the vote counting system, did not reveal any facts indicating unauthorised access to the system, or the removal and/or modification of information by employees of the company that aggregated the votes or by third parties. It was confirmed that the vulnerabilities identified at the security assessment stage had not been exploited. As such, the hypothesis of possible influence on the voting results by various attackers was rejected.

The results of Group-IB’s investigations rarely go public. This report is the first document that describes in detail how we conducted our investigation into this high-profile project that lies at the intersection of Group-IB’s areas of expertise. As technical specialists, we do not assess the impact on the voting, the ethical side, or any other aspect that lies outside the scope of our competencies, but we believe it is important to openly show how our work was carried out based on the data and capabilities we had. This was an interesting experience that demonstrated the synergy between our key departments and it is time to close the technical chapter too. The goal now in my opinion is to prevent such things from happening again in the future and ensure that at no point, under no circumstances and in no country do these things affect children.

Ilya Sachkov

CEO Group-IB

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.