Group-IB, an international company that specialises in preventing cyberattacks, has released an analytical report outlining the results of the investigation into the final of the Russian edition of the show «The Voice Kids» Season 6. Group-IB experts have confirmed the fact of vote manipulation and have identified several voting anomalies.
In less than a month, Group-IB conducted an independent investigation initiated by Channel One. The report, which is published on the company’s website, reflects all the stages of the voting analysis. The specialists started by formulating hypotheses to explain the significant gap between the contestants in the final of the show, which was aired on April 26 on Channel One. To confirm or reject each of the hypotheses, a cross-functional project team was formed. The experts worked in the following areas: security assessment, data collection and computer forensics, and technical data analysis.
It should be noted that Group-IB’s official position regarding the situation is reflected in the report: “The results of an independent technical investigation carried out by Group-IB’s specialists are not intended for any accusatory conclusions about any participant of The Voice Kids”. Group-IB is strongly against the use of the data presented in the report for the purpose of assessing the ethical side of the question or making accusations against the children or their parents.
Analysis stages and conclusions about vote manipulation
At the first stage of the investigation, Group-IB experts discovered two groups of phone numbers used for vote manipulation. More than 41,000 votes in favour of Participant 07 were received from these numbers.
The specialists discovered a group of consecutive phone numbers (for example, 8 (XXX) XXX-XX-38, 8 (XXX) XXX-XX-39, 8 (XXX) XXX-XX-40, 8 (XXX) XXX-XX-41) that had been used to cast IVR-votes (phone calls) in favour of Participant 07. These phone numbers are all from the same region, Bashkortostan. The group contains 146 lists of consecutive numbers with up to 360 numbers in each list. The vote manipulation involved a total of 9,484 phone numbers from which 33,175 IVR-calls were made in favour of Participant 07.
The second group of phone numbers involved in the manipulation was identified through the analysis of SMS votes. Due to a mistake on the part of the perpetrators behind the voting manipulation, 8,216 SMS messages contained not only the number of one of the participants, but also technical information with an additional number and a message timestamp. In addition, this group of messages was sent through the same operator and from the same area — the Leningrad region.
At the second stage of the investigation, Group-IB specialists excluded both groups involved in the manipulation from the analysis, and continued to investigate the voting process. In order to identify possible anomalies, Group-IB specialists divided the votes into two categories: telephone calls (IVR) and votes received via SMS. These categories require different analysis approaches due to their technical differences.
At top speed: other anomalies
The detailed analysis of the voting in the Finale (nine participants) and the Grand Finale (three leaders) revealed an unusual vote frequency distribution in time during the broadcast of the show. The experts noticed a sharp start in the voting in favour of Participant 07, with a high density of calls and SMS messages right from the beginning of their performance. In the Finale, where only one participant is chosen from each team of three, Participant 07 had 300 votes per second, while the other contestants averaged 110 votes per second. In the Grand Finale, Participant 07 had 250 votes per second in their favour, with the other contestants receiving 170 (Participant 06) and fewer than 100 (Participant 02).
Group-IB’s specialists separately analysed the voting of those mobile subscribers who voted more than 20 times for their favourite participant. The distribution of these votes exceeds the margin of statistical error: Participant 07 had 2,078 such voters. The other contestants had «extreme voters» (20 and more votes) too: one of them had 39 such fans, while the other had 59, which is about 35 times fewer than what Participant 07 had.
As a result, the average number of votes per phone in favour of Participant 07 is close to 8, while the average for other participants is about 1.5. On average, the figure in all seasons of The Voice Russia since 2015 both for kids and adults was 1.33. Participant 07’s record helped them collect the highest number of votes overall. When compared with the second place, however, the number of unique phone numbers that voted for Participant 07 was 2 times lower in the Finale and almost 6 times lower in the Grand Finale.
Distribution of SMS votes
The share of IVR calls in the total volume of votes is less than 10%, which is why much of the research centered around SMS votes. In order to identify anomalies, Group-IB experts excluded the pool with SMS-votes containing «technical text» which came from the Leningrad Region. However, considering that it was a technical problem that exposed the vote manipulation, it is possible that there could have been more such «SMS pools».
The analysis of «clean» SMS traffic shows that the number of votes per number in favour of Participant 07 far exceeded the average. This trend was quite clear both in the Finale and the Grand Finale. A separate analysis of SMS traffic for each participant of the Grand Finale shows that the largest number of votes (63% for Participant 02 and 60% for Participant 06) can be attributed to those who only sent one SMS message, 12% and 14% — 2 SMS messages, 7% and 8% — three SMS messages. The distribution for Participant 07 is almost reverse: the share of votes received from the numbers which were used to send 20 SMS messages is 70%, 19 SMS messages — 5%, 2 SMS messages — 1%.
The analysis of the Finale is almost identical: the largest share of votes (80% for Participant 02 and 75% for Participant 06) can be attributed to those who only sent one SMS message, 8% and 12% — 2 SMS messages, 4% and 5% — three SMS messages, respectively. For Participant 07: those who sent 20 SMS — 75%, 19 SMS — 3%, 2 SMS — only 1%.
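The two checks described above (runs of consecutive phone numbers voting for one participant, and the share of a participant's votes broken down by votes per number) can be sketched as follows. This is an added example, not Group-IB's code; the record layout, the run-length threshold and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

def consecutive_runs(numbers, min_len=4):
    """Return (first, last, length) for every run of consecutive numbers."""
    runs, start, prev = [], None, None
    for n in sorted(set(numbers)):
        if prev is not None and n == prev + 1:
            prev = n                      # still inside the current run
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev, prev - start + 1))
        start = prev = n                  # a gap: open a new run
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev, prev - start + 1))
    return runs

def vote_share_by_count(numbers):
    """Map k -> share of all votes cast by numbers that voted exactly k times."""
    per_number = Counter(numbers)
    votes_at_k = Counter()
    for k in per_number.values():
        votes_at_k[k] += k
    return {k: v / len(numbers) for k, v in sorted(votes_at_k.items())}

def analyse(votes, min_len=4):
    """votes: iterable of (phone_number:int, participant:str), one per vote."""
    by_participant = defaultdict(list)
    for number, participant in votes:
        by_participant[participant].append(number)
    return {p: {"runs": consecutive_runs(nums, min_len),
                "avg_votes_per_number": len(nums) / len(set(nums)),
                "share_by_count": vote_share_by_count(nums)}
            for p, nums in by_participant.items()}

# Constructed sample data (not from the report): numbers are made-up integers.
SAMPLE_VOTES = (
    [(70000000038 + i, "P-B") for i in range(6) for _ in range(20)]  # 6 consecutive x 20
    + [(70010000000 + 137 * i, "P-B") for i in range(5)]             # 5 single voters
    + [(70020000000 + 211 * i, "P-A") for i in range(10)]            # 10 single voters
    + [(70020000000 + 211 * i, "P-A") for i in range(2)]             # 2 of them vote twice
)

if __name__ == "__main__":
    for participant, result in analyse(SAMPLE_VOTES).items():
        print(participant, result)
```

On the constructed data, the organic-looking participant has most votes at one vote per number and no runs, while the other shows a single run of six consecutive numbers carrying 96% of its votes at 20 votes per number.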
How the regions voted
Historically, Moscow and St. Petersburg had been the most active regions to vote for «The Voice» contestants. In this case, however, the vote distribution was different. The top 10 most active regions in terms of the volume of votes cast for the Finale and Grand Finale participants are: Moscow (71,000), Bashkortostan (35,000), St. Petersburg (29,000), Kursk Region (12,000), Republic of Tatarstan (7,000), Krasnodar Krai, Rostov Region and Ulyanovsk Region with 6,000 votes each, and Voronezh and Samara with 4,000 votes each.
Distribution by region also shows deviations in the percentage of votes cast for Participant 07. This is especially clear in Bashkortostan (97%), and the Kursk (96%) and Ulyanovsk (95%) regions.
What audit and penetration testing revealed
Group-IB’s Audit team examined the voting system considering different aspects, including network architecture, device configuration settings, and distribution of administrative roles in the team. In addition, various scenarios and vectors of attacks were tested in order to identify technical possibilities to modify the voting results.
The comprehensive assessment of the infrastructure, website and web application revealed a number of vulnerabilities typical for modern web services and networks. They could have potentially been exploited by an external attacker highly skilled in compromising applications and systems. However, as was confirmed during the first and later stages of the analysis, these vulnerabilities had not been exploited. During the security assessment stage all the results were promptly provided to the company that aggregated and processed the votes. The company has adopted some of Group-IB’s recommendations and continues to work on improving the system’s security.
What digital forensics revealed
Group-IB’s digital forensics specialists studied more than 5 billion bytes and over 30 million log strings. The systems were examined for possible modifications in the voting data by authorised and unauthorised users, as well as for deliberate changes made to the settings, which could have created conditions for outside influence on the voting system to alter the voting results. Also at this stage, it was important to check whether any voting data was deleted and examine the systems for the presence of malicious code or backdoors.
The forensic investigation into the servers, services and the website, which jointly represent the vote counting system, did not reveal any facts indicating unauthorised access to the system, or the removal and/or modification of information by employees of the company that aggregated the votes or by third parties. It was confirmed that the vulnerabilities identified at the security assessment stage had not been exploited. As such, the hypothesis of possible influence on the voting results by various attackers was rejected.