4 | Forensic data analysis
As a first step, Group-IB experts compared the source data (incoming SMS traffic transmitted from telecom operators to the vote counting system) with the voting results. The specialists determined that the source data corresponded to the results shown during the broadcast on 26 April 2019. We will call it "Check 1".
Scenario 1.
"An insider is the operator of Channel One's website."
The channel's operator is capable of changing each candidate's voting results. Check 1, however, disproved this hypothesis.
Scenario 2.
"Technical failure in delivering messages from telecom operators to the provider that processed the votes."
Technical failure could have prevented some text messages from being delivered. At the end of the voting, the company that aggregated the votes and the telecom operators checked the number of delivered text messages against the number paid for by the senders. The check showed that the percentage of discrepancies averaged 0.5% for all operators. This is less than in previous seasons of "The Voice Kids" and fell within the margin of error. It is important to note that the experts analysed the logs of incoming SMS messages. No delays in message delivery were detected.
Scenario 3.
"Technical failure in the company that aggregated the votes."
Operational failures could have led to a change in the voting results, due to a loss or distortion of part of the data. The experts analysed the system logs of the servers involved in collecting and counting text messages. The primary focus was on checking error events of operating systems and software, system reboots during the voting, and instances of interference with the operation of third-party software servers. The specialists also searched for traces of malicious programs. No events indicating any technical failures or interference with the operation of the servers were detected.
Scenario 4.
"An insider in the company that provided the vote counting system."
An employee of the company could have manually changed the number of votes in favour of a particular participant. Check 1 partially rejected this hypothesis. Following this, the experts checked system logs for the presence of remote access to servers and databases by company employees. The analysis was conducted on the basis of the roles established during the interviews with the employees. No abnormal activities were detected. Further, the specialists analysed the commands (SQL queries) transmitted to the "DB Golos" database during the voting process. No actions that could have altered and/or deleted information about the incoming votes were detected.
Scenario 5.
"External intrusion into the infrastructure of the vote counting system."
An external attacker could have gained access to the company's infrastructure and changed the voting results in favour of one of the participants either in the database or on the website used by Channel One employees to display the results. Impact on the website where the results are displayed is excluded by Check 1. To verify the hypothesis of an attack on the database and other servers and services, the specialists analysed user authentication logs of the objects in question, as well as the history of commands executed by the users during the voting process. No information indicating that third parties had accessed the infrastructure of the company that aggregated and processed votes was detected.
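The review of SQL commands described under Scenarios 4 and 5 can be sketched as a pass over a query log that reports every statement able to alter or delete vote rows during the voting window. This is an added example, not Group-IB's tooling or code from the report; the log format, the table name "votes", the account names and the voting-window times are assumptions, and all log lines are constructed.

```python
import re
from datetime import datetime

# Assumptions, not from the report: the log line format, the table name,
# the account names and the voting-window times. All log lines are constructed.
PROTECTED_TABLE = "votes"
WINDOW = (datetime(2019, 4, 26, 21, 30), datetime(2019, 4, 26, 23, 59))
SAMPLE_LOG = """\
2019-04-26T21:31:02 ingest INSERT INTO votes (msisdn, body) VALUES ('70000000001', '3')
2019-04-26T21:31:03 ingest INSERT INTO votes (msisdn, body) VALUES ('70000000002', 'delete; update votes')
2019-04-26T21:40:10 report SELECT body, COUNT(*) FROM votes GROUP BY body
2019-04-26T21:45:00 admin SELECT 1; /* cleanup */ delete FROM votes WHERE candidate = 2
2019-04-26T21:50:00 admin UPDATE sessions SET seen = 1 -- not the votes table
2019-04-26T22:05:30 ingest INSERT INTO votes (id, candidate) VALUES (9, 1) ON DUPLICATE KEY UPDATE candidate = 1
2019-04-27T03:00:00 admin DELETE FROM votes WHERE id < 0
"""

MUTATING = re.compile(r"\b(UPDATE|DELETE|TRUNCATE|DROP|ALTER|REPLACE|MERGE)\b", re.I)
# String literals and comments are blanked in one left-to-right pass, so text
# inside them neither hides a keyword nor triggers a false hit or a false split.
NOISE = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.S)
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")

def audit(log_text):
    """Return (timestamp, user, verb, statement) for each statement that could
    alter or delete rows of PROTECTED_TABLE inside the voting window.
    The statement is returned with literals and comments blanked."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log record in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        if not WINDOW[0] <= ts <= WINDOW[1]:
            continue
        for stmt in NOISE.sub(" ", m.group(3)).split(";"):
            verb = MUTATING.search(stmt)
            if verb and re.search(rf"\b{PROTECTED_TABLE}\b", stmt, re.I):
                findings.append((m.group(1), m.group(2), verb.group(1).upper(), stmt.strip()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Plain INSERTs of incoming votes pass, while the stacked delete and the upsert that rewrites an existing row are reported; a REPLACE() function call in a SELECT would also be reported and needs manual triage.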