of "The Voice Kids Russia Season 6"
Group-IB Technical Investigation
BACKGROUND
26.04: "The Voice Kids" Season 6 Finale
In April 2019, the final episode of Season 6 of Russia's "The Voice Kids" was aired on Channel One Russia. The winner was chosen by public voting, but there was a considerable gap between the finalists. It sparked a public outcry, with many viewers, including public figures, claiming the vote had been rigged.

The voting results raised doubts within the Channel One team, which has been broadcasting "The Voice" for 8 years. As a number of very strong contestants had reached the final stage of Season 6, a very small gap between the leaders was expected. This, however, was not the case, as the winner scored 56.5% of the votes, while two other contestants received 27.9% and 15.6%, respectively.
Timeline
29.04: Channel One engaged Group-IB to verify voting results
07.05: Group-IB presented initial investigation results to Channel One and Talpa Media (the Dutch-based owner of the rights to the show "The Voice")
16.05: Channel One cancelled the results of the final episode and announced a special live edition of the project
11.06: Publication of Group-IB's technical investigation results

TECHNICAL TASKS
This situation prompted Channel One to launch a comprehensive independent investigation into the final voting results of "The Voice Kids".

Channel One entrusted the task of verifying the voting results to Group-IB, an international company that specialises in complex digital investigations and preventing cyberattacks.

The aim of the investigation was to determine whether there had been any outside influence on the public voting and answer the following questions:
01 Alteration of data: Was there any technical influence on the vote aggregation and processing system to alter the results?
02 Vote manipulation: Were there any vote manipulation tools used to imitate real viewers' votes?

REPORT OBJECTIVE
This report aims to present the activities and results of the independent technical study conducted by Group-IB's cross-functional team of experts in security assessment, digital forensics, investigation and technical data analysis as part of the investigation into the voting results of "The Voice Kids Russia Season 6".

LIMITATIONS
At the outset it should be noted that Group-IB's technical investigation is independent and its results are not intended for any accusatory conclusions about any participant of "The Voice Kids". Group-IB is strongly against the use of the data presented in the report below for the purpose of assessing the ethical side of the question or making accusations against the children or their parents.

Group-IB's detailed analytical report has been presented to Channel One Russia.

This report outlines the results of Group-IB's independent investigation and is available for review and analysis by third-party experts, except technical information, which is confidential and has been provided to the Customer directly. Group-IB recommends that all facts presented in the report be considered as a whole.

This report does not aim to assess whether the detected deviations are in compliance with the official rules of the show "The Voice Kids".

Group-IB specialists worked with the raw data provided by the Customer. In particular, they only used data relating to actual phone numbers, the number of votes and their frequency. The analysed information can be supplemented with data that Group-IB did not have at the time of the technical investigation.

It is important to note that this investigation does not aim to identify the perpetrators behind the vote manipulation or prove/disprove any specific individual's involvement in it. To identify the perpetrator Group-IB recommends that a separate investigation be conducted.

KEY FINDINGS
Automated vote manipulation revealed

The analysis of the votes revealed at least two pools of phone numbers that had been used to manipulate the voting. More than 41,000 votes in favour of Participant 07 were received from these numbers.

The first pool is distinguished by an unusual distribution of votes during the broadcasting of the show. The pool includes lists of consecutive numbers (up to 360 in a row), which belong to the same region. The automated manipulation involved a total of 9,484 numbers from which 33,175 calls were made. All numbers belong to the same region, Bashkortostan.

The second pool used in automatic vote manipulation was identified through the analysis of SMS messages. Likely due to a mistake of the perpetrators, 8,216 SMS messages contained not only the number of one of the contestants, but also technical information with an additional number and a timestamp. In addition, this pool of messages was sent through the same mobile operator and from the same region - Leningrad region. The analysis revealed signs of multithreading software as well.


Abnormally high rates of voting in specific regions revealed

Distribution by region also shows deviations in the percentage of votes cast for Participant 07 in the Grand Finale in comparison with the other contestants. This is especially clear in the Bashkortostan (97%, due to the pool of calls mentioned above), Kursk (96%) and Ulyanovsk (95%) regions. The Kursk and Ulyanovsk regions had pools of phone numbers that voted a maximum number of times, while the other participants did not have that.


Abnormal distribution of votes discovered

It is important to note that even after these pools were excluded from the analysis, Participant 07 still had an abnormal distribution, namely, a large number of unique phone numbers that cast 20 or more votes. This is not prohibited by the rules, but the distribution goes beyond the statistical error: Participant 07 had 2,078 such unique numbers, while the other Grand Finale participants (02 and 06) had only 39 and 59 respectively.

This means that the average number of votes per phone in favour of Participant 07 is close to 8, with an average of about 1.5 for the other participants (on average, the figure in all seasons of "The Voice" Russia since 2015 was 1.33). The high number of votes per number helped Participant 07 collect more votes overall. When compared with the second place, however, the number of unique phone numbers that voted for Participant 07 was 2 times lower in the Finale and almost 6 times lower in the Grand Finale.

Besides the two pools mentioned above, Group-IB specialists identified other deviations in the distribution of votes by number and region for Participant 07.
A more detailed examination of these deviations will require additional information from the mobile operators, which can only be requested by government authorities.


Vulnerabilities detected in the voting system

As part of the security assessment, Group-IB experts examined the voting system, provided by the company that aggregated and processed the votes. The system was studied considering different aspects, including network architecture, device configuration settings, and distribution of administrative roles in the team.
In addition, various scenarios and vectors of attacks on the infrastructure, website and web application were tested in order to identify technical possibilities to influence the voting results.

The assessment revealed vulnerabilities that could have been exploited by attackers to modify the voting results. However, digital forensic analysis conducted in the later stage showed that these vulnerabilities had not been exploited during the voting.

The information about detected vulnerabilities was provided to the company that aggregated and processed the votes. Some of Group-IB's recommendations have been implemented. The company continues to work on improving the system's security.


No changes in the voting results were made

Group-IB's digital forensic specialists reconstructed the exact chronology of the April 26 events, examined the received raw data for possible changes in the voting results by authorised and unauthorised users, as well as ensured the safety and reliability of the evidence base for further analysis.

Digital forensic analysis showed that the vulnerabilities detected at the security assessment stage had not been exploited.

The forensic investigation did not reveal any facts indicating unauthorised access to the system, or removal or modification of information by insiders or third parties. This means that the voting results correspond to the calls and text messages received.

THE CRITERIA FOR CHOOSING GROUP-IB
Group-IB employees leverage their extensive experience and expertise to provide comprehensive solutions to a wide range of cybersecurity issues, including security assessment, identification of insider threats, protection against digital piracy, and other types of threats and online fraud.

Group-IB's unique structure ensures that there is synergy between its departments and that all necessary competencies are in place to deliver an effective protection against cyberattacks of all scales.

The joint work of experts from the Audit, Consulting, Forensic, Incident Response and Investigation Departments enables them to carry out turn-key projects of varied complexity. The effective coordination and synergy between the teams ensure that all deadlines are met.

Group-IB — official Europol and INTERPOL partner

Over 1000 successful investigations

16 years of experience in cybersecurity

HYPOTHESES TESTED
In accordance with the assigned tasks, Group-IB experts developed the following hypotheses, which were agreed upon with the Customer and tested:


1. The vote counting system had technical vulnerabilities that could have potentially been exploited by attackers to modify the voting results.
2. The voting system was technically influenced by external attackers or by insiders with the purpose of altering the results of the vote. In other words, vulnerabilities detected in the voting system were exploited.
3. The collected data had traces of automated vote manipulation in favour of one of the participants.

Each of these hypotheses was then tested by Group-IB specialists at various stages of the investigation.

THE INVESTIGATION PROCESS
To test the hypotheses, a cross-functional project team was formed.
Group-IB's highly qualified experts carried out analysis in three areas:

1. Security assessment of the voting system
The key task of the first stage was to determine whether it was technically possible to influence the results by interfering with the voting system provided by Channel One's partner-company, which aggregated and processed the votes.

Objective: to check whether employees or external attackers could make changes to the voting results by exploiting vulnerabilities, architecture or configuration settings of the system.

What is important: to assess the possibility and probability of technical influence, such as insider interference, cyberattacks, and human error when handling the results of the voting and to carry out security assessment of the application by testing different scenarios and attack vectors.

Required methods and skills:

— for assessing the security of the main system interface: OWASP methodology (includes more than 100 different checks);
— for assessing the security of the voting system as a whole: knowledge of and skills in security assessment of multi-component systems.

2. Data collection and digital forensics
At this stage, the experts performed comprehensive data collection and checked event logs for the presence of malicious code and backdoors.

Objective: to check event logs for unauthorised actions and possible changes in the voting data by authorised and unauthorised users; identify the traces of deliberate changes made to the settings, which could have created conditions for outside influence on the voting system to alter the voting results.

What is important: to study the structure of servers, services, and databases and identify whether any data manipulation in the event logs took place; ensure the safety and reliability of the evidence base.

Required skills: digital forensics, database and malware analysis.

3. Technical analysis of the data
The investigation department works with the information received from the forensic specialists in order to reveal potential deviations in a large body of data.

Objective: to analyse the data on calls and text messages (IVR and SMS traffic) in order to identify anomalies, the use of bots, and other technologies to manipulate votes.

What is important: to determine criteria to evaluate and analyse the data, to develop and test the maximum number of hypotheses.

Required skills: statistical analysis and database management.

STAGE 1: SECURITY ASSESSMENT OF THE VOTE COUNTING SYSTEM
GOALS
As part of the investigation, Group-IB's Security Assessment team checked the infrastructure of the company that aggregated and processed the votes for vulnerabilities and collected information on its systems for further analysis.

The goal of this stage was to determine whether it was technically possible to interfere with the voting results. By technical interference we mean a change in the number of registered votes, which would affect the information viewed by the counting system operator.

RESEARCH PROGRAMME AND METHODOLOGY
The voting system was a complex application consisting of a chain of components that successively collected calls and text messages with votes from telecom operators. The system then counted the votes, logging all events in detail. The statistics and results were displayed on a special website, which was used by the show's hosts to announce the final results.

The security check was performed by simulating methods of technical interference based on the capabilities of various types of intruders:

  • An external attacker without knowledge of the voting system.
  • An attacker with access to the source code of the voting system.
  • An attacker with user rights in the web interface of the voting system.
  • An attacker with admin rights in the infrastructure and/or database that stores voting data.
During the security analysis, Group-IB experts were granted access to information systems and source codes. As part of the investigation, the administrators and owners of the voting system were interviewed.

The assessment was performed in accordance with international standards of practical risk assessment. For example, the OWASP methodology, which includes more than 100 checks, was used to analyse the security of the system's website. Group-IB specialists leveraged their expertise accumulated through more than 500 similar projects to adapt this methodology to the techniques and features of the application in question.

MAIN STEPS
The comprehensive security assessment of the system included, but was not limited to, the following actions:
1. Collecting data and analysing technologies used
2. Testing configuration and deployment management
3. Checking the distribution of access privileges
4. Testing the following mechanisms:
  • identification
  • authentication
  • authorization
  • session management
  • input data validation
5. Testing error processing
6. Testing business logic of the application
7. Testing client-side security mechanisms

    The main goal of the simulation during the project at this stage was to modify the voting results. Group-IB's Audit and Consulting team, therefore, focused on searching for logical errors in the system and typical website vulnerabilities that could have been exploited by attackers to modify the data.

    DETECTED VULNERABILITIES
    The comprehensive analysis of the system's infrastructure and the website revealed a number of vulnerabilities that are generally typical of modern web services and networks.

    The following vulnerabilities were detected:

    • Request injections in the database language format (SQL injections)
      They enabled the external attacker, who did not have anything to do with the system initially, to alter the voting results. This type of vulnerability was especially dangerous for the vote counting systems due to the use of a Postgres database and the PHP programming language used for web development. This made it possible not only to extract all information from the database, which is what a typical SQL injection does, but also to substitute data.

    • Bypass of online voting access control
      Some of the functions of the voting system could be communicated with directly through the Internet without any access rights, which made it possible to obtain or alter the data. Only the main page of the voting system was password-protected, with no passwords required for the majority of other functions.

    • Bypass of the voting system's password protection
      The password protection on the main page could be bypassed by sending a specifically crafted request without entering the password. This enabled the external attacker (hacker) to immediately gain access to the system's main interface and attack it to substitute the data.

    • Lack of control over data integrity
      Administrator access to the voting system and its infrastructure was not controlled, which enabled the administrators to alter the data. Despite the fact that this vulnerability is typical of most information systems, the vote counting system in question created a risk of data substitution that is difficult to detect.
    During the security assessment stage all the results were promptly provided to the company-provider that aggregated and processed the votes. The company has adopted some of Group-IB's recommendations and continues to work on improving the system's security.

    Note: Group-IB's detailed report with security assessment results, conclusions and recommendations is confidential and will be provided exclusively to the Customer.

    KEY FINDINGS
    The comprehensive inspection of the system's infrastructure and website revealed vulnerabilities that might have been exploited by various types of attackers.
    The inspection focused on those system vulnerabilities that could have been leveraged by an external attacker to interfere with the voting results.

    Thus, Hypothesis 1 that suggests technical vulnerabilities in the vote aggregation and processing system was confirmed at the first stage of the investigation.

    However, the forensic investigation conducted at the second stage showed that these vulnerabilities had not been exploited during the voting and before the data was provided to Group-IB for analysis.

    STAGE 2: DATA COLLECTION AND FORENSICS
    GOALS
    Specialists from Group-IB's Digital Forensics Lab, the largest forensic laboratory in Eastern Europe, were engaged to conduct proper data collection and detailed forensic research.

    The goal at this stage was to reveal all components of the vote logging systems, which could have potentially been used to alter the voting results; to ensure the safety of event logs and analyse the collected data for unauthorised access to the system or data corruption by an insider or an external attacker.

    Moreover, at this stage it was important to ensure the safety and reliability of the evidence base and prepare the data for further analysis.

    STAGES OF FORENSIC INVESTIGATION
    1 | Analysis of the voting system's structure

    At the first stage, Group-IB specialists determined the sequence of servers, services, and databases, through which text messages (or information about incoming phone calls) passed, from the moment telecom operators' data were received, until the time the processed information was displayed in the voting results.
    2 | Employee interviews

    Next, the forensic specialists conducted a series of face-to-face interviews with the following employees of the company that aggregated and processed the votes:

    • administrators of servers and services
    • CTO
    • other persons who had the right of access to these resources.

    Based on the results of the interviews, Group-IB specialists determined the roles of the employees and identified technical data on the operation of the services, data collection and aggregation algorithms, as well as possible methods of modifying or deleting data received from telecom operators.
    3 | Forensic data collection

    At this stage, server and website access logs, database logs, server user activity logs, and other forensic artifacts were collected and analysed:

    • Log files of user logons on the database of incoming SMS messages, the website backend and frontend
    • Log files of three servers of Java applications that processed text messages received from the MSG platform (a platform designed to work with telecom operators using the SMPP v3.4 protocol)
    • System log files of SMS counting database
    • Log files of servers that were used to manage incoming SMS messages and responses from telecom operators (ESME clients (MSG platform), communications with operators via SMPP)
    • Code files of the resource "gd2019.mmi.ru", as well as website access logs
    • Network traffic dump with data on incoming text messages received from telecom operators, "goloskids2019-final.pcap"

    The investigation involved the collection and analysis of:

    – 5,711,169,746 bytes of data
    – more than 30,000,000 log rows
    All of the mentioned files were packed in "*.ad1" forensic containers to preserve metadata, such as timestamps. This makes it possible to ensure that the files remain unchanged, so that they can be studied and presented as evidence.
    The data collection stage resulted in an "Act of Copying Information", which was signed by all involved parties on the side of the company that aggregated and processed the votes, and Group-IB.
    4 | Forensic data analysis

    As a first step, Group-IB experts compared the source data (incoming SMS traffic transmitted from telecom operators to vote counting system) with the voting results. As a result, the specialists determined that the source data corresponded to the results shown during the broadcast on 26 April 2019. We will call it "Check 1".

    Scenario 1. "An insider is the operator of Channel One's website."
    The channel's operator is capable of changing each candidate's voting results. Check 1, however, disproved this hypothesis.

    Scenario 2. "Technical failure in delivering messages from telecom operators to the provider that processed the votes."
    Technical failure could have prevented some text messages from being delivered. At the end of the voting, the company that aggregated the votes and telecom operators checked the number of delivered text messages against those paid by the senders. As a result of the check, the percentage of discrepancies averaged 0.5% for all operators. This is less than in previous seasons of "The Voice Kids" and fell within the margin of error. It is important to note that the experts analysed the logs of incoming SMS messages. No delays in message delivery were detected.

    Scenario 3. "Technical failure in the company that aggregated the votes."
    Operational failures could have led to a change in the voting results, due to a loss or distortion of part of the data. The experts analysed the system logs of the servers involved in collecting and counting text messages. The primary focus was on checking error events of operating systems and software, system reboots during the voting, and instances of interference with the operation of third-party software servers. The specialists also searched for the traces of malicious programs. No events indicating any technical failures or interference with the operation of the servers were detected.

    Scenario 4. "An insider in the company that provided the vote counting system"
    An employee of the company could have manually changed the number of votes in favour of a particular participant. Check 1 partially rejected this hypothesis. Following this, the experts checked system logs for the presence of remote access to servers and databases by company employees. The analysis was conducted on the basis of the roles established during the interviews with the employees. No abnormal activities were detected. Further, the specialists analysed the commands (SQL queries) transmitted to the "DB Golos" database during the voting process. No actions that could have altered and/or deleted information about the incoming votes were detected.

    Scenario 5. "External intrusion into the infrastructure of the vote counting system"
    An external attacker could have gained access to the company's infrastructure and changed the voting results in favour of one of the participants either in the database or on the website used by Channel One employees to display the results. Impact on the website where the results are displayed is excluded by Check 1. To verify the hypothesis of an attack on the database and other servers and services, the specialists analysed user authentication logs of the objects in question, as well as the history of commands executed by the users during the voting process. Information indicating access to the infrastructure of the company that aggregated and processed votes by third parties was not detected.

      KEY FINDINGS
      The forensic investigation into the servers, services and the website, which jointly represent the vote counting system, did not reveal the presence of malicious code or backdoors, any facts indicating unauthorised access to the system, or the removal and/or modification of information by employees of the company or third parties.

      This means that the technical vulnerabilities of the system identified at the security assessment stage were not involved in the voting and did not affect its outcome.

      Hypothesis 2, which suggests that the vote counting system's technical flaws might have been exploited, was therefore rejected based on the results of this stage of the investigation.

      STAGE 3: TECHNICAL ANALYSIS OF THE DATA
      GOALS
      The goal at this stage was to determine whether there had been any traces of systems for automated calls and SMS messages used to manipulate the voting in favour of one of the participants. Based on the data checked by the forensic specialists and the report by the company that aggregated and processed the votes, Group-IB's Investigation Department conducted their own analysis to identify and explain any anomalies.



      PRELIMINARY STAGE AND DATA CHECK
      The original data was provided by the company that processed the votes and checked with mobile operators' data to identify whether there had been any possible discrepancies. The data was divided into two categories: telephone calls (hereinafter IVR) and votes received via SMS. These categories require different analysis approaches due to their technical differences.


      The original SMS data was divided by mobile operators and was presented in the form of logs that contained:

      • vote timestamp
      • voter phone number
      • phone number that the SMS messages were sent to (in our case 4447)
      • mobile operator
      • text from the SMS messages

      IVR data included:

      • project number
      • project name
      • vote timestamp
      • voter phone number
      • participant number
      • mobile operator
      • region (geographic) associated with the phone number

      FINALE STRUCTURE AND SHOW RULES
      As part of the investigation, the experts analysed the voting data received during the broadcast on 26 April 2019. The final episode had two stages:

      Stage 1 — choosing a contestant from each coach's team of three (hereinafter Finale)

      Stage 2 — choosing the winner (hereinafter Grand Finale)

      According to the competition's rules, one phone number can be used for a maximum of 20 votes for one participant at each stage of the show, i.e. the total number of votes is 20+20. When analysing the data, Group-IB specialists excluded the votes that surpassed 20 at each stage.

      The section below analyses the key statistics of all participants, where the top contestants are referred to as Participant 02, Participant 06, and Participant 07.


      VOTES DISTRIBUTION IN TIME
      The final show's live broadcast started at 9.30pm Moscow time (UTC+3:00) on 26 April 2019. The voting stages were opened and closed by order of the TV hosts. During the performance, each participant had their number shown at the bottom of the screen. The participants' numbers were shown a second time closer to the end of each voting stage, which can be seen in small increases on the chart.

      The chart below shows that normal vote distribution has several peaks. The votes reached their peak in the middle of a contestant's solo performance, with less significant upticks when voting information was shown on the screen.

      Specialists also detected an uneven ratio of the number of IVR votes and text messages (there were about 10 messages per 1 call). That is why they decided to build a separate chart for the IVR traffic to analyse the data in more detail.
        Distribution of IVR votes and text messages in time

        Singling out and analysing IVR Pool
        IDENTIFICATION OF NUMBERS INVOLVED IN THE VOTE MANIPULATION
        The deviation for Participant 07 is clearly visible: a high number of votes per second from the very beginning of the voting and an even distribution over time (instead of one or several peaks).

        This observation provided the basis for checking the IVR traffic in more detail and identifying a pool of phone numbers that were involved in the vote manipulation (hereinafter IVR Pool). This pool included groups of consecutive numbers, for example:

        834794ХХ238
        834794ХХ239
        834794ХХ240
        834794ХХ241
        834794ХХ242
        834794ХХ243
        834794ХХ244
        834794ХХ245
        834794ХХ246
        834794ХХ247,
        where ХХ are the same digits

        The largest pool comprises 364 consecutive numbers while the smallest one has 4 numbers.* There were 146 such groups. They all have the same def code (Bashkortostan) and belong to the same mobile operator. All these groups were singled out as IVR Pool.

        Conclusion: most of the calls made in favour of Participant 07 were received from consecutive numbers from the Republic of Bashkortostan and the same mobile operator. These calls were distributed evenly and had no peaks like the calls for the other participants.

        There was a total of 9,484 phone numbers detected, which made 33,175 calls in favour of Participant 07. If the calls from these pools are excluded, the call distribution for Participant 07 follows a normal pattern and is similar to that of the other participants. These calls made a significant impact on the results of the vote. Because of the IVR Pool in the Republic of Bashkortostan, the share of voters supporting Participant 07 was 97% in comparison with the other Grand Finale participants.

        *No votes coming from consecutive numbers were recorded in the results of the other participants.
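The consecutive-number check described above can be reproduced over call records as follows. This is an added example, not Group-IB's code: the record layout (phone, participant, operator, region) follows the IVR fields listed earlier, and the phone numbers, operator and region names in the sample are constructed.

```python
from collections import defaultdict

MIN_RUN = 4  # smallest group size mentioned in the report


def consecutive_runs(numbers, min_run=MIN_RUN):
    """Return runs (lists of ints) of at least min_run consecutive numbers."""
    runs, current = [], []
    for n in sorted({int(x) for x in numbers}):
        if current and n == current[-1] + 1:
            current.append(n)
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = [n]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def pool_report(calls, min_run=MIN_RUN):
    """Summarise consecutive-number groups per (participant, operator, region).

    calls: iterable of (phone, participant, operator, region) tuples.
    Only keys that contain at least one qualifying run are reported.
    """
    callers = defaultdict(set)
    calls_from = defaultdict(int)
    for phone, participant, operator, region in calls:
        key = (participant, operator, region)
        callers[key].add(int(phone))
        calls_from[key, int(phone)] += 1

    report = {}
    for key, phones in callers.items():
        runs = consecutive_runs(phones, min_run)
        if not runs:
            continue
        members = [n for run in runs for n in run]
        report[key] = {
            "groups": len(runs),
            "largest": max(len(r) for r in runs),
            "smallest": min(len(r) for r in runs),
            "numbers": len(members),
            "calls": sum(calls_from[key, n] for n in members),
        }
    return report


def build_sample_calls():
    """Constructed sample: two consecutive blocks for 07, scattered callers otherwise."""
    calls = []
    for n in range(89990000238, 89990000248):      # 10 consecutive numbers, 3 calls each
        calls += [(str(n), "07", "OperatorA", "RegionA")] * 3
    for n in range(89990000500, 89990000504):      # 4 consecutive numbers, 2 calls each
        calls += [(str(n), "07", "OperatorA", "RegionA")] * 2
    for p in ("89991112233", "89993334455", "89995556677"):
        calls.append((p, "07", "OperatorB", "RegionB"))
    # Three neighbours only: below the threshold, so not reported as a group.
    for p in ("89990001000", "89990001001", "89990001002", "89997770001"):
        calls.append((p, "02", "OperatorA", "RegionA"))
    for p in ("89992220001", "89994440009"):
        calls.append((p, "06", "OperatorC", "RegionC"))
    return calls


if __name__ == "__main__":
    for key, stats in pool_report(build_sample_calls()).items():
        print(key, stats)
```

Grouping by operator and region before looking for runs mirrors the report's observation that all groups shared one def code and one operator.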
          Distribution of IVR votes in time
          Number and size of lists of consecutive phone numbers
          Distribution of votes in IVR pool

          There is another sign that indicates deviations from the norm in the IVR Pool. To detect this deviation, the specialists compared the IVR pool of Participant 07 and the voting data for the other participants: 02 and 06. The experts analysed the percentage of voters who voted once, twice, etc.

          Explanation of the figure. The histogram below shows that the pattern of vote distribution for Participants 02 and 06 is the same, while there is a deviation in IVR pool.
            Conclusion: in addition to the pool of consecutive numbers from the Republic of Bashkortostan, the analysis revealed that over 80% of the IVR pool voted twice or more for Participant 07, while over 80% of people voting for the other participants voted only once.
              Vote distribution in the IVR Pool (Finale)
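The two IVR checks described above (runs of consecutive caller numbers, and the share of numbers voting twice or more) can be sketched as follows. This is an added example, not Group-IB's tooling: the function names, the call log and the phone numbers are constructed, and the def-code and operator matching from the report is left out.

```python
from collections import Counter

MIN_RUN = 4  # smallest pool size reported in the investigation

def consecutive_pools(numbers, min_run=MIN_RUN):
    """Return runs of consecutive numbers (step 1) with length >= min_run."""
    pools, run = [], []
    for n in sorted(set(numbers)):
        if run and n == run[-1] + 1:
            run.append(n)
        else:
            if len(run) >= min_run:
                pools.append(run)
            run = [n]
    if len(run) >= min_run:
        pools.append(run)
    return pools

def repeat_voter_share(calls, members):
    """Share of the given numbers that called twice or more."""
    counts = Counter(c for c in calls if c in members)
    if not counts:
        return 0.0
    return sum(1 for v in counts.values() if v >= 2) / len(counts)

# Constructed call log for one participant: one entry per call.
# All numbers are made up and carry a placeholder prefix.
CALLS = (
    [70000001000 + i for i in range(6)] * 3    # run of 6, three calls each
    + [70000002000 + i for i in range(4)] * 2  # run of 4, two calls each
    + [70000003000, 70000003001, 70000003002]  # run of 3: below threshold
    + [70000005017, 70000009340, 70000012345]  # scattered single callers
)

def analyse(calls):
    """Split callers into pooled and remaining numbers and compare them."""
    pools = consecutive_pools(calls)
    pooled = {n for p in pools for n in p}
    others = set(calls) - pooled
    return {
        "pool_sizes": [len(p) for p in pools],
        "pooled_numbers": len(pooled),
        "pool_repeat_share": repeat_voter_share(calls, pooled),
        "other_repeat_share": repeat_voter_share(calls, others),
    }

if __name__ == "__main__":
    print(analyse(CALLS))
```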

              SMS: General analysis of votes
              TIME-BASED DISTRIBUTION OF SMS VOTES
              The chart for the distribution of the SMS votes per second during the broadcast of the show has deviations for Participant 07.

              Explanation of the figure.
              The first peak in each participant's voting results was recorded during their performance. The second peak was closer to the end of the voting, when a contestant's number was shown on the screen.

              The distribution of peaks in the Finale is normal for all the participants. In the Grand Finale, Participant 07's first peak, however, was significantly shifted towards the beginning of the vote, even though they were the last to perform.

              Conclusion: this abnormal distribution of peaks is caused by automated SMS voting, which is confirmed by further analysis of SMS traffic.


                Distribution of SMS votes in time during the show
                Singling out and analysing SMS with technical text

                SMS CONTAINING TECHNICAL TEXT
                Further analysis of the SMS traffic revealed messages with unusual text. Most likely, those who carried out automated mass SMS messaging experienced a technical problem. The error resulted in part of the code of an automated SMS messaging tool ending up in the text of the SMS.
                  We detected a total of 8,217 such SMS messages sent from 253 phone numbers that had the same def-code of the Leningrad region and belonged to the same mobile operator (hereinafter SMS Pool). This pool was used in voting at the two stages - Finale and Grand Finale - which means that a maximum of 40 votes could be counted from one phone.

                  HLR requests that were made to determine whether a subscriber was available revealed that the majority of numbers had been inactive.

                  The detected text messages consisted of three parts: a contestant number, an additional number and a timestamp. The list of additional numbers (from 1 to 32) had an interesting feature: all messages sent from each unique phone number contained the same additional number. This is typical of multithreading software, where the second number stands for the number of a thread that is used to send automatic SMS messages. Group-IB specialists believe that these are the numbers of threads that were set up on the side of the organiser of the SMS texts from the SMS Pool.
                  Conclusion: the analysis revealed that software had been used to send automated SMS votes for Participant 07. As with the IVR voting, the numbers that were used to manipulate the vote were from the same area (Leningrad region) and belonged to the same mobile operator. The software that was used to manipulate the vote had multithreading capabilities and created logs of sent messages specifying the thread number and the exact time. The analysis revealed a total of 8,217 messages sent from 253 numbers, which indicates that the average number of messages per number was 32 out of a maximum of 40 messages.
                  Example of a table showing messages with technical information
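The three-part structure described above lends itself to a simple per-sender check: find texts that match the pattern and confirm that each sender always uses the same additional number. The following is an added example, not Group-IB's code; the exact message layout, the sample messages and the phone numbers are assumptions constructed for illustration, since the report names the three parts but not their format.

```python
import re
from collections import defaultdict

# Assumed layout: "<contestant> <additional number> <HH:MM:SS>".
# The report names the three parts but not their exact format.
TECH = re.compile(r"^(\d{1,2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})$")

def find_sms_pool(messages):
    """messages: iterable of (sender, text).
    Returns {sender: {"threads": set, "messages": int}} for senders whose
    texts match the contestant/additional-number/timestamp pattern."""
    pool = defaultdict(lambda: {"threads": set(), "messages": 0})
    for sender, text in messages:
        m = TECH.match(text.strip())
        if m is None:
            continue  # ordinary vote, e.g. just the contestant number
        pool[sender]["threads"].add(int(m.group(2)))
        pool[sender]["messages"] += 1
    return dict(pool)

def summarise(pool):
    """Aggregate figures of the kind quoted in the report."""
    total = sum(p["messages"] for p in pool.values())
    return {
        "senders": len(pool),
        "messages": total,
        "avg_per_sender": total / len(pool) if pool else 0.0,
        # One additional number per sender is the thread-id signature.
        "one_thread_per_sender": all(len(p["threads"]) == 1 for p in pool.values()),
        "distinct_threads": sorted({t for p in pool.values() for t in p["threads"]}),
    }

# Constructed sample; numbers and texts are made up for illustration.
SAMPLE = [
    ("+70000000101", "07 3 21:40:01"),
    ("+70000000101", "07 3 21:40:09"),
    ("+70000000102", "07 17 21:40:02"),
    ("+70000000102", "07 17 21:40:11"),
    ("+70000000102", "07 17 21:40:19"),
    ("+70000000555", "07"),  # ordinary vote
    ("+70000000777", "06"),  # ordinary vote
]

if __name__ == "__main__":
    print(summarise(find_sms_pool(SAMPLE)))
```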
                  Vote distribution in SMS Pool

                  It is important to note that the SMS Pool has certain features of vote distribution per number. In most cases these numbers voted 20 times at each voting stage, which can be seen in the charts below.

                  Conclusion: the SMS Pool has a high number of votes from each unique phone number (in most cases the maximum number of votes permitted by the rules).
                    Distribution of votes for Participant 07 (SMS Pool) when choosing participants from teams of three (Finale)
                    Distribution of votes for Participant 07 (SMS Pool) when choosing the winner (Grand Finale)

                    Analysis of other votes (without SMS Pool)
                    Similar to the IVR votes, we analysed the distribution of SMS messages per phone number with SMS Pool excluded. The analysis results are similar: Participant 07 has an unusual number of phone numbers with 20 votes each.

                    The difference is that the share of text messages in the total volume of votes is much more than the share of calls. For this reason, in the case of IVR, there were hundreds of phone numbers involved, while in this case, the number of unique phone numbers that cast 20 votes for Participant 07 reached about 2,000 (overall for the Finale and Grand Finale together).

                    Analysis by region: The analysis shows that the distribution of these phone numbers (that cast 19 or more votes) by region, like in the case of IVR, is abnormal:

                    Moscow: 680
                    Kursk Region: 260
                    Ulyanovsk Region: 210
                    St. Petersburg: 150
                    Republic of Tatarstan: 100

                    Conclusion: Even after SMS Pool is excluded from the analysis, there are still deviations in the form of an unusually significant number of people who voted 20 times from each unique number in favour of Participant 07. Taking into account the massive scale of SMS traffic, these votes made a great contribution to the final result: Participant 07 won by the number of votes, despite the fact that the amount of unique numbers that sent text messages was several times smaller than that of the participant who took second place.
                      Distribution of votes (SMS) when choosing participants from teams of three (Finale)
                      Distribution of votes (SMS) when choosing the winner (Grand Finale)

                      DISTRIBUTION OF VOTES BY REGION
                      The analysis summary of the vote distribution by region (SMS and IVR together) reveals the overall picture. Apart from Bashkortostan, where 97% of the votes were in favour of Participant 07 (due to the IVR Pool mentioned above), there is an unusual vote distribution in the Kursk (96%) and Ulyanovsk (95%) regions.

                      The map below shows the total distribution of votes among Participants 02, 06 and 07 in the most active geographical regions:

                      Moscow: 71,000
                      Bashkortostan: 35,000
                      St. Petersburg: 29,000
                      Kursk region: 12,000
                      Republic of Tatarstan: 7,000
                      Krasnodar Krai, Rostov Region, Ulyanovsk Region: 6,000 each
                      Voronezh Region, Samara Region: 4,000 each
                      Stavropol Krai: 3,000

                      Conclusion: the Republic of Bashkortostan and the Kursk and Ulyanovsk regions have evidently abnormal vote distribution patterns. In Bashkortostan, most of the votes were received through calls made from consecutive numbers and from the same mobile operator. A similar distribution pattern is evident in the Kursk and Ulyanovsk regions, where 260 and 210 numbers voted a maximum number of times. Confirming the fact of automated vote manipulation requires information about the geolocation of these numbers at the time of voting in order to determine whether they were located in the same area. However, only government authorities can access these data.


                      Distribution of average number of votes cast from one phone per participant
                      Explanation of the figure. On the left you can see that the average number of votes cast from one phone for Participant 07 approaches 8 with an average value of about 1.5 (Participant 02 and Participant 06 have a result close to the average).

                      Conclusion: the high number of votes per number helped Participant 07 collect a total of more votes. That said, the number of unique phone numbers that voted for this participant was 2 times lower in the Finale and almost 6 times in the Grand Finale than that of Participant 06, who took second place.
                      Average number of votes per phone and the number of unique phone numbers in the Grand Finale in comparison with the average figure for all participants (IVR and SMS pools excluded).

                      KEY CONCLUSIONS
                      The investigation revealed two instances of vote manipulation: IVR calls from consecutive phone numbers coming from Bashkortostan and automated SMS messaging from the Leningrad region. This means that hypothesis 3, which suggests that automated vote manipulation took place, was confirmed.

                      However, even after these pools are excluded from the analysis, there are still deviations in the form of an unusually significant number of people who voted 20 times from each unique number, and vote distribution by region.

                      Apart from Bashkortostan, where 97% of votes were cast via IVR in favour of Participant 07, there are similar distributions in the Kursk (96%) and Ulyanovsk (95%) regions, mostly through SMS voting. These are the regions where the investigation revealed pools of numbers from which maximum numbers of votes were received, unlike the other participants.

                      Confirming automated vote manipulation in the Kursk and Ulyanovsk regions required information about the geolocation of these numbers at the time of the voting in order to determine whether they were located in the same area. These data, however, should be requested from mobile operators, which only provide this information to government authorities.