About Team Cymru Internet weather reports
Our Internet weather reports are intended to provide data and technical analysis of significant events occurring across the Internet. The information aims to equip readers with insights that contribute to their own conclusions and provide additional context.
Introduction
On July 28, 2024, Venezuela held presidential elections to determine who would lead the nation for the next six-year term. The government-controlled Consejo Nacional Electoral (CNE) declared incumbent Nicolás Maduro the winner, a result that remains heavily disputed by opposition candidates and the broader international community.
Among the myriad concerns raised during the election process was a delay in the vote count, with the results being announced later than scheduled. Both the CNE and Maduro attributed this delay to a "cyber attack" allegedly launched from North Macedonia.
In this blog post we will examine these “cyber attack” claims by analyzing high-level network telemetry data, derived from Pure Signal™.
Key Findings
A noticeable spike in network traffic was observed on 28 July 2024, the day of the Venezuelan presidential election, specifically targeting IP 201.130.83.39, which is linked to the CNE's services.
The nature of the traffic spike, characterized by a sudden increase in connections from a wide range of global IP addresses, suggests a potential distributed denial of service (DDoS) attack.
The responsible party for the activity remains unidentified based on the available data, leaving the source and intent of the attack unclear.
Analysis of AS61471
The CNE operates its own autonomous system (AS61471) with a single /23 netblock assigned to it: 201.130.82.0/23. This netblock hosts various domains associated with the CNE, typically subdomains of cne.gob[.]ve.
Given the claims of a "cyber attack" against the CNE, AS61471 is a logical focal point for our analysis. Figure 1 below shows observed UDP traffic from the period 23 July to 2 August, 2024.
Figure 1 - UDP Traffic
The traffic pattern shows a distinct spike on 28 July 2024, the day of the election. Traffic levels before and after this spike are generally consistent with expected volumes based on a broader analysis of AS61471 over a more extended period.
Upon further investigation, we found that a single IP, 201.130.83.39, was the destination for the vast majority of this UDP (protocol 17) activity, accounting for 98% of the traffic. The same distinct spike is evident in Figure 2 below, which shows the communications overview for this IP.
Figure 2 - Communications Overview for 201.130.83.39
According to passive DNS (pDNS) data, IP 201.130.83.39 hosts two CNE subdomains:
safe.cne.gob[.]ve
sicofpe.cne.gob[.]ve
Both subdomains direct traffic to login portals. Figures 3 and 4 below show screenshots of the login portals for safe.cne.gob[.]ve and sicofpe.cne.gob[.]ve, respectively.
Figure 3 - Login Portal for SAFE
"SAFE" appears to be an acronym for Sistema Automatizado de Fiscalización Electoral, or “automated electoral oversight system”.
Figure 4 - Login Portal for SICOFPE
"SICOFPE" appears to be an acronym for Sistema Integral del Control del Financiamiento Político Electoral, or “comprehensive system for the control of political-electoral financing”. Open-source reporting describes it as an accounting tool in which all expenses and income received and used by organizations with political purposes are recorded.
It is evident that both portals play a role in the operations of the CNE and, by extension, in the political apparatus of the Venezuelan government.
However, the data available to us (NetFlow) carries no payload, so it cannot pinpoint which service was the likely target of the suspected attack. It merely shows an increase in traffic to the IP address hosting both portals.
Analysis of 201.130.83.39
Examining specific data for IP 201.130.83.39, we observed that activity prior to the spike on 28 July 2024 was primarily characterized by inbound connections from other hosts within Venezuela, typically on port 443. This activity likely represents Venezuelan users accessing the login portals known to be hosted on this IP address.
However, at 11:29 AM local time in Venezuela on 28 July 2024, the pattern changed: UDP flows began arriving from numerous remote hosts worldwide, with source port 53 on the remote host and destination port 80 on IP 201.130.83.39. Figure 5 below provides a simplified representation of this activity for clarity.
Figure 5 - Observed Connections
This activity continued for approximately 34 minutes, until 12:03 PM local time. During this period we also observed occasional TCP activity, in which high ephemeral ports on the remote IPs replaced source port 53. After 12:03 PM, the activity reverted to the previously described pattern, with inbound connections to port 443 from IPs primarily located in Venezuela. No further spikes in activity were noted.
The ports and protocols observed make it difficult to form a firm hypothesis about the nature of the activity. UDP traffic with source port 53 arriving at a non-DNS port is the shape one would expect from DNS reflection, in which open resolvers answer queries whose source address has been spoofed to the victim, but NetFlow carries neither payload nor proof of spoofing, so that reading cannot be confirmed from this data.
What we can state with greater confidence is that there was a significant spike in traffic involving IP 201.130.83.39, one that may have affected genuine users trying to reach the services hosted there. A spike of this shape, a short and intense burst from a large number of sources, is indicative of an attempted distributed denial of service (DDoS) attack.
Examining the individual IP addresses involved in this traffic spike, just under 6,000 in total, we found that the majority (86%) were assigned to providers in Czechia and South Africa. In all, we observed 110 distinct country codes. If the traffic was reflected, these addresses would be intermediaries rather than the originating hosts, so their geography says little about who launched the activity.
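The analysis above (a per-minute spike against one IP, the dominant protocol and port signature inside the spike window, and the country mix of the sources) can be reproduced over ordinary flow records. The script below is an added example, not Team Cymru code and not Pure Signal™ data: its flow records are constructed inline to mimic the pattern described in this section (three HTTPS flows per minute from Venezuelan clients as baseline, then a 34-minute burst of UDP source port 53 to destination port 80 from a pool of remote hosts). The source addresses, the country mix and the 150-flows-per-minute burst rate are invented, the spike threshold of ten times the median minute is an arbitrary choice, and the timestamp conversion assumes Venezuela is UTC-4.

```python
"""Characterising a traffic spike in NetFlow-style records. Added example: not Team
Cymru code and not real Pure Signal data. The records are constructed to mimic the
pattern in the post: a baseline of TCP/443 flows from Venezuelan hosts, then a
34-minute burst of UDP flows, source port 53 to destination port 80, from many hosts."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

TARGET = "201.130.83.39"                               # the IP the post focuses on
T0 = datetime(2024, 7, 28, 14, 0, tzinfo=timezone.utc)  # 10:00 local (VET is UTC-4)
OTHER_CC = ["US", "DE", "BR", "IN", "FR", "GB", "NL", "JP", "AR", "ES", "IT", "PL", "CA", "AU"]


def build_source_pool(size=1000):
    """Constructed pool of remote UDP sources: 50% CZ, 36% ZA, the rest spread over 14
    countries. RFC 1918 addresses are used so that none of these are real hosts."""
    pool = []
    for i in range(size):
        cc = "CZ" if i < size // 2 else "ZA" if i < size * 86 // 100 else OTHER_CC[i % 14]
        pool.append((f"10.{i // 256}.{i % 256}.1", cc))
    return pool


def build_sample_flows():
    """Constructed NetFlow-like records (one dict per flow) covering 10:00 to 13:00 local."""
    flows, pool = [], build_source_pool()
    for m in range(180):
        ts = T0 + timedelta(minutes=m)
        for i in range(3):                     # baseline: HTTPS from Venezuelan clients
            flows.append(dict(ts=ts, proto=6, src=f"190.200.{m % 256}.{i + 1}",
                              sport=50000 + i, dst=TARGET, dport=443, country="VE"))
        if 89 <= m < 123:                      # 11:29 to 12:03 local: the burst
            for k in range(150):
                src, cc = pool[(m * 150 + k) % len(pool)]
                flows.append(dict(ts=ts, proto=17, src=src, sport=53,
                                  dst=TARGET, dport=80, country=cc))
    return flows


def per_minute_counts(flows, target):
    """Flows per minute toward target (minutes with no flows are simply absent)."""
    return Counter(f["ts"].replace(second=0, microsecond=0) for f in flows if f["dst"] == target)


def find_spike_windows(counts, factor=10):
    """Minutes exceeding factor x the median minute, merged into contiguous [start, end) windows."""
    baseline = median(counts.values())
    windows = []
    for ts in sorted(ts for ts, n in counts.items() if n > factor * baseline):
        if windows and ts - windows[-1][1] == timedelta(minutes=1):
            windows[-1][1] = ts                # extend the current window
        else:
            windows.append([ts, ts])
    return [(start, end + timedelta(minutes=1)) for start, end in windows]


def signature_breakdown(flows, target, start, end):
    """Counts of (proto, src_port, dst_port) seen toward target inside [start, end)."""
    return Counter((f["proto"], f["sport"], f["dport"]) for f in flows
                   if f["dst"] == target and start <= f["ts"] < end)


def source_summary(flows, target, start, end, sig):
    """Distinct sources sending sig toward target in the window, and their country mix."""
    sources = {f["src"]: f["country"] for f in flows
               if f["dst"] == target and start <= f["ts"] < end
               and (f["proto"], f["sport"], f["dport"]) == sig}
    return len(sources), Counter(sources.values())


def analyze(flows, target=TARGET):
    """Run the steps in order; returns an empty window list when nothing stands out."""
    windows = find_spike_windows(per_minute_counts(flows, target))
    if not windows:
        return {"windows": []}
    start, end = windows[0]
    sigs = signature_breakdown(flows, target, start, end)
    top_sig, top_n = sigs.most_common(1)[0]
    n_src, countries = source_summary(flows, target, start, end, top_sig)
    return {"windows": windows,
            "duration_min": int((end - start).total_seconds() // 60),
            "top_signature": top_sig,
            "top_signature_share": top_n / sum(sigs.values()),
            "distinct_sources": n_src,
            "country_codes": len(countries),
            "top2_country_share": sum(n for _, n in countries.most_common(2)) / n_src}


if __name__ == "__main__":
    r = analyze(build_sample_flows())
    s, e = r["windows"][0]
    print(f"spike {s:%H:%M}-{e:%H:%M} UTC ({r['duration_min']} min); top (proto, sport, dport) "
          f"= {r['top_signature']} at {r['top_signature_share']:.1%} of flows in the window")
    print(f"{r['distinct_sources']} distinct sources across {r['country_codes']} countries; "
          f"top two countries hold {r['top2_country_share']:.0%}")
    # Caveat: if the UDP/53 traffic was reflected, these sources are intermediaries, not the attacker.
```

Run against real NetFlow exports, the only parts that change are the record loader and the baseline: a median over a longer, quieter period is a more honest reference than the three-hour sample used here, and minutes with zero flows should be filled in rather than left absent. The signature step is what turns "more traffic" into something actionable, since a single (proto, source port, destination port) tuple dominating the window is what a mitigation filter, or a UTRS announcement, would be built around; the country breakdown is reported only to show why, for reflected traffic, it cannot be read as attribution.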
Conclusion
The analysis of network traffic around the time of the Venezuelan presidential election on 28 July 2024 suggests a significant spike in activity directed at IP 201.130.83.39, likely indicative of a distributed denial of service (DDoS) attack. Whether this spike led to services being knocked offline during the election is unclear, and, compared to other DDoS attacks we have observed, the activity appears to have been short-lived.
One claim made following the election was that the "cyber attack" originated from North Macedonia. However, our findings do not support this assertion for the data we analyzed in this post. Based on the data available, it remains uncertain who was responsible for the observed activity.
Ultimately, this incident further underscores the need for robust measures to protect electoral infrastructure from potential disruptions, particularly in environments characterized by high stakes and international scrutiny.
Team Cymru’s Unwanted Traffic Removal Service (UTRS) is a no-cost, BGP-based service that helps mitigate large and concentrated DDoS attacks.