New research confirms Kazakhstan is spying on connections to Facebook, Twitter, VK, Instagram, YouTube, Google, and more

Posted on Jul 24, 2019 by Caleb Chen

Kazakhstan is actively spying on its citizens’ internet connections to Facebook, Twitter, VK, Instagram, YouTube, Google, and many other sites. New research published by Ram Sundara Raman, Leonid Evdokimov, Eric Wustrow, Alex Halderman, and Roya Ensafi has identified 37 domains that are being targeted by Kazakhstan’s ongoing man-in-the-middle (MITM) attack on HTTPS traffic. The researchers are from the University of Michigan and the University of Colorado, Boulder. The work builds on continuing research at Censored Planet, a University of Michigan lab founded by Roya Ensafi to build and run tools that continuously monitor disruptions to the web. Censored Planet has been tracking the situation in Kazakhstan since July 20th and published its findings on July 23rd.

The fake root certificate authority (CA) attack being used by the Kazakh government is heavy-handed: it relies on getting citizens to install and trust the government’s own root certificate, either because the internet service provider (ISP) nudges them to or because connections to the targeted sites fail certificate validation until they do. Contrary to earlier reports, not every connection out of Kazakhstan is affected, and the researchers showed that HTTPS traffic can be intercepted even when it merely passes through the country from outside, which is how the research was carried out. The researchers clarified:

“So far, the attack appears to affect a fraction of connections passing through the country’s largest ISP, Kazakhtelecom (AS 9198 KazTelecom). This means some, but not all, of the Kazakh Internet population is affected.”

Kazakhstan is targeting social media and communication websites as it spies on its citizens’ internet traffic

The Kazakh government is using a “middlebox” located at Kazakhtelecom that terminates the TLS connection, presents the client a certificate for the requested site signed by the government’s root, decrypts the traffic, and re-encrypts it toward the real site. Currently the system only intercepts a fixed list of domains, possibly because of hardware limitations. Technically, the fake root CA lets the government decrypt traffic to any website a client that trusts it visits, and the narrow list may simply mean that capability is being held back for more individually targeted attacks.
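The two mechanisms described above, the rogue root that users are nudged to install and the middlebox that swaps in its own certificate only for targeted hostnames, are easy to reproduce offline. The Go program below is an added example written for this page, not code from Censored Planet or the study: it generates a constructed “public” root standing in for a real trust-store CA, a constructed rogue government root, and a toy middlebox whose target list is assumed to be keyed by hostname (the real list is the 37 domains later in the article; `www.facebook.com` and `vk.com` are used here, and `example.org` is an assumed untargeted host). It then runs a client with a clean trust store and one that has installed the rogue root, so you can see that the intercepted site only fails for the user who refused the certificate, and that the failure is specifically an unknown-authority error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not the study's code. Roots, keys and the host list are constructed stand-ins.
// template fills the fields shared by every cert; a CA gets certSign, a leaf gets cn as its SAN.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a fresh P-256 key and signs tmpl with parent; a nil parent means a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}

// Middlebox is the decrypt-and-re-encrypt box: holding a CA key the client trusts, it can mint a leaf for any targeted name.
type Middlebox struct {
	Targets map[string]bool
	Root    *x509.Certificate
	Key     *ecdsa.PrivateKey
}

type Outcome struct {
	Intercepted bool // the middlebox swapped the certificate
	Accepted    bool // chain validation against the client's trust store passed
	UnknownCA   bool // validation failed because the chain ends in a root the store lacks
}

// Connect passes one connection through the middlebox, then does what a browser does:
// validate the presented certificate for host against exactly the roots in its trust store.
func Connect(host string, genuine *x509.Certificate, mb *Middlebox, roots *x509.CertPool) Outcome {
	presented, intercepted := genuine, false
	if mb.Targets[host] { // targeted host: the box substitutes its own leaf
		presented, _ = mint(template(host, false), mb.Root, mb.Key)
		intercepted = true
	}
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknown x509.UnknownAuthorityError
	return Outcome{Intercepted: intercepted, Accepted: err == nil, UnknownCA: errors.As(err, &unknown)}
}

// Scenario runs a targeted and an untargeted host through a clean trust store and through one
// where the user followed the ISP's nudge and installed the rogue root; keys are "<host>/<store>".
func Scenario() map[string]Outcome {
	publicRoot, publicKey := mint(template("Constructed Public Root", true), nil, nil)
	rogueRoot, rogueKey := mint(template("Constructed Rogue Government Root", true), nil, nil)
	mb := &Middlebox{Targets: map[string]bool{"www.facebook.com": true, "vk.com": true}, Root: rogueRoot, Key: rogueKey}
	clean, installed := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(publicRoot)
	installed.AddCert(publicRoot)
	installed.AddCert(rogueRoot)
	out := map[string]Outcome{}
	for _, host := range []string{"www.facebook.com", "example.org"} {
		genuine, _ := mint(template(host, false), publicRoot, publicKey) // the site's real cert
		out[host+"/clean"] = Connect(host, genuine, mb, clean)
		out[host+"/rogue-installed"] = Connect(host, genuine, mb, installed)
	}
	return out
}

func main() {
	for k, o := range Scenario() {
		fmt.Printf("%-32s %+v\n", k, o)
	}
}
```

The `UnknownCA` flag is the practical check: on a machine inside the affected network, a connection to a listed site that fails only with an unknown-authority error, while untargeted sites validate normally, is the signature of this interception, and a store where the rogue root has been installed makes the swap invisible to ordinary browsing.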

The full list of 37 domains identified by Censored Planet so far is:

  • allo.google.com
  • android.com
  • cdninstagram.com
  • dns.google.com
  • docs.google.com
  • encrypted.google.com
  • facebook.com
  • goo.gl
  • google.com
  • groups.google.com
  • hangouts.google.com
  • instagram.com
  • mail.google.com
  • mail.ru
  • messages.android.com
  • messenger.com
  • news.google.com
  • ok.ru
  • picasa.google.com
  • plus.google.com
  • rukoeb.com
  • sites.google.com
  • sosalkino.tv
  • tamtam.chat
  • translate.google.com
  • twitter.com
  • video.google.com
  • vk.com
  • vk.me
  • vkuseraudio.net
  • vkuservideo.net
  • www.facebook.com
  • www.google.com
  • www.instagram.com
  • www.messenger.com
  • www.youtube.com
  • youtube.com

On July 19th, a Kazakh government official tried to clarify that installing the certificate was not technically mandatory. In practice, however, Kazakh users who do not trust the rogue root will find that connections to the affected sites fail certificate validation, so they cannot use those sites as they normally would. While the Kazakh government has insisted that the measure exists to improve its citizens’ cybersecurity, the list of targeted websites, almost entirely social media, messaging and email services, makes it plain that this monumental step was taken in order to spy on its citizens. The researchers concluded:

“The international community needs to closely monitor this alarming practice, which flies in the face of decades of progress by the computer security community towards ensuring that all websites are protected by strong, end-to-end encryption.”