When a cigar isn't just a cigar

Russia's federal censor briefly blocked some of the Internet's biggest websites, and experts wonder if it wasn't an inside job

Meduza
Roskomnadzor’s Moscow headquarters
Ramil Sitdikov / Sputnik / Scanpix / LETA

Before dawn on April 27, for about two hours, Russia’s federal censor blocked several IP addresses operated by some of the biggest and most popular online social networks and Internet companies.

Roskomnadzor updated its “out-load list” to include a handful of IP addresses owned by Yandex and Mail.ru Group (through Vkontakte and Odnoklassniki). The censor also blacklisted IP addresses belonging to Facebook, Twitter, Yahoo, and Liveinternet. The Telegram channel RKNShowtime, which monitors revisions to Roskomnadzor’s registry, first drew attention to the blockings.

These IP addresses were present on the government’s blacklist for about two hours, before Roskomnadzor suddenly removed them. The whole thing happened so quickly that Internet users experienced no widespread outages.

Roskomnadzor blamed the incident on “technical issues,” but experts believe it could be the result of “sabotage” within the agency.

On the morning of April 27, Roskomnadzor acknowledged that IP addresses belonging to several “Russian and foreign social networks” were added briefly to its registry of banned online resources, explaining that it was due to “technical features of its system operations.” Officials refused to say what this means exactly, and the agency has not apologized to the companies accidentally targeted.

Roskomnadzor says these IP addresses were not forwarded to Internet service providers “for the purpose of restricting access,” though the agency’s own website previously confirmed that the IP addresses in question had been blacklisted.

“This is untrue, of course,” says Vladislav Zdolnikov, who works as an IT consultant for Alexey Navalny’s Anti-Corruption Foundation. “Roskomnadzor sent the out-load list, and that is precisely how everyone found out about the blockings. Providers were required by law to start blocking. This kind of lying is Roskomnadzor’s style, and they often rely on it when they’ve screwed up big time.”

Zdolnikov thinks Roskomnadzor may have blocked the IP addresses by accident, possibly by allowing someone to access its equipment who shouldn’t have been working on blocking websites.

“There’s a computer at Roskomnadzor that’s connected to a device running the Telegram app, and this computer intercepts all communications [from the app to any IP addresses] and automatically (or semi-automatically) blocks those addresses,” explains Zdolnikov. “I suspect that some other Internet-enabled device was connected to this computer. It’s possible that this was someone who works at Roskomnadzor, who used the Internet at some point and the computer blocked whatever IP addresses the device accessed. I’m certain it happened like this. [I think] the staff there are about as competent as that.” Zdolnikov also joked that the incident could be the work of a “saboteur” inside Roskomnadzor.

IT expert and Internet Protection Society executive director Mikhail Klimarev thinks the saboteur theory is no joke. He wrote on his Telegram channel: “It seems one of Roskomnadzor’s [competent employees] has slipped his leash and decided to screw over the bosses. Or maybe there’s another reason. It’s hard to figure out the motives of people who are sick in the head.” Klimarev is even outing the person who supposedly instigated the blocking: “Alexander Alexandrovich Veklich, the head of the IT department at the Main Radio Frequency Center” (a state unitary enterprise subordinate to Roskomnadzor). Klimarev told Meduza that he learned this name from a contact inside Roskomnadzor, whom he refuses to identify.

“Don’t go thinking that Roskomnadzor is just [director Alexander] Zharov. In fact, there’s a whole staff of qualified specialists with enormous experience who work on serious issues, like monitoring radio frequencies and distributing licenses. They see what’s happening, and of course they’re unhappy. Their reputation is in the toilet, and nobody [else] will work with them because of the stain [of having worked at Roskomnadzor]. They’re trying to resist somehow from the inside,” Klimarev told Meduza.

Klimarev also says he “knows for sure” that blocking Telegram was entrusted to Zharov’s deputy, Oleg Ivanov. “He was given three days to do it. Now two weeks have passed and it’s still not blocked. They’ve started looking for people to blame, and they’re rolling on each other… Basically, it’s all bad news at Roskomnadzor,” Klimarev says.

Russian IT companies have condemned Roskomnadzor’s actions, and this is their first official reaction to the agency’s efforts against Telegram.

Yandex’s public relations director, Ochir Mandzhikov, called the attempt to block Telegram “a blow to the entire RuNet.” In a statement on April 27, he said, “We do not consider this situation to be acceptable. The Russian market can develop only in conditions of open competition. Restricting access to global and Russian Internet services will harm the RuNet most of all. A lack of openness and competition [...] deprives the country of the chance to compete technologically in world markets in the future.”

“We see that access to many resources is being limited due to a lack of understanding of the principles of the modern Internet. Services with millions of users have been completely or partially unavailable,” said Vkontakte’s managing director, Andrey Rogozov, who promised that Vkontakte will soon introduce end-to-end encryption on all voice and video calls.

Anton Fedchin, the head of the social network Odnoklassniki, told Meduza: “The current situation has already gone beyond online society and is now affecting business as a whole. Any company that uses the Web to communicate with customers is now ‘Internet-dependent.’ We are against any restrictions on the Internet and we call on all parties to move toward a dialogue.”

In response to Friday’s criticism, Roskomnadzor invited Yandex and Vkontakte to join it in finding “solutions that minimize the risks” of the Telegram block. Meduza was unable to reach Roskomnadzor to discuss this initiative. (The agency wouldn’t take our calls.)

After Roskomnadzor’s IP address snafu, Mail.ru Group launched three proxy servers allowing Internet users to circumvent Russian censorship. Experts say these proxies could be a trap.

Mail.ru Group, which owns Vkontakte and Odnoklassniki, announced on April 27 that it is sharing three servers “for stable access to any [Internet] services.” In other words, the company is making available three proxy servers that allow users to bypass barriers erected by Roskomnadzor. IT experts Vladislav Zdolnikov and Mikhail Klimarev, however, warn against using Mail.ru’s proxies.

Klimarev says two of the three IP addresses shared by Mail.ru Group were caught “hunting” for VPNs and proxy servers on April 24. In other words, these servers were used to help track ways to bypass the blocking of Telegram. Klimarev says Mail.ru Group operates a special “Web crawler” bot that scans the Internet for all possible IP addresses in search of proxy servers that connect directly to Telegram’s known servers. If the bot finds a suspicious proxy, it mimics a Telegram server, to avoid giving itself away, and tries to verify whether that particular proxy connects to Telegram’s servers. If the test comes up positive, the bot creates instructions for an abuse claim, which Mail.ru allegedly files with server hosts, which then block that server, not even realizing that it was being used by Telegram.

Klimarev says the Internet Protection Society discovered the Mail.ru Web crawlers on April 24, when several of its proxy servers were blocked by their hosts because of “abuse claims.” He says the proxies were blocked almost immediately after they were visited by Mail.ru’s servers, leading the organization to conclude that they’d been flagged by the company's Web crawlers.

Mail.ru Group later stated that the proxy-hunting Web crawlers using its servers belonged to one of its cloud-computing clients. The company’s representatives say the customer was banned after Mail.ru realized what was happening. It’s unclear, however, why two of the IP addresses used by these Web crawlers are the same as those of the proxy servers Mail.ru offered up on April 27 to circumvent Russia’s Telegram ban. The company has not explained this coincidence.
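The correlation described above (proxies suspended shortly after visits from the same servers, and those servers' addresses then compared with a published proxy list) can be sketched from a proxy operator's side as follows. This is an added example, not code from the article or from anyone named in it; the log format, function names, the 30-minute window, and every address and timestamp are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: documentation-range IPs and made-up timestamps.
# Each line: connection time, proxy that received it, source IP.
ACCESS_LOG = """\
2024-01-01T09:58:10 proxy-a 198.51.100.7
2024-01-01T09:59:02 proxy-a 203.0.113.20
2024-01-01T10:14:45 proxy-b 198.51.100.7
2024-01-01T10:15:30 proxy-b 198.51.100.9
2024-01-01T10:40:00 proxy-c 198.51.100.9
2024-01-01T07:00:00 proxy-c 203.0.113.20
2024-01-01T11:00:00 proxy-d 203.0.113.21
"""
# When each proxy's host suspended it after an abuse claim (proxy-d never was).
TAKEDOWNS = {
    "proxy-a": "2024-01-01T10:05:00",
    "proxy-b": "2024-01-01T10:20:00",
    "proxy-c": "2024-01-01T10:50:00",
}
# Addresses later advertised as public proxies (constructed).
PUBLISHED_PROXIES = {"198.51.100.7", "198.51.100.9", "192.0.2.55"}


def parse_log(text):
    """Yield (timestamp, proxy, source_ip) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, proxy, src = line.split()
            yield datetime.fromisoformat(ts), proxy, src


def suspect_sources(log_text, takedowns, window=timedelta(minutes=30), min_proxies=2):
    """Sources that visited at least min_proxies proxies within `window` before
    each was suspended. One hit can be an ordinary user; repeats are a pattern."""
    hits = defaultdict(set)
    for ts, proxy, src in parse_log(log_text):
        down = takedowns.get(proxy)
        if down is None:
            continue  # proxy was never suspended, so the visit proves nothing
        lead = datetime.fromisoformat(down) - ts
        if timedelta(0) <= lead <= window:
            hits[src].add(proxy)
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_proxies}


def overlap_with_published(suspects, published):
    """Suspect source addresses that also appear in a published proxy list."""
    return sorted(set(suspects) & set(published))
```

A visit that precedes a suspension by hours, or a source seen at only one suspended proxy, is filtered out, which keeps ordinary users out of the result.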

“Like Sigmund Freud said, ‘Sometimes a cigar is just a cigar,’ and a proxy is just a proxy,” a Mail.ru spokesperson told the news agency RIA Novosti on Friday.

Story by Evgeny Berg, translation by Kevin Rothrock