NDP voting disruption deliberate, hard to track

An attack on the online voting system used to select Thomas Mulcair as the leader of the NDP used at least 10,000 computers, pointing to a deliberate effort to disrupt the leadership race - and one that will be hard to track.

More than 10,000 computers used in denial of service attack, voting company Scytl says

A cyber attack that caused long delays in the online voting system used to select Thomas Mulcair as NDP leader on Saturday was a deliberate effort to disrupt balloting, according to the company that created the system. (Evan Mitsui/CBC)

It could be impossible to track whoever tried to sabotage the NDP's leadership vote last weekend, with both New Democrats and the company behind the online voting system pointing Tuesday to what's bound to be a complicated investigation.

The attack on the online voting system used to select Thomas Mulcair as the NDP's leader needed a level of organization that points to a deliberate effort to disrupt the leadership race, Scytl, the company that created the electronic ballots, said in a news release Tuesday.

Scytl has identified more than 10,000 IP addresses, mostly in Canada, and that could help identify the people behind the attack, which slowed down voting and denied party members access to the website used for voting.

The firm is now conducting a forensic investigation, a spokeswoman said.

An NDP spokeswoman wouldn't speculate on what the report might say or whether it would spark a police complaint.

"People who are able to pull off these kinds of things are very good at covering their tracks," Sally Housser said. "Whether there's a police complaint] depends on when we receive more information. We’re not going to speculate until we have further information."

The Scytl release says "the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group."

The company attributes the problem to a "deliberate, large-scale Distributed Denial of Service (DDoS)" attack.

A denial of service attack bombards a server with repeated attempts at communication to try to slow it down or crash it altogether. That kind of attack can be co-ordinated by one person using a number of IP addresses with computers that don't belong to the attacker.

'None of this is legal'

It's entirely possible one person may be behind the attack, and that would be very hard to track, cyber security expert David Skillicorn told CBC News.

It's possible for a hacker to get into hundreds of computers and install software, then rent out the use of the computers for such an attack. The cost: as little as $100.

"There's lots of ways in which a computer can be compromised, but I guess the most common one is that somebody gets an email with an attachment and nothing seems to happen, but in fact something did, and a week or a month later that piece of software starts behaving in ways they wouldn't have liked," said Skillicorn, who teaches at Queen’s University.

"None of this is legal to do, but it's relatively easy to go on the internet and find somebody who has a botnet to rent [the collection of machines]" he said.

The best chance to find the perpetrator is if the person brags and is reported, Skillicorn said. "Or just maybe you could track their credit card payment for the botnet service," he added.

Attack slowed vote

The attack over the weekend slowed down the voting process by several hours over two ballots, forcing the convention to run later than the party had hoped and past the prime time for announcing the new leader. It led to a flood of complaints by members who couldn't cast their ballots. About 11,000 NDP members were voting live, as opposed to advance voting.

The company's statement says high-profile political or organizational websites are common targets of denial of service attacks, "often launched as protests by the organization's political or economic opponents."

Scytl has never experienced an attack like this before, company spokeswoman Susan Crutchlow said .

"But this is not uncommon, I mean … this is just a common thing that is happening out in the industry," Crutchlow said.

"Obviously, this has now allowed us to capture additional data to incorporate into the security measures of our system."

Crutchlow wouldn't say how long it will take to prepare the forensic analysis and said it's up to the NDP to comment on whether there will be a police complaint out of it.

The vote wasn't compromised, Scytl says, pointing to an audit by Price Waterhouse Coopers during the convention. The attacker didn't get through the site's security system, and no ballots cast by credentialed NDP members were added, subtracted or changed, the company says.