Research reveals the battle to control Yemen’s internet
In Yemen, a civil war involving several factions has raged since 2015, when the Yemeni government was usurped by a faction of Houthi rebels. Today, both claim to be the rightful government, with the Houthi faction holding the capital, Sana’a, and forces loyal to the former government occupying Aden and the surrounding land.
The factions in the country are also backed by foreign nations, which are in effect conducting a proxy war within Yemen. Saudi Arabia has heavily armed the forces loyal to the former Yemeni government, which are currently aiming to regain control of Hodeidah. Thousands of civilians have been killed in attacks perpetrated by this Saudi and Emirati-backed coalition, and there is an ongoing famine that, the UN warned in 2018, could become “the worst famine in the world in 100 years”. Already, three quarters of the population of 28 million are dependent on aid for survival.
When a country faces this level of devastation, the internet may be considered a low-level concern, but recent research from internet security company Recorded Future illustrates that it has in fact emerged as an important means of control.
“More and more, we see internet control being used as another form of weapon or another form of warfare in these battles that are going on,” said Allan Liska, senior security architect at Recorded Future. “And Yemen is a particularly stark case of that where when the Houthi rebels took control of the internet infrastructure, they became the de facto government.
“Even if the rest of the world doesn’t recognise that,” he continued, “to the people in Yemen, they’re the de facto government because it’s Houthi leaders that are on the face of all the government websites now, that run all of the government services, and that manage the government-owned ISPs that filter out content that they don’t want to be seen.”
But it isn’t just about taking over government sites. The Houthi faction has also exerted control by cutting access to sites that were critical of them. “Filtering down to, we’ll allow this news source but not these ones, to the actual cutting of fibre, cutting access to cell service and so on during offences in order to cut off operations,” says Liska.
He’s surprised by how quickly the faction had been able to grasp this control. “By all accounts, the Houthi rebels aren’t very technically adept, but they’ve managed to figure this out and they’ve managed to figure it out very quickly – how to use the internet to control flow of information,” he says.
So how did they accomplish this feat? It was when the group took over Sana’a: “When they gained control of Sana’a, that’s where both the national ISP, Yemen Net, and TeleYemen, which is the infrastructure provider, were both located.
“When they gained control, they essentially gained control of those companies and that was it,” says Liska.
However, Recorded Future’s research also illustrated that the citizens of Yemen were aware of this internet control, and that they had a desire to circumvent it.
“We saw a lot of Tor activity, we saw a lot of VPN activity,” says Liska. “One of the ways they censor is through watching DNS names that they consider sort of objectionable, and what we saw was a high percentage of home routers that had enabled DNS recursion as a way to bypass that censorship.”
On average, the researchers would expect about five percent of routers to have DNS recursion enabled, a setting that allows the router to act as a DNS server and bypass the ISP’s DNS server. However, in Yemen, between 30 percent and 35 percent of home routers had DNS recursion enabled.
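As an added illustration (not part of the original article or of Recorded Future's research): whether a device offers recursion is visible in the header of its DNS reply, where the server sets the RA (recursion available) bit. The Python below builds a query with recursion requested and classifies constructed sample replies; the function names and sample packets are assumptions made for this example.

```python
import struct

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired, set by the client
FLAG_RA = 0x0080  # recursion available, set by the server
RCODE_REFUSED = 5

def build_query(name, txid=0x1234):
    """Encode a minimal A-record query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet, txid=0x1234):
    """Classify a reply from its 12-byte DNS header alone."""
    if len(packet) < 12:
        return "invalid"
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & FLAG_QR:
        return "invalid"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if flags & FLAG_RA and rcode == 0 and answers > 0:
        return "recursive"
    return "non-recursive"

def make_header(flags, answers, txid=0x1234):
    """Build a reply header for the constructed samples below."""
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)

# Constructed sample replies (headers only), not captured traffic.
SAMPLES = {
    "router-a": make_header(FLAG_QR | FLAG_RD | FLAG_RA, 1),        # resolved the name itself
    "router-b": make_header(FLAG_QR | FLAG_RD | RCODE_REFUSED, 0),  # refuses the query
    "router-c": make_header(FLAG_QR | FLAG_RD, 0),                  # replies, no recursion
    "router-d": b"\x00\x01",                                        # truncated junk
}

def recursion_share(samples):
    """Fraction of valid replies that show recursion enabled."""
    results = [classify_response(p) for p in samples.values()]
    valid = [r for r in results if r != "invalid"]
    return sum(r == "recursive" for r in valid) / len(valid)
```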
“Even in a country that’s living through all of the troubles that Yemen is, people will figure out ways to bypass that,” says Liska. “And the more you censor, it appears the more people figure out ways to bypass those censors.”
Liska ties this to the question of legitimacy, saying that in a heavily censored country such as North Korea, the same phenomenon doesn’t exist because the government is accepted as legitimate.
Another thing the group looked for was the presence of malware from governments with vested interests in the warfare in Yemen, including Russia, China, the U.S. and Saudi Arabia. While they didn’t find any evidence of Russian or U.S. malware in the country’s infrastructure, Kaspersky and other security providers have reported this in the past.
“Our guess is that at this point, any kind of malware or any kind of presence from either Russia or the U.S. has been so well established that you may not see a lot of indicators of it,” says Liska.
However, they did find evidence of Chinese malware, which he does not find surprising.
“When the Hadi government realised that they lost control of the internet, they set up their own ISP called HadiNet, and this is fully Chinese Huawei infrastructure,” he explains. “It’s Huawei routers, Huawei backbone, Huawei telecommunications information, and with that, we also saw a lot of Chinese malware, including a back door that’s suspected to be a Chinese government [backdoor].”
He says they don’t have any confirmation of that but the team suspects it could have been implanted by the Chinese government or at least someone working for them.
Liska says this is something which is likely to increase as proxy wars continue.
“It’s essentially that other countries want to know what’s going on there, so we’re going to see their presence in malware and in back doors and so on, trying to connect up to the systems,” he says. “Because even if you can gain just a little bit of a tactical edge by having that access and information, that’s going to be really important to the battles that are going on.”
“I do think that this type of activity is going to serve as a model for future wars,” Liska says, explaining that in their research, this was the first case of seeing an outside faction gain control of the internet and use it in this way. “And I think the relative success that they have had with it means that we may see this in other wars, where seizing control of internet infrastructure becomes one of the goals of the fighting.”
Internet control has long been a tool of oppression and misinformation, in China and North Korea for example, but also in Iran and Syria, which have some of the lowest scores on internet freedom. During the Arab Spring it was deployed to shut down social media as a means of quelling protest.
The USA, Britain, New Zealand, Australia and Canada, meanwhile, are all part of the Five Eyes global spying programme uncovered by whistleblower Edward Snowden.
And Cambridge Analytica parent company SCL’s CEO boasted of the company’s influence on the political trajectory of target nations.