FSB Contractor Suffers 7.5TB Breach

According to BBC Russia, a contractor believed to work with the FSB, Russia’s intelligence service, was hacked on July 15, 2019. A group of hackers named 0v1ru$ hacked into SyTech's Active Directory server from where they gained access to the company's entire IT network, including a JIRA instance. This access enabled the hackers to steal 7.5TB of data, which included information concerning projects worked on by the contractor for the intelligence agency. Forbes, who has also been covering the incident, believe that this incident may be the largest suffered by and impacting the FSB.

To add insult to injury the hacking group left a “Yoba Face” on the contractor's homepage, the face been mainly interpreted as an emoticon for trolling. 0v1ru$ then passed on the data to another, larger, hacking group DigitalRevolution who subsequently shared the files with various media outlets and the headlines with Twitter. DigitalRevolution made headlines in 2018 when they successfully breached Quantum another Russian contractor. While announcing the hack on Twitter the larger of the two groups then shared the stolen files with journalists. While there is conflicting information about the exact nature of the leaked information, BBC Russia stated that no state secrets where leaked.

Rather what was leaked were projects worked on by the contractor for both the FSB and Quantum. These projects include:

  • Nautilus: a project for collecting data about social media users from sites such as Facebook, MySpace, and LinkedIn.
  • Nautilus-S: a project for de-anonymizing Tor traffic with the help of rogue Tor servers.
  • Reward: a project to covertly penetrate P2P networks, such networks are used by torrent sites.
  • Mentor: a project to monitor and search email communications on the servers of Russian companies.
  • Hope: a project to investigate the topology of the Russian internet and how it connects to other countries' network.
  • Tax-3: a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

Further, according to DigitalRevolution the leak also revealed that the FSB was also tracking students and pensioners. According to BBC Russia most of the projects look to be research into technology, such work is to be expected and is carried out internationally by intelligence services. However, two of the projects appear to have gone through real-world testing. Those being Nautilus-S and Hope, which seem to have been tested and corroborated by other events.

fsb contractor suffers breach 0virus

The Nautilus-S was created to de-anonymize users of the Tor browser. These browsers work by distributing an Internet connection randomly across servers in different parts of the world, allowing its users to bypass censorship, hide their data, and browse sites with heightened privacy. Tor browsers developed a questionable reputation as they are seen as the primary method of accessing the Dark Web. According to BBC Russia, work on Nautilus-S started in 2012, focussing on the exit node of a Tor browser with this node being the server that requests are sent to external sites. By knowing at what point a particular user sends requests through a Tor browser, for example from an Internet provider, the program operators could match them in time with the visits to sites through the control node. Tracing activity like this requires a certain amount of luck but if done successfully can result in the operator de-anonymizing a browser built for anonymous use.

Two years later, a paper published by academics from Karlstad University and SBA Research in Austria titled “Spoiled Onions: Exposing Malicious Tor Exit Relays” discovered such abuse of Tor exit nodes. It was also discovered that 25 malicious servers, 18 of which were located in Russia, were used in the exit node attack attempting to decrypt traffic. These servers were running Tor version, which was the same one detailed in the leaked files.

The second project which seems to have been real-world tested was the project, Hope. The project was established to analyze the structure and make-up of the Russian segment of the internet. The information gained from the project could have been used to disconnect Russia from the Internet. Earlier this year the Russian government successfully disconnected its national segment from the Internet. The test was part of the authority’s ongoing mission to disconnect Russia the country from the rest of the world. Before the testing authority’s built a local backup of the Domain Name System (DNS), which they first tested in 2014, and again in 2018. Russia's response comes as NATO countries announced several times that they were mulling a stronger response to cyberattacks, of which Russia is constantly accused of carrying out. Such action by the Russian government would be disastrous for ISPs and other businesses to that extent the government agreed to foot the bill and to cover the costs of ISPs modifying their infrastructure and installing new servers for redirecting traffic towards government-approved exchange points. The end goal is for Russian authorities to implement a web traffic filtering system like China's Great Firewall, but also have a fully working country-wide intranet in case the country needs to disconnect.

At the time of writing there has been no acknowledgment or an official statement of the breach either by the FSB or SyTech. This is a normal response when it comes to cyber incidents that occur in Russia. At times it feels like the official policy is to ignore and deny. The projects that were leaked are in themselves nothing new as many within the InfoSec community assumed them to be in existence following corroborating evidence. What is of interest is the apparent ease a hacking group succeeded in breaking into the system. Given Russian policy, we may never know exactly how the breach occurred.

Click to post a comment

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal