Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.
A week ago, on July 13, hackers under the name 0v1ru$ reportedly breached SyTech, a major FSB contractor working on a range of live and exploratory internet projects. With the data stolen, 0v1ru$ left a smiling Yoba Face on SyTech’s homepage alongside pictures purporting to showcase the breach. 0v1ru$ then passed the data itself to the larger hacking group Digital Revolution, which shared the files with various media outlets and the headlines with Twitter—taunting FSB that the agency should maybe rename one of its breached activities “Project Collander.”
Also, hackers have published a screenshot of the interface of the internal network of the affected company. Next to the names of the projects (“Arion”, “Relation”, “Hryvnia” and others) were the names of their curators – the employees of “Sitek”.
Apparently, before deleting information from the computer, hackers partially copied it. They shared documents with the Digital Revolution – a group that in December 2018 took responsibility for hacking the server of the Kvant research institute. This institute is administered by the FSB.
Hackers sent documents “Sitek” journalists of several publications.
From the archive, which the BBC Russian Service was able to familiarize with, it follows that “Sitek” performed work on at least 20 non-public IT projects ordered by Russian special services and departments. These papers do not contain state secrets or secrets.
Who does Sitec work for?
The company is managed by Denis Vyacheslavovich Krayushkin. One of the customers of “Sitek” is the research institute “Kvant”, where, according to Runet-ID, works as a scientific consultant Vyacheslav Krayushkin. Krayushkin registered in the Moscow district of Zamoskvorechye.
The Bi-bi-s Research Institute “Quantum” refused to answer the question whether Denis and Vyacheslav Krayushkin are related to the organization: “This is confidential information, they are not ready to voice it.”
For information on joint projects “Sitek” and the Research Institute “Kvant” the BBC correspondent was advised to look at the institute’s website and on the Russian government procurement portal. Detect contracts “Sitek” with the Institute on these sites failed.
The latest financial results of “Sidek” published in 2017. Its revenue amounted to 46 million rubles, net profit – 1.1 million rubles.
The total amount of the company’s public contracts for 2018 is 40 million rubles. Among the customers are the national satellite communications operator JSC RT Komm.ru and the information and analytical center of the judicial department at the Supreme Court of Russia.
The stolen data seen by BBC Russia outlines a variety of projects being developed by Sytech. These projects include:
Mentor was allegedly being developed for the Russian military unit No. 71330, which is reportedly the radio-electronic intelligence of the FSB of Russia. This project would monitor selected email accounts at specified intervals in order to collect information related to certain phrases.
Nadezhda, or Hope in English, is a project designed to visualize how Russia is connected to the rest of the Internet. This research is part of Russia’s attempts to create a “sovereign Internet” where Russia can isolate itself from the rest of the Internet.
Nautilus is a project developed between 2009 and 2010 to collect information about users on social networks such as Facebook, LinkedIn, and MySpace.
Nautilus-S is research into de-anonymizing users on the Tor network by creating exit nodes that were controlled by the Russian government. This project was allegedly started at the request of the Russian Research Institute “Kvant”.
Reward was being designed to penetrate and perform covert operations on peer-to-peer networks. This includes BitTorrent, Jabber, OpenFT, and ED2K
Tax-3 is the most recent project and was commissioned by “Chief Scientific Innovation Innovation Center JSC, reporting to the Federal Tax Service.”. This project would provide the ability to manually remove information from the Federal Tax Service about people under state protection.
The site for Sytech (www.sytech.ru) has since been shut down and have not responded to inquiries by the BBC.
While this data breach is not nearly as concerning as the Vault 7 WikiLeaks leak of NSA exploits, the BBC has stated that this is the largest data leak in the history of Russian special services.
Russian President Vladimir Putin previously signed provisions for an initiative to ensure that the Russian internet could operate independently from the world wide web in the event that it was disconnected for any purpose, internal or otherwise.
Most of the non-public projects “Sitec” performed on the order of military unit No. 71330. Experts of the International Center for Defense and Security in Tallinn believe that this military unit is part of the 16th Directorate of the Federal Security Service of Russia, which is engaged in radio-electronic intelligence.
In March 2015, the SBU accused the 16th and 18th FSB center of mailing files stuffed with spyware to the email of Ukrainian servicemen and intelligence officers.
The documents indicate the address of one of the sites where employees of the Saytek conducted the work: Moscow, Samotechnaya, 9. Previously, this address contained the 16th Administration of the KGB of the USSR, then the Federal Agency for Governmental Communication and Information under the President of the Russian Federation (FAPSI).
In 2003, the agency was abolished, and its powers were distributed between the FSB and other special services.
Tor distributes an Internet connection randomly across sites (servers) in different parts of the world, allowing its users to bypass censorship and hide their data. He also allows you to go into the darknet – “hidden network”.
The software complex “Nautilus-S” was developed by Sitec in 2012 by request of the Research Institute “Kvant”. It includes the “output” node of the Tor – the server through which requests are sent to sites. Usually such nodes are supported by enthusiasts on a voluntary basis.
But not in the case of “Sitek”: knowing at what point a particular user sends requests through Tor (for example, from an Internet provider), the program operators could, with a certain luck, match them in time with visits to sites through the control node.
In “Sitek” also planned to replace traffic to users who got to a specially created site. Sites for such users could look different than they really were.
A similar pattern of hacker attacks on Tor users was discovered in 2014 by experts at Karlstad University in Sweden. They described 19 interconnected hostile “exit” Tor nodes, 18 of which were controlled directly from Russia.
The fact that these nodes are connected was also indicated by their common version of the Tor browser – 0.2.2.37. The same version is indicated in the “Nautilus-S” operator’s manual.
One of the results of this work was to be “a database of users and computers actively using Tor networks,” according to documents merged by hackers.
“We believe that the Kremlin is trying to de-anonymize Tor purely for its own selfish purposes,” wrote the BBC Digital Revolution hackers. “Under various pretexts, the authorities are trying to restrict us from the ability to freely express our opinion.”
“Nautilus” and social networks
An earlier version of the project “Nautilus” – without the letter “C” through a hyphen after the name – was devoted to collecting information about users of social networks.
The documents indicate the period of work (2009-2010) and their cost (18.5 million rubles). The BBC is unknown whether Saitak managed to find a customer for this project.
The promotional offer for potential clients contained the following phrase: “In England, there is even a saying:“ Do not write to the Internet what you cannot tell the policeman. ”This carelessness of users opens up new possibilities for collecting and summarizing personal data, analyzing them further and using them for solving special tasks. ”
The users of Nautilus planned to collect data on social networks such as Facebook, MySpace and LinkedIn.
“Reward” and torrents
As part of the Reward research work, which was conducted in 2013-2014, Saitek had to explore “the possibilities of developing a complex of penetration and covert use of peer-to-peer and hybrid networks,” the hacked documents say.
The project customer is not listed in the documents. As a basis for conducting the study, the Russian government decree on the state defense order for these years is mentioned.
As a rule, such non-public tenders are held by the army and special services.
In peer-to-peer networks, users can quickly share large files, since they function as a server and client at the same time.
In “Sitek” they were going to find a vulnerability in the BitTorrent network protocol (with the help of it, users can download movies, music, programs and other files through torrents). Users of RuTracker – the largest Russian-language forum on this topic – download more than 1 million torrents daily.
Also, Jabber, OpenFT and ED2K network protocols are in the interests of “Sitek”. The Jabber protocol is used in instant messengers popular with hackers and sellers of illegal services and goods on the darknet. ED2K was known in the 2000s to Russian-speaking users as an “ass”.
Mentor and Email
The customer of another work under the name of “Mentor” was the military unit No. 71330 (presumably – electronic intelligence of the FSB of Russia). The goal is to monitor email at the customer’s choice. The project was designed for 2013-2014,
According to the documentation provided by the hackers, the Mentor program can be configured so that it checks the mail of the required respondents at a specified time interval or collects the “mining mining group” using the specified phrases.
An example is a search on the mail servers of two large Russian Internet companies. According to the example from the documentation, the mailboxes on these servers belong to Nagonia, a fictional country from the Soviet spy detective “TASS authorized to declare” Julian Semenov. The plot of the novel is built around the recruitment of an employee of the KGB officer in Nagonia by the US special services.
The Nadezhda project is dedicated to creating a program that accumulates and visualizes information about how the Russian segment of the Internet is connected to the global network. The customer of the work carried out in 2013-2014 was the same military unit No. 71330.
By the way, in November 2019, the law on the “sovereign Internet” will enter into force in Russia, the stated purpose of which is to ensure the integrity of the Russian segment of the Internet in the event of isolation from the external one. Critics of the law believe that he will give the Russian authorities the opportunity to isolate the RuNet for political reasons.
In 2015, commissioned by military unit No. 71330, Sitek carried out research work on the creation of a “software and hardware complex” capable of anonymously searching for and collecting “Internet information materials” while hiding “informational interest”. The project was named “Mosquito”.
The most recent project from the collection sent out by hackers dates back to 2018. It was ordered by the Chief Scientific Innovation Innovation Center JSC, reporting to the Federal Tax Service.
Roskomnadzor has blocked the site to vote against the “United Russia”
Roskomnadzor launches new telegram technology. How much does it cost?
Hackers revealed the data of 257 thousand users of Facebook. Traces lead to Russia
The program “Tax-3” allows you to manually remove from the information system of the FTS data of persons under state protection or state protection.
In particular, the creation of a closed data center for protected persons is described. These include some state and municipal servants, judges, participants in criminal proceedings and other categories of citizens.
Hackers claim that they were inspired by the movement of digital resistance against blocking Telegram messenger
Digital Revolution hackers claim that they gave information to journalists in the form in which it was provided by members of $ 0v1ru (how many of them are unknown). “It seems that the group is small. Regardless of their number, we welcome their contribution. We are glad that there are people who do not spare their free time, who risk their freedom and help us,” noted Digital Revolution.
Contact with the group 0v1ru $ at the time of preparation of the material failed. FSB did not respond to a request from the BBC.
Website “Siteka” is not available – neither in its previous form, nor in the version with “Yob-face”. When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow.