Hacking the contractor: Russia’s FSB in the spotlight

A serious cyber attack came to light earlier in July, when hacker groups DigitalRevolution and 0v1ruS claimed responsibility for hacking, defacing and leaking data from SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB).

SyTech has been working with the FSB since 2009; it has contributed to a range of projects, and specialises in the development and implementation of information and analytical systems for various Russian government departments.

While it was claimed that no actual state secrets had been exposed, this is nevertheless a particularly embarrassing incident for the Russian government.

The FSB – the successor to the Soviet Union’s KGB – is the most important security organisation in Russia, comparable to the UK’s MI5 or the USA’s FBI, and dealing both with domestic and foreign intelligence issues. It reports directly to President Putin.

0v1ruS reportedly gained access to SyTech networks on 13 July, stealing 7.5TB of data containing details of secret FSB projects and surveillance operations, and leaving a smiling Yoba Face on the organisation’s homepage, as well as pictures relating to the breach.

DigitalRevolution then posted redacted screenshots of the stolen data, later sending the entire cache of files to BBC Russia, which described the documents as possibly “the largest data leak in the history of the work of Russian special services on the Internet”.

The files included details on the following:

• Nautilus - a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).
• Nautilus-S - a project for deanonymizing Tor traffic with the help of rogue Tor servers.
• Reward - a project to covertly penetrate P2P networks, like the one used for torrents.
• Mentor - a project to monitor and search email communications on the servers of Russian companies.
• Hope - a project to investigate the topology of the Russian internet and how it connects to other countries' networks.
• Tax-3 - a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

An analysis of the screenshots showed that 0v1ruS infiltrated the server with an account named “tarasov”. The hackers then used malicious software to escalate privileges and remove other administrative accounts. The tarasov account allowed the group to move through SyTech email servers, and ultimately access the Jira instance where the data was stolen.

An in-depth analysis of SyTech’s operations and research has also been published on the Russian Wikileaks-type site Dosje.

DigitalRevolution has been very open about the motives of the hackers responsible for the attack and the theft of data. The group members make no secret of their anti-Kremlin agenda, complaining bitterly about oligarchs, corruption and censorship of the internet. They have a website and a VK account, and even publish their contact details on both, encouraging people to upload documents and information for them to assess.

The hacktivists were particularly incensed by the decision of a Russian court to block the use of Telegram inside the country. This happened in 2018 after telecoms watchdog, Roskomnadzor, filed a lawsuit against the social messaging app following its refusal to allow the FSB access to its encryption keys. The ruling was met by street protests involving thousands of demonstrators.

Encrypted social media apps such as Telegram, WhatsApp and Viber are as popular throughout Russia as they are in many other countries. In the cyber-criminal world they are becoming ever more so: hackers and fraudsters have realised that these apps offer greater security and privacy than the Darknet forums traditionally used for illegal activity such as selling stolen data, ransomware, drugs and weapons. Law enforcement authorities have enjoyed some handsome successes over the last couple of years, managing to close down some of the better-known marketplaces, and cyber-criminals have become increasingly reluctant to list their adverts on them.

On the other hand, anybody can use encrypted apps such as Telegram or WhatsApp: it takes no knowledge of Tor or expertise in anonymous connections to join an encrypted channel and thereby increase one’s chances of avoiding the attentions of the police or intelligence agencies. For the cyber-criminal, an encrypted app provides a much safer space to operate in.

In some ways this attack on SyTech has parallels with the leaks from the US National Security Agency (NSA) in 2016, when hacker group TheShadowBrokers published a series of stolen zero-day exploits and vulnerabilities believed to be the work of Equation Group, a very sophisticated alliance alleged to be part of the Tailored Access Operations (TAO) unit of the NSA. It was later determined that an NSA insider was actually responsible for the theft. Harold T. Martin III, a former contractor for Booz Allen Hamilton, was eventually convicted of stealing approximately 50 terabytes of data from the NSA. The judicial proceedings took several years: in fact, he was only sentenced to prison (nine years) on 19 July, 2019.

TheShadowBrokers hacktivists were therefore simply the conduit for the publication of the stolen information and, unless they are proved to be one and the same as 0v1ruS or it is shown that the data was stolen by a different third party, the same appears to be true for DigitalRevolution.

SyTech’s website was immediately taken offline after the news of the hacking attack emerged. It has yet to reappear.