Hackers Expose Russian FSB Cyberattack Projects

More nation-state activity in cyberspace, this time from Russia:

Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects since 2009 for FSB unit 71330 and for fellow contractor Quantum. Projects include:

  • Nautilus—a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).
  • Nautilus-S—a project for deanonymizing Tor traffic with the help of rogue Tor servers.
  • Reward—a project to covertly penetrate P2P networks, like the one used for torrents.
  • Mentor—a project to monitor and search email communications on the servers of Russian companies.
  • Hope—a project to investigate the topology of the Russian internet and how it connects to other countries’ network.
  • Tax-3—a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state’s IT networks.

BBC Russia, who received the full trove of documents, claims there were other older projects for researching other network protocols such as Jabber (instant messaging), ED2K (eDonkey), and OpenFT (enterprise file transfer).

Other files posted on the Digital Revolution Twitter account claimed that the FSB was also tracking students and pensioners.

Tags: , , ,

Posted on July 22, 2019 at 6:17 AM19 Comments

Comments

Winter July 22, 2019 9:03 AM

“Other files posted on the Digital Revolution Twitter account claimed that the FSB was also tracking students and pensioners.”

Some time (years?) ago, I read about rumors that some (state level?) actors were building a global database of humans. The idea was to collect data on any human for which a digital file was available anywhere. The above looks to be limited to Russia.

Anyone able to tell me to which extend these rumors were true, and whether the OP are part of such an effort?

65535 July 22, 2019 10:44 AM

“…a group of hackers going by the name of 0v1ru$ hacked into SyTech’s Active Directory server from where they gained access to the company’s entire IT network”-zdnet

Are we talking about Active Directory as in Microsoft Server 2016?

Hum, did they pay Microsoft the proper licenses fees? Does FSB contractors actually use Microsoft Servers from Redmond, Washington? That sounds a bit unsafe for an FSB contractor to use an American product – am I correct?

Ross Snider July 22, 2019 11:00 AM

BCC dumping this information is clearly politically motivated. Still, I stand for it.

I think this arena of information warfare, where news outfits from various companies partner with leakers and intelligence and ex-intelligence, to disclose censorship, surveillance, and propaganda capabilities makes us all (“the plebs”) more secure.

justinacolmena July 22, 2019 4:01 PM

  • Nautilus — a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).
  • Nautilus-S — a project for deanonymizing Tor traffic with the help of rogue Tor servers.

We should have known when FB cracked the Tor protocol to get a vanity onion address.

http://facebookcorewwwi.onion

I am still not sure how they did that, but the Солнцевская братва does exercise that modus operandi of compromising a computer network to a far greater extent than others are led on to believe.

A “great leap forward” is then made, Blitzkrieg style, toward total systems compromise, not unlike the “great political smash” of the Protocols of Zion.

A lot of it depends, of course, on what extent the братва has infiltrated the FSB (or modern equivalent of the KGB.)

Humdee July 22, 2019 7:24 PM

“I am still not sure how they did that”

It is called luck. Lots of monkeys, lots of time, equal the bible. FB has lots and lots of monkeys.

A July 22, 2019 9:31 PM

Curious if there’s anything groundbreaking or if this is just detailing where their efforts were focused on.

Mike Donovan July 22, 2019 10:21 PM

Let’s stop demonizing Russia for their treading into the waters of hacking and data collection, The United States is the world leader in pulling off data heists, distributing malware to disrupt the internal affairs of other countries, the list of U.S. military/intelligence black cyber-ops is long. Not to mention the private mega tech and data companies whose goal is a digital footprint on every human. Before hypocritically calling out other nations cyber activities, we should take a step back, look in the mirror, and see the giant in these dastardly activities is looking back at us,

Dan July 22, 2019 11:12 PM

@justinacolmena: You just have to keep generating .onion addresses until the first [n] bits match the character string you want. Here’s a tool for it: https://github.com/katmagic/Shallot

Obviously, the more non-random characters you want to have in your onion address, the more compute resources you’re going to have to throw at it to generate a matching one. Facebook just has a lot of compute resources.

David Rudling July 23, 2019 4:34 AM

Am i the only one who finds it a little strange that a Russian three letter agency was spending scarce foreign hard-currency on employing western companies to do jobs which, in at least the first four and possibly five projects listed, are the sort of things US three letter agencies are certain to have worked on and to which they probably found solutions. If the successful hacks of US three letter agencies were indeed done by Russian resources then it seems an unnecessary extravagance to pay to re-invent what you have stolen for free. Of course the revelations cover a period back to 2009 so possibly the projects pre-date any successful hacking – assuming Russian resources were indeed behind those hacks.

Clive Robinson July 23, 2019 5:24 AM

@ All,

As I wrote over on the friday squid[1] there are some other aspects to these tools, other than those that bring out “The Reds are Hacking us” responses.

But firstly note all such tools are “agnostic to use”. We know the FBI “outsourced work” on “deanonymising Tor” some years ago to a University. I’m sure the FBI would claim despite building evidence[2] that they are “The Good Guys”. Thus would claim that tool was “for the good”.

But as we also know when you have a nice new shiny tool, “The boys will play with their toys”. As has been found out, the same tool or something very similar, has been used in a dragnet fashion to go after people who use online gambling… Which is quite legal in many parts of the world. So the FBI would almost certainly have got the details of quite innocent people in such a dragnet, and based on their previous behaviours I doubt very much that the FBI has deleated such information as it alows for all sorts of behaviour by them. For those entirely innocent individuals I suspect they would regard the tool usage most definately as “for the bad”.

Thus upmost when talking about such development you have to remember they are first and formost tools, just like a hammer which can drive a nail or your skull in… It’s the use the “Directing Mind” actually puts them to that is what is actually important. Such is the problem there are now famous phrases coined to highlight the issue,

    Unlimited power is apt to corrupt the minds of those who possess it.
    “Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.”

Which increasingly appears to be the case, in law enforcment etc, thus there are “no good guys” with such tools, unless they can be proved otherwise[3].

But back to the tools, “Tax3” is not a new idea as various Western governments including the UK have “special status people” and their Government records are supposadly “specially protected” which as most readers here should know is at best a joke. That is their records are suppodadly kept away from the records for “ordinary people”, so that only “Specially Authorized Personnel” can access them. The simple fact is in most cases the reality is a flag in a record held in the general database. Thus not realy protected at all from sysadmins data center staff backup tapes and those who gain access via fairly simple social engineering tricks, or as we also know paid “out-sourceing companies” in India or China alowed through the firewall…

Running a system specifically designed to keep such records protected will make it a “target” to just about every SigInt agency world wide. But if you think about things logically, you will realise that events over the past couple of years shows the Five-Eyes are already well into the financial records of Russian Citizens.

Which brings us around to the “hope” tool, this is interesting not so much from the security asspect, but that of near future Russian intentions. As I mentioned over on the Friday Squid[1] it’s a fairly good flag to indicate that Russia is going to in effect “Balkanize The Internet”. The Russian’s and several other countries have made it clear that they have had enough of the “All Roads lead to Rome” structure that favours the US, UK and other Five-Eyes nations, and that they want control of their network boarders.

Whilst some might think this is a good thing, in the long term it’s going to lead to very bad rent seeking behaviour not just by Governments looking for a new tax stream, but also by corporates with new ever prejudicial business models. And it will be all of us paying that rent seeking.

But on a lighter note lets consider “Mentor” we all know –or should– that the Free Email services run by silicon Valley BigCorp are doing just this and have been for years. It’s been said by some that they got the idea via “Echelon” that journalist Duncan Campbell reported on for the EU[4]. Part of which is the “Keyword Search” capability.

Well… For those in London over the Summer, the Science Museum has an exhibition in it’s “distant basement”[5] on Cryptography, that is being sponsored by GCHQ. In it two things, one Duncan Campbell’s name comes, up and secondly an “Electronic Performance Sculpture” that is basically a number of printers pushing out Twitter messages filtered against a “Keyword Search” capability…

More importantly they have several good old fashioned mechanical cipher machines including atleast a couple of three rota Enigma machines. But the one that caught my eye and made me laugh which supprised my son was a British Typex. For those that have seen one they are a bit of a monster and were designed to run on “mains power”. The reason for my laugh, on the end of the old WWII ruberised heavy duty mains cable, a very modern UK three pin plug, which means that not only is it probably in full working order, but is still used today, probably as part of GCHQ’s internal Crypto Museum / Training. Even more ironic, there is also one of the Guardian’s Computers from the Ed Snowden trove stand off with the UK Government. Which gave rise to GCHQ’S “Tweedle Dee and Tweedle Dummer Come up to town to do shopping” visit, which for those that remember the photographs the Guardian published “full page” showed the world which Chips GCHQ had suspicions about (and yes the majority were from Far Eastern sources).

Any way for those interested in visiting London Science Museum entry is free, as is entry to the Crypto exhibit. However for safety reasons you need to get a “timed entry ticket” from one of the ticket desks in the Museum. They also have quite a good Space Exhibit with both the Apollo 10 and Tom Peake’s Soyuz TMA-19M Capsuals on display and a full scale mock up of an Apollo lander and Britains space launch rockets that put Prospero in space. All of which has been augmented for the current Moon Landing half century celebration.

[1] https://www.schneier.com/blog/archives/2019/07/friday_squid_bl_686.html#c6795987

[2] As we have found out the FBI are quite happy to lie and perjur themselves (see goings on in Marcus Hutchison case). But apparently it has happened so often some judges just assume they are being lied to by the FBI personnel.

[3] For those that feel I’m being unfair, I would say “go look” and by the way I’ve mentioned other LEAs in this, such as the Met Police.

[4] http://www.duncancampbell.org/content/echelon

[5] Though it does not have a “Beware of the tiger” notice (read Douglas Adam’s book if you don’t get the refrence 😉

Clive Robinson July 23, 2019 4:30 PM

@ David Rudling,

If the successful hacks of US three letter agencies were indeed done by Russian resources then it seems an unnecessary extravagance to pay to re-invent what you have stolen for free.

As the saying has it “The other shoe has dropped”.

I’ve mentioned a few things relating to this in the past but they are now not here. Lets just say Facebook is a big distraction to draw your attention away from CA and it’s activities.

justinacolmena July 23, 2019 5:24 PM

@Humdee

It is called luck. Lots of monkeys, lots of time, equal the bible. FB has lots and lots of monkeys.

That is too much Nazismo and social Darwinism to the Swastika luck on FB and TWTR. I refuse to take Mark Zuckerberg and Priscilla Chan, or others of their class, at face value.

Facebook just has a *lot* of compute resources.

They have a “brotherhood” with too many social(ist) or “human” resource connections, which I, err, seem to have already mentioned. I mean, people have access to private keys and such when they ought not to.

GOOG // GOOGL // Alphabet Inc. is a big problem, too.

Rachel July 23, 2019 8:55 PM

Dan; Justina

‘You just have to keep generating .onion addresses until the first [n] bits match the character string you want. Here’s a tool for it: https://github.com/katmagic/Shallot

Protonmail created an .onion address for their service. They explained it took a few months of round the clock computation to achieve a string that was useable/sufficiently attractive

1&1~=Umm July 24, 2019 2:53 AM

@justinacolmena:

“We should have known when FB cracked the Tor protocol to get a vanity onion address.”

It’s ‘Brut Forced’ not ‘cracked’, and back in Bletchly Park some called it the ‘British Museum’ method, for reasons that are more to do with pre world war one linguistics than more modern mathematical cryptanalysis. In more modern parlance yet it would be a form of ‘Rainbow table’ generation if you kept all the output you generated.

You simply supply an input to the determanistic algorithm and examine the output, if it’s not acceptable, just repeate with a new input and keep going.

There are effectively two ways you can generate the input,

1, With a counter as input.
2, With a TRNG as input.

The first option will go through every state and eventually give you an acceptable plain text, if there is one to be found. The second is generally accepted to get you an acceptable answer faster but may not find you the best answer ever because you will never know when all states have been tried.

If you think about it logically if your desired ouput only needed a single bit to be set or clear you would find that in two-four trys of input. For two bits four-eight trys and so on. Each successive bit requiring on average twice the number of input trys.

When you have your required bits set in the remaining state, the other bits will effectively be random. Thus the first match you get on your desired bits may not be the best choice. The longer you keep going the more likely you will be to get what you might consider a ‘better result’.

With modern algorithms their size is usually such that based on forcasted CPU performance a full ‘Brut Force’ via counter is not possible. Not just in our life times, but in terms of the life times of celestial objects or the Universe it’s self. Or some other limit such as insufficient matter/energy in the Universe.

Even Quantum Computing as we currently see it has it’s limits in how much it can speed things up in searching for an answer.

It’s all determanistic at the end of the day even with a Truly Random Number/Bit Generation (TRNG) driving the input the length of time to do individual tries remains determanistic and rational.

Whilst doing this for a ‘Vanity Name’ might appear a waste of resources, that is not necessarily the case. One of the things engineers do with new hardware is “Burn in tests”. If you look up the ‘Bathtub curve’ in reliability you will find the first plunging part of the curve is called ‘juvenile failures’. These are as problematic in computers as they are in new cars. The solution in both cases is to ‘Run them in’ with some form of ‘stress testing’. In the case of computers doing Brut Force searches with a few variations provide ideal stress test for computer ‘burn/run in’.

Joe July 25, 2019 2:05 AM

@Mike Donovan wrote, “Let’s stop demonizing Russia for their treading into the waters of hacking and data collection, The United States is the world leader in pulling off data heists, distributing malware to disrupt the internal affairs of other countries, the list of U.S. military/intelligence black cyber-ops is long. Not to mention the private mega tech and data companies whose goal is a digital footprint on every human.”

I’m surprised we did get a bigger “we scored one on them” reponse. IMHO, the Hillary hack was coincidentally a retaliation for the panama papers hack which had exposed scores of Russian and Chinese politicos for their oversea extravaganzas. It remains logical because Hillary was SoS at the period of those panama exposures which was suspiciously “our boys” work.

May we all live in interesting times…

Yet another concerned US citizen July 27, 2019 5:58 PM

Honestly, after several months of non-stop proven antiRussian propaganda and logical fallacies blasted nonstop from several unethical sources, this type of article is just not believable.

Modern day Joe McCarthyism is a proven measureable reality. It’s pretty much just pre genocidal stigma as usual. And that is NOT GOOD; that is bad.

Coincidentally, this week I was having more trouble with search engine and web page results than usual. The only exception was a prominent and reliable Russian originating search engine. It gave reliable results every time and without delay, unlike every other US and European search engine I could think of.

The Russian search engine gave me correct results on the first form submit attempt, and returned more correct results than I needed. They all seemed helpful and correct. My time was thus not wasted. This is GOOD.

In contrast, the familiar US and European search engines gave a lot of faulty results and advertisements and seemed to be designed to waste my time. This is NOT GOOD; this is BAD.

In terms of improvement, scientific devices and programs and services ought to be based upon proper cause and effect results rather than ethnic stereotypes and geopolitical provacateurism and instigating.

I am not Russian; I have never been to Russia.

Russia is still not forgotten in the struggle against world terrorism. Several nations and groups and individuals are still committed to battle the terrorism and it’s bigotted sources.

America, please stand down before something irreversibly destructive happens.
Sincerely,

Yet another concerned US citizen.

65535 July 28, 2019 8:15 AM

@ David Rudling

“Am i the only one who finds it a little strange that a Russian three letter agency was spending scarce foreign hard-currency on employing western companies to do jobs which, in at least the first four and possibly five projects listed…”

No you are not.

It is not just that fact. Why would a high level FSB subcontractor be using what is reported to be Active Director [AD with Federated service] from Microsoft out of Redmond Washington, USA?

Why would said FSB contractor being paying licenses fees to use Microsoft’s Servers [MS Sever 2003 to Server 2016] via a money trial?

Micorsoft Servers licenses can get very expensive to use – not to mention leaky. Would the Russian’s FSB trust MS and pay them money?

[Server 2008 v. server 2019]

” Everything changes starting with the general availability of Windows Server 2016 (WS2016). Note that you always purchase the latest edition of Windows Server, so the latest rules always apply to you. You might opt to deploy an older version of Windows Server, if the license allows that, but the latest rules still apply. You can now purchase a Xeon processor with 24 cores. This means that Microsoft has started to lose money on larger customers. Once upon a time, a server with 2 of those processors (48 cores) might have required 6+ processors, which is at least 3 copies of Windows Server, but the old license program requires just 2 processors for a pair of those 24 core CPUs.”-petri

htt ps://www.petri.com/understanding-windows-server-2016-licensing

[and]

Windows Server 2016 licensing mode

“Windows Server 2016 licensing model includes both Cores + Client Access Licenses (CALs). Each user and/or device accessing a licensed Windows Server Standard, Datacenter or Multipoint edition requires a Windows Server CAL or a Windows Server and a Remote Desktop Services (RDS) CAL. A Windows Server CAL gives a user or device the right to access any edition of Windows Server of the same or earlier version. Each Window Server CAL allows access to multiple licenses of Windows Server. After the General Availability of Windows Server 2016, the business model for Standard and Datacenter editions will transition from processor-based to core based licensing. Core-based licensing provides a more consistent licensing metric across multi-cloud environments, improves workload portability for Windows Server through benefits like Azure Hybrid…”-technet

ht tps://blogs.technet.microsoft.com/ausoemteam/2016/07/26/windows-server-2016-licensing-model/

[and]

“Server 2016 licensing. CALs??”

ht tps://community.spiceworks.com/topic/1982231-server-2016-licensing-cals

[and]

“Servers licnesed by cores”

ht tps://www.directionsonmicrosoft.com/sites/default/files/PDFs/Windows_Server_2016_Licensing_Guide.pdf

[and]

“Server 2016 licensing. CALs??”

ht tps://community.spiceworks.com/topic/1982231-server-2016-licensing-cals

[and]

“Running Windows Server without a license”

ht tps://www.reddit.com/r/sysadmin/comments/5la3a5/running_windows_server_without_a_license/

Are we really talking about an FSB contractor running USA developed equipment? I am doubtful.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.