Hackers breach FSB contractor, detail leaks on IoT hacking project

Hackers breach FSB contractor, detail leaks on IoT hacking project

Special feature

Cyberwar and the future of cybersecurity

Today’s security threats have expanded in scope and severity. There may now be millions, or even billions of dollars, at risk when information security is not managed properly.

Read more

Russian Revolution group Digital Revolution claims to have breached a contract with the FSB (Russia’s national intelligence service) and has discovered details of a project aimed at hacking Internet of Things (IoT) devices.

The group released 12 technical documents, schemas and code snippets for a project called “Fronton” this week.

ZDNet has also viewed the documents first hand, along with BBC Russia, which first published the news earlier this week.

Fronton: The IoT botnet of the FSB

According to screenshots shared by the hacker group, which ZDNet asked security researchers to analyze, and based on a report from BBC Russia earlier this week, we believe the Fronton project describes the basics how to create an IoT botnet.

The Fronton technical documents were compiled under a procurement order made by one of the FSB’s internal departments, unit no. 64829, also known as the FSB’s Information Security Center.

The documents cover InformInvestGroup CJSC, a Russian company with a long history of complying with the orders of the Russian Ministry of Internal Affairs, with the creation of an IoT hacking tool.

According to the BBC, InformInvestGroup appears to have outsourced the project to Moscow-based software company ODT (Oday) LLC, which Digital Revolution claims to have hacked in April 2019.

From the time segments of the files, the project looks like it was built in 2017 and 2018.Documents are heavily referenced and are inspired by Mirai, an IoT malware strain that was used to create a massive IoT bot in late 2016, which was later used to launch devastating DDoS attacks against a wide range of targets, from ISPs to leading Internet service providers.

The documents propose the creation of a similar IoT botnet that is made available to the FSB. As per specifications, the Fronton botnet would be capable of performing password dictionary attacks against IoT devices that still use default logins and common combinations of username and password. After a password attack, the device would be locked into a botnet.

Pedestal that directs IoT cameras and NVRs

The front specs say that the botnet should be targeted specifically at Internet Security Cameras and Digital Recorders (NVRs), which are ideal for DDoS attacks.

“If they stream video, they have a channel of communication large enough to effectively perform DDoS,” the documents read, as quoted by BBC Russia.

According to the documents, about 95% of the total botnet should consist of these two types of devices, and each infected device would have to perform password attacks on other devices in order to keep the botnet alive.

In addition, the botnet must be managed through a web-based administration panel hosted on a Command and Control Server (C&C), behind a VPN and proxy server network, to hide the its actual location.

Image via digital revolution

According to screenshots from the Fronton Backend, the botnet was capable of targeting Linux-based smart devices, which currently represent the vast majority of IoT systems. This would have allowed it to focus more on smartphones and NVRs.

Image via digital revolution

Image via digital revolution

According to Fronton specifications, the use of the Russian language and the Cyrillic alphabet was strictly prohibited throughout the project and in the source code.

The C&C server also had to be password protected, and all unused ports should be closed to prevent other hackers from taking over the botnet’s backend infrastructure.

Russian state hackers have a history of hacking on IoT devices

The fact that Russian state hackers are interested in acquiring IoT hacking features is no surprise.

In August 2019, Microsoft said it had observed one of Russia’s elite state-sponsored hacking groups breaching IoT devices in order to gain access to the home network’s most important target.

In addition, it is believed that the same group, known as APT28, also created and ran the VPNFilter IoT botnet, which the FBI pushed for in 2018.Fronton and VPNFilter appear to have no relation, according to security researchers who spoke with ZDNet. .

Third hacker of FSB contractor

The leaks this week also mark the third time Digital Revolution has leaked files from an FSB contractor.

The first victim was a company called Quatum, where they leaked details in December 2018 about FSB’s social media monitoring projects.

The second was a company called SyTech, where Ditigal Revolution hackers leaked details about six other FSB projects, ranging from Tor rebate tools and P2P hacking software:

  • Nautilus – a project for collecting data on users of social networks (such as Facebook, MySpace and LinkedIn).
  • Nautilus-S – a project to deactivate Tor traffic with the help of unknown Tor servers.
  • Reward – a covert penetration project of P2P networks, such as the one used for torrents.
  • Mentor – a project for monitoring and searching for electronic communications on the servers of Russian companies.
  • Hope – a project to investigate the topology of the Russian Internet and how it connects to the network of other countries.
  • Tax-3 – a project to create a closed intranet to store the information of very sensitive state figures, judges and local government officials, separate from the rest of the state computer networks.