Hackers breached servers at a contractor for Russia’s Federal Security Service (FSB), SyTech, and stole about 7.5 terabytes of data after gaining access to the company’s entire network earlier this month, ZDNet reported on Saturday.
According to ZDNet, the hacking crew in question goes by the name 0v1ru$ and also defaced the SyTech website with a “yoba face,” the Russian term for a meme known stateside as “Comfy Guy”. They gained access to SyTech systems on July 13 by breaking into the firm’s Active Directory server and from there breaching the entire network, including a JIRA instance (a bug-tracking and project management tool), ZDNet wrote:
Hackers posted screenshots of the company’s servers on Twitter and later shared the stolen data with Digital Revolution, another hacking group, which last year breached Quantum, another FSB contractor.
This second hacker group shared the stolen files in greater detail on their Twitter account, on Thursday, July 18, and with Russian journalists afterward.
The stolen data included information on a number of projects that SyTech had been working on for the FSB since 2009; according to Engadget, the most prominent, dubbed Nautilus-S, was part of an effort to deanonymize the Tor network using rogue Tor servers, presumably for the purpose of outing political dissidents.
Others, ZDNet wrote, included the similarly named but separate Nautilus project, designed to harvest information on social media network users; Reward, which aimed to penetrate P2P networks; Mentor, a program to spy on emails at Russian companies; Hope, which was meant to “investigate the topology of the Russian internet and how it connects to other countries’ network”; and Tax-3, a closed intranet for storing information about “highly-sensitive state figures, judges, and local administration officials” in an environment secured from the rest of Russia’s state internet. Those last two projects are suspected to relate to Russian efforts to investigate whether the country’s internal internet can be effectively severed from the rest of the web during a crisis (or if its leadership simply decides to do so).
Per BBC Russia, the SyTech leak may be the “largest in the history of the work of Russian special services on the Internet.” However, according to Forbes, most of the projects were already “known or expected” among people familiar with Russian cyber efforts, and the leak is primarily notable for its size and for the fact that it targeted an FSB contractor.
According to BBC Russia, SyTech performed most of these non-public projects for military unit No. 71330, which experts at the International Center for Defense and Security in Tallinn believe is a signals intelligence unit of the 16th Directorate of the FSB. Ukraine’s security services have accused that unit of involvement in a 2015 incident involving spyware mailed to Ukrainian military personnel. In 2014, ZDNet wrote, researchers at Karlstad University in Sweden published research “detailing the use of hostile Tor exit nodes that were attempting to decrypt Tor traffic”; of the 25 malicious servers involved, 18 were in Russia and running a Tor version that is mentioned in the Nautilus-S files.
Little is known about the 0v1ru$ group, according to Forbes, but Digital Revolution said it passed on the materials without editing them. SyTech has reportedly taken down its website and refused to answer inquiries from the media.
“It seems that the group is small,” Digital Revolution told BBC Russia. “Regardless of their number, we welcome their contribution. We are glad that there are people who do not spare their free time, who risk their freedom and help us.”
Reports made little mention of any possible political motive for the leaks. Protests in Moscow over candidates barred from running for the City Duma have swelled in the past few weeks to the biggest in years amid “a groundswell of dissatisfaction across Russia over declining living standards that has led to falling ratings for [President Vladimir Putin] and the ruling United Russia party,” according to the Moscow Times. The paper noted that one particularly large protest on Saturday, which drew an estimated 22,500 people, was state-sanctioned, but that organizers could draw the ire of state security if the demonstrations continued to expand.
[BBC Russia via ZDNet]