Russian FSB intelligence agency contractor hacked - loses 7.5TB of data

FSB projects to de-anonymise Tor and isolate Russia from the internet exposed

The FSB, Russia's Federal Security Service and successor to the KGB, has been hacked, losing some 7.5TB of highly sensitive data.

The agency was hacked via one of its contractors, SyTech, by a hacking group that goes by the name '0v1ru$'. It left behind a 'smiley Yoba face' on the company's home page as a calling card, alongside images proving that it had been breached.

The data was then passed on to the larger hacking group Digital Revolution (@D1G1R3V on Twitter), which distributed the cache to media and publicised it across Twitter. The company's website has since been taken down.

Digital Revolution has been behind a number of attacks in Russia, including against FSB-administered research institute Kvant. Digital Revolution appears to be a collective of Russian opposition hackers, opposed to "the authorities… trying to restrict us from the ability to freely express our opinion".

The attack occurred on Saturday 13 July, and the publicised documents were examined by the BBC's Russian service over the next week.

The 'smiling Yoba face' that adorned the website of FSB contractor SyTech on 13th July

"From the archive, which the BBC Russian Service was able to familiarize with, it appears that SyTech performed work on at least 20 non-public IT projects ordered by Russian special services and departments," according to the BBC.

These 'special projects' include the Nautilus-S project, intended to de-anonymise Tor web browsing sessions - presumably to identify Tor users and their communications. "SyTech also planned to replace traffic to users who got to a specially created site. Sites for such users could look different than they really were," the BBC reported.

This ties in with research in 2014 at Karlstad University in Sweden that highlighted the existence of at least 19 interconnected 'hostile' Tor exit nodes, 19 of which were controlled directly from Russia.

"The fact that these nodes are connected was also indicated by their common version of the Tor browser - 0.2.2.37. The same version is indicated in the Nautilus-S operator's manual."

The project also involved the development of a database of Tor users.

Other projects that the organisation worked on on behalf of the FSB included a plan to collect information about users of social networks, and finding and exploiting vulnerabilities in peer-to-peer networking protocols, including the Jabber, OpenFT and ED2k protocols.

The Nadezhda project, meanwhile, involved the mapping of the Russian internet and its interconnections with the rest of the world. This project was carried out in 2013 and 2014, well ahead of a Russian government plan to isolate the country's internet connectivity from the rest of the world.

Earlier this year, the Russian government conducted a trial run as part of what it called its Digital Economy National Programme (DENP).

According to Zak Doffman, the founder and CEO of security firm Digital Barriers, the leak revealed "nothing newsworthy… everything was known or expected", although it has confirmed a number of suspicions about the nature and reach of Russia's FSB and its online activities. "The fact of the breach itself, its scale and apparent ease is of more note. Contractors remain the weak link in the chain for intelligence agencies worldwide," he added.

Russia, like China, has been a frequent detour of choice for BGP hijacks in the recent past, while hacking gangs based in Russia, including the GandCrab ransomware group, have been able to operate with impunity - as long as they avoid causing trouble in Russia and the CIS.