The FSB suffers the biggest data leak in its history


On July 13, 2019, a group of hackers known as “0v1ru$” allegedly managed to hack SyTech, one of the largest suppliers of the Federal'naya sluzhba bezopasnosti Rossiyskoy Federatsii: the FSB. The company, headed by Denis Krayushkin, is said to have worked on nearly twenty projects, the majority of which were sponsored by unit no. 71330 of Russian military intelligence.

According to Jeffrey Carr[1] (an analysis corroborated by the International Center for Defense and Security in Tallinn), this unit is said to belong to the Center for Electronic Communications Surveillance (FSB TSRRSS) within the 16th Directorate of the FSB. That centre is reportedly responsible for the interception, decryption and analysis of electronic communications, under the direct authority of the director of the FSB. The unit has already drawn attention in the past, notably for a large phishing operation targeting Ukrainian intelligence officers in 2015.

This data leak is on an unprecedented scale. The group of hackers reportedly managed to seize the equivalent of 7.5 terabytes of data (nearly 7 GB). Once in possession of the 0v1ru$ group, the data is said to have been passed on to the group DigitalRevolution, the same group that was behind the intrusion into the servers of another FSB supplier – Quantum – in 2018.

Lubyanka, the headquarters of the FSB, was the headquarters of the KGB during the Soviet era

The stolen data is said to have finally been handed over to the BBC Russian Service, which undertook its analysis. In particular, cybersecurity researchers identified some 25 malicious servers, 18 of them located in Russia, as well as a number of programs:

  • Nautilus: monitoring of user activity on the main social media platforms (Facebook, MySpace and LinkedIn);
  • Nautilus-S: deanonymisation of the Tor network. Launched in 2012, this program is said to rely on a network of subverted Tor nodes. In January 2014, a study by researchers at Karlstad University in Sweden had already found that an unidentified Russian entity was spying on nodes at the edge of the Tor network;
  • Reward: clandestine infiltration of P2P networks;
  • Mentor: surveillance of e-mail communications handled by Russian companies;
  • Hope/Nadezhda: analysis of the entire Russian Internet and of its connections to the World Wide Web;
  • Tax-3: manual deletion, from the information systems of the Federal Tax Service (FTS), of all records concerning individuals under state protection.

While the very nature of some of these programs is reminiscent of those revealed by Edward Snowden (XKeyscore, PRISM, ECHELON or even Carnivore), others reflect a renewed desire on the part of Moscow to be able to disconnect the Runet (the Russian Internet) from the global Internet, notably through the adoption by the Duma of the “Digital Economy National Program” at the beginning of 2019, due to enter into force in November 2019.

This new legislation aims to ensure that online data traffic between Russian individuals, businesses and organisations stays within the country's borders and is no longer routed abroad. In addition, Russia is currently developing its own alternative to the DNS (Domain Name System), which should in theory allow the Runet to keep functioning even if connections to servers based abroad were interrupted, deliberately or not.


Jean Lebougre
Cyberwarfare Specialist


[1] Jeffrey Carr, Inside Cyber Warfare – Mapping the Cyber Underworld, O'Reilly Media, Second Edition, 2012, pp. 230-231.
