Posted on July 22, 2019 at 12:00 PM
On 13 July 2019, hackers going by the name 0v1ru$ breached SyTech servers and released information about secret research projects conducted on behalf of Russia’s Federal Security Service to the media. The projects sought to scrape social media, de-anonymize Tor browsing, and help the country split its internet away from the rest of the globe.
SyTech is a contractor for Russia’s national intelligence service, the FSB, a Russian security agency equivalent to MI5 or the FBI.
The hackers stole information on projects SyTech was carrying out on behalf of the FSB, including one investigating the deanonymization of traffic. Reporting directly to the Russian president, the FSB is the key successor to the KGB.
The hackers breached SyTech’s Active Directory server and gained access to the firm’s entire IT network.
After stealing 7.5TB of data, they defaced the company’s website with a “yoba face,” an emoji Russian users adopt for “trolling.” Their abuse did not stop there.
Using Twitter, the hackers posted several screenshots of SyTech’s servers and then shared the stolen data with Digital Revolution, another hacking team which only last year breached Quantum, also an FSB contractor. It is not clear how, or whether, the two hacking teams are linked.
By 18 July 2019, Quantum had shared the stolen files on their Twitter account and then with Russian journalists.
Many reports on the information obtained have flooded the Russian media. The hackers exposed the names of SyTech project managers as well as project names.
The data indicate that SyTech had worked for the FSB unit since 2009 on multiple projects, and also for fellow contractor Quantum. Those projects were reported to include:
Hope: A project investigating the Russian internet topology and how it connected to the networks of other countries.
Mentor: A project that monitored and searched email communications on Russian companies’ servers.
Tax-3: A project creating a closed intranet that stored information on highly sensitive state figures, like judges or local administration officials, separate from the rest of the state’s IT network.
Nautilus: A project where data was collected on social media users (like Facebook, LinkedIn, and MySpace).
Nautilus-S: A project that used rogue Tor servers to de-anonymize Tor traffic.
Reward: A project to stealthily infiltrate P2P networks, like those used for torrents.
BBC Russia, which received the full trove of documents, stated that this was possibly the most significant data leak in the history of the Russian intelligence service. However, it also noted that no state secrets were exposed.
The BBC added that SyTech’s projects were mainly contracted with Military Unit 71330, which is part of the FSB’s 16th Directorate. This division handles signals intelligence and is the same group accused in 2015 of emailing spyware to Ukrainian intelligence officials.
The BBC alleged that there were additional older projects, researching different network protocols like Jabber (instant messaging), OpenFT (enterprise file transfer) and ED2K (eDonkey).
Some files posted on the Digital Revolution Twitter account alleged that the FSB was also monitoring student and pensioner data.
It is important to note that all intelligence services conduct research on modern technology, and SyTech was doing the same. However, two of its projects went further and looked as if they had been tested in the real world.
The first was Nautilus-S, the project for deanonymizing Tor traffic.
BBC Russia stated that work on Nautilus-S began in 2012. By 2014, academics from Karlstad University, Sweden, had published a paper (available here in PDF format) describing the use of hostile Tor exit nodes that were attempting to decrypt Tor traffic.
The researchers had identified 25 malicious servers. Eighteen of these servers were located in Russia and running Tor version 0.2.2.37, the same version noted in the leaked files.
The second was project Hope, which analyzed the assembly and structure of the Russian segment of the internet.
Russia ran tests earlier this year during which it disconnected its state segment of the internet from the rest of the globe. SyTech has taken down its website since the attack and has declined to comment to the media.