26 July 2019

Mosquito, Nadezhda, Nautilus: hackers revealed the essence of the projects of the secret contractor of the FSB

Andrei Soshnikov

The hackers broke into the server of a major contractor of the Russian special services and departments, and then shared with reporters descriptions of dozens of non-public Internet projects: from de-anonymization of users of the Tor browser to research the vulnerability of torrents.

It is possible that this is the largest data leak in the history of the work of Russian special services on the Internet.

The hack occurred on July 13, 2019. Instead of the main page of the site of the Moscow IT-company "Sitek", an image of a face appeared with a wide smile and smugly squinting eyes (on the Internet slang - "Yoba-face").

Deface, that is, the replacement of the main page of the site, is a common hacker tactic and a demonstration that they were able to access the victim’s data.


A snapshot of “Yob-face” appeared in a 0v1ru $ twitter account registered on the day of the attack. There also appeared screenshots of the folder "Computer", allegedly belonging to the victim. One picture shows the total amount of information - 7.5 terabytes. The following image shows that most of this data has already been deleted.

Also, hackers have published a screenshot of the interface of the internal network of the affected company. Next to the names of the projects ("Arion", "Relation", "Hryvnia" and others) were the names of their curators - the employees of "Sitek".

Apparently, before deleting information from the computer, hackers partially copied it. They shared documents with the Digital Revolution - a group that in December 2018 took responsibility for hacking the server of the research institute "Kvant". This institute is administered by the FSB.

Hackers sent documents "Sitek" journalists of several publications.

From the archive, which the BBC Russian Service was able to familiarize with, it follows that "Sitek" performed work on at least 20 non-public IT projects ordered by Russian special services and departments. These papers do not contain state secrets or secrets.
Who does Sitec work for?

The company is managed by Denis Vyacheslavovich Krayushkin. One of the customers of “Sitek” is the research institute “Kvant”, where, according to Runet-ID, works as a scientific consultant Vyacheslav Krayushkin. Krayushkin registered in the Moscow district of Zamoskvorechye.

The Bi-bi-s Research Institute "Quantum" refused to answer the question whether Denis and Vyacheslav Krayushkin are related to the organization: "This is confidential information, they are not ready to voice it."

Information about joint projects "Sitek" and the Research Institute "Kvant" correspondent Bi-bi-si was advised to look at the institute site and on the Russian portal of public procurement. Detect contracts "Sitek" with the Institute on these sites failed.

The latest financial results of "Sidek" published in 2017. Its revenue amounted to 46 million rubles, net profit - 1.1 million rubles.

The total amount of the company's public contracts for 2018 is 40 million rubles. Among the customers are the national satellite communications operator JSC RT Komm.ru and the information and analytical center of the judicial department at the Supreme Court of Russia.
Most of the non-public projects "Sitec" performed on the order of military unit No. 71330. Experts of the International Center for Defense and Security in Tallinn believe that this military unit is part of the 16th Directorate of the Federal Security Service of Russia, which is engaged in radio-electronic intelligence.

In March 2015, the SBU accused the 16th and 18th FSB center of mailing files stuffed with spyware to the email of Ukrainian servicemen and intelligence officers.

The documents indicate the address of one of the sites where employees of the Saytek conducted the work: Moscow, Samotechnaya, 9. Previously, this address contained the 16th Administration of the KGB of the USSR, then the Federal Agency for Governmental Communication and Information under the President of the Russian Federation (FAPSI).

In 2003, the agency was abolished, and its powers were distributed between the FSB and other special services.
Nautilus and Tor

The Nautilus-S project was created to de-anonymize users of the Tor browser.

Tor distributes an Internet connection randomly across sites (servers) in different parts of the world, allowing its users to bypass censorship and hide their data. He also allows you to go into the darknet - "hidden network".

The software complex "Nautilus-S" was developed by Sitec in 2012 by request of the Research Institute "Kvant". It includes the "output" node of the Tor - the server through which requests are sent to sites. Usually such nodes are supported by enthusiasts on a voluntary basis.

But not in the case of “Sitek”: knowing at what point a particular user sends requests through Tor (for example, from an Internet provider), the program operators could, with a certain luck, match them in time with the visits to sites through the control node.

In "Sitek" also planned to replace traffic to users who got to a specially created site. Sites for such users could look different than they really were.

A similar pattern of hacker attacks on Tor users was discovered in 2014 by experts at Karlstad University in Sweden. They described 19 interconnected hostile "exit" Tor nodes, 18 of which were controlled directly from Russia.

The fact that these nodes are connected was also indicated by their common version of the Tor browser - 0.2.2.37. The same version is indicated in the "Nautilus-S" operator's manual.Copyright holder illustrationsGETTY IMAGESImage captionIn July 2019, Russia updated its own record - about 600 thousand users of the Tor browser per day.

One of the results of this work was to be "a database of users and computers actively using Tor networks," according to documents merged by hackers.

“We believe that the Kremlin is trying to de-anonymize Tor purely for its own selfish purposes,” wrote the BBC Digital Revolution hackers. “Under various pretexts, the authorities are trying to restrict us from the ability to freely express our opinion.”
"Nautilus" and social networks

An earlier version of the project "Nautilus" - without the letter "C" through a hyphen after the name - was devoted to collecting information about users of social networks.

The documents indicate the period of work (2009-2010) and their cost (18.5 million rubles). The BBC is unknown whether Saitak managed to find a customer for this project.

The promotional offer for potential clients contained the following phrase: “In England, there is even a saying:“ Do not write to the Internet what you cannot tell the policeman. ”This carelessness of users opens up new possibilities for collecting and summarizing personal data, analyzing them further and using them for solving special tasks. "

The users of Nautilus planned to collect data on social networks such as Facebook, MySpace and LinkedIn.
"Reward" and torrents

As part of the Reward research work, which was conducted in 2013-2014, Saitek had to explore "the possibilities of developing a complex of penetration and covert use of peer-to-peer and hybrid networks," the hacked documents say.

The project customer is not listed in the documents. As a basis for conducting the study, the Russian government decree on the state defense order for these years is mentioned.

As a rule, such non-public tenders are held by the army and special services.

In peer-to-peer networks, users can quickly share large files, since they function as a server and client at the same time.

In “Sitek” they were going to find a vulnerability in the BitTorrent network protocol (with the help of it, users can download movies, music, programs and other files through torrents). Users of RuTracker - the largest Russian-language forum on this topic - download more than 1 million torrents daily.

Also, Jabber, OpenFT and ED2K network protocols are in the interests of "Sitek". The Jabber protocol is used in instant messengers popular with hackers and sellers of illegal services and goods on the darknet. ED2K was known in the 2000s to Russian-speaking users as an "ass".
Mentor and Email

The customer of another work under the name of "Mentor" was the military unit No. 71330 (presumably - radio-electronic intelligence of the FSB of Russia). The goal is to monitor email at the customer’s choice. The project was designed for 2013-2014,

According to the documentation provided by the hackers, the Mentor program can be configured so that it checks the mail of the required respondents at a specified time interval or collects the “mining mining group” using the specified phrases.

An example is a search on the mail servers of two large Russian Internet companies. According to the example from the documentation, the mailboxes on these servers belong to Nagonia, a fictional country from the Soviet spy detective "TASS authorized to declare" Julian Semenov. The plot of the novel is built around the recruitment of an employee of the KGB in Nagonia by the US secret services.
Other projects

The Nadezhda project is dedicated to creating a program that accumulates and visualizes information about how the Russian segment of the Internet is connected to the global network. The customer of the work carried out in 2013-2014 was the same military unit No. 71330.

By the way, in November 2019 in Russia the law on the "sovereign Internet" will come into force, the stated purpose of which is to ensure the integrity of the Russian segment of the Internet in case of isolation from the external one. Critics of the law believe that he will give the Russian authorities the opportunity to isolate the RuNet for political reasons.

In 2015, commissioned by military unit No. 71330, Sitek carried out research work on the creation of a “software and hardware complex” capable of anonymously searching for and collecting “Internet information materials” while hiding “informational interest”. The project was named "Mosquito".

The most recent project from the collection sent out by hackers dates back to 2018. It was ordered by the Chief Scientific Innovation Innovation Center JSC, reporting to the Federal Tax Service.

The program "Tax-3" allows you to manually remove from the information system of the FTS data of persons under state protection or state protection.

In particular, the creation of a closed data center for protected persons is described. These include some state and municipal servants, judges, participants in criminal proceedings and other categories of citizens.Image captionHackers claim that they were inspired by the movement of digital resistance against blocking Telegram messenger

Digital Revolution hackers claim that they gave information to journalists in the form in which it was provided by members of $ 0v1ru (how many of them are unknown). "It seems that the group is small. Regardless of their number, we welcome their contribution. We are glad that there are people who do not spare their free time, who risk freedom and help us," noted Digital Revolution.

Contact with the group 0v1ru $ at the time of preparation of the material failed. FSB did not respond to a request from the BBC.

Website "Siteka" is not available - neither in its previous form, nor in the version with "Yob-face". When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow.

No comments: