Hackers have breached SyTech, a contractor for the FSB, Russia's Federal Security Service, and have stolen information about internal projects the company was working on on behalf of the agency, including a project for deanonymizing Tor traffic.
The breach took place on July 13, when a group calling itself 0v1ru$ compromised SyTech's Active Directory server and, from there, gained access to the company's entire IT network, including its JIRA instance. (Control of a domain's Active Directory normally yields credentials for every domain-joined system, which is how a single server turned into the whole network.)
The group exfiltrated 7.5 TB of data from the contractor's network and defaced the company's website with a "Yoba face," an emoji popular with Russian internet users that signals trolling.
The hackers posted screenshots of the company's servers on Twitter and later shared the stolen data with another hacking group, Digital Revolution, which had breached another FSB contractor, Quantum, the previous year.
Digital Revolution published more details of the stolen files on its Twitter account five days later and subsequently shared them with Russian journalists.
The Secret Projects of the FSB
According to reports in Russian media, the files indicate that since 2009 SyTech had worked on a large number of projects for FSB unit 71330 and for fellow contractor Quantum.
The projects include:
- Nautilus – a project for collecting data about social media users on sites such as Facebook, MySpace, and LinkedIn.
- Nautilus-S – a project for deanonymizing Tor traffic by operating rogue Tor relays.
- Reward – a project to covertly infiltrate P2P networks like the ones used for torrents.
- Mentor – a project to monitor and search email communications on the servers of Russian companies.
- Hope – a project to investigate the topology of the Russian internet and how it connects to other countries' networks.
- Tax-3 – a project to create a closed intranet for storing information on highly sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.
According to BBC Russia, the files also describe many older projects researching other network protocols, such as Jabber (instant messaging), ED2K (eDonkey), and OpenFT (a peer-to-peer file transfer protocol).
Files posted on Digital Revolution's Twitter account also claim that the FSB was tracking students and pensioners.
Most of the projects described look like the kind of research into modern technology that many intelligence services perform. Two of them, however, appear to have been tested in the real world.
The first is Nautilus-S, the Tor-deanonymization project, which started in 2012. In 2014, academics from Karlstad University in Sweden published a paper on hostile Tor exit relays that were intercepting and tampering with users' traffic as it left the Tor network. (An exit relay sees traffic in whatever form the user sent it to the destination, so a rogue exit can read unencrypted sessions and attempt to downgrade or impersonate HTTPS connections, but it does not learn the user's IP address on its own.) The researchers identified 25 malicious relays, 18 of them located in Russia, running Tor version 0.2.2.37, the same version detailed in the leaked files.
The second is Hope, the project that analyzed the structure and make-up of the Russian segment of the internet. This year, Russia ran tests in which it disconnected its national segment from the rest of the internet.
Following the breach, SyTech took down its website and has declined to respond to media inquiries.