Fronton is a distributed denial-of-service (DDoS) botnet that was used by Russia-linked threat actors for coordinated disinformation campaigns.
In March 2020, the collective of hacktivists called “Digital Revolution” claimed to have hacked a subcontractor to the Russian FSB. The group released sensitive documents and contracts about an IoT botnet, codename Fronton, built by the contractor 0day Technologies. The botnet was developed to conduct DDoS attacks, but further analysis revealed that it could be used to coordinate large-scale disinformation campaigns, mimiking the behavior of a large audience online.
“Nisos research focused on the distribution of the numerous content types. This release noted that DDoS “is only one of the many capabilities of the system.” Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale.” reads the analysis published by the security firm NISOS.
The botnet provides a web-based dashboard known as SANA that allows operators to spread trending social media events, called ‘newsbreaks,’ en masse. SANA allows operators to create and manage fake social media persona accounts.
“Two example lists of posting source dictionaries were included in the data. One, involving comments around a squirrel statue in Almaty, Kazakhstan may have affected the reporting on a BBC story. As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc. An instance of the SANA system appears to be up at https://sana.0day[.]llc . Nisos assessed that this is possibly a testing or demo instance, and is not currently used by the FSB.” continues the report.
The botnet was developed to interact with multiple social media platforms, including Blog Sites, Media Sites, Forums (various engines), Sites (various engines). The Behavior Model creation process allows an operator to specify the times for each activity.
An additional investigation linked the Russian hacker Pavel SITNIKOV (aka FlatL1ne) to the 0day Technologies. Pavel Sitnikov, a prominent figure in the hacking underground, was arrested in May 2021 by Russian authorities on charges of distributing malware via his Freedom F0x Telegram channel.
The Russian hacker is a member of multiple underground hacking communities where he offered for sale the source code of multiple malware strains, including Alina, Carberp, Dexter, Rovnix, and Tinba.
The man claimed he was a member of a group that is directed linked to the notorious nation-state actor APT28.
If you want to know more about Sitnikov, let me suggest reading this interview published by The Record in December.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Fronton botnet)
[adrotate banner=”5″]
[adrotate banner=”13″]