
0v1ru$ hackers breach FSB contractor SyTech and expose Russian intel projects

SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), has been hacked; the attackers stole data about its internal projects.

Attackers have hacked SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), and exfiltrated data about its internal projects.

According to Russian media, SyTech has been working with the FSB since 2009; in particular, it contributed to several projects for FSB unit 71330 and for fellow contractor Quantum. The company earned 40 million rubles ($635,000) from public contracts in 2018. Its latest project is the development of Nalog-3 for the Main Scientific Innovation Implementation Center.

“According to the data received, the majority of non-public projects of Sytech were commissioned by military unit No. 71330, which allegedly is part of the 16th directorate of the FSB of Russia,” states the website CrimeRussia. “This unit is engaged in electronic intelligence, experts from the International Center for Defense and Security in Tallinn believe.”

Some of the research projects accessed by the hackers were for Russia’s intelligence service, including one for deanonymizing Tor traffic.

On July 13, a hacker group named 0v1ru$ broke into SyTech’s Active Directory server and then compromised the company’s entire infrastructure, including its JIRA instance.

The hackers exfiltrated 7.5 TB of data and defaced the company’s website by publishing a “yoba face.”

The hackers published images of the company’s servers on Twitter and also shared the data with another hacker crew known as Digital Revolution, which breached the FSB contractor Quantum in 2018.

The hackers provided the stolen data to BBC Russia, which verified the existence of other, older projects aimed at compromising network protocols including Jabber, ED2K, and OpenFT.

“Among the projects of Sytech there is the work on de-anonymization of users of the Tor network, collection of information about Facebook, MySpace and LinkedIn users, hidden collection of information on the Web, a system for substituting Internet traffic, through which certain users could be redirected to special sites when requesting portals from the ‘black list’,” continues CrimeRussia.

“Sytech was also supposed to explore the possibilities of developing a complex of penetration and covert use of resources of peer-to-peer and hybrid networks, network protocols Jabber, OpenFT and ED2K, which were used by darknet users and hackers.”

The list of projects shared by BBC Russia includes:

  • Nautilus – a project for tracking the activity of users on the principal social media platforms (such as Facebook, MySpace, and LinkedIn).
  • Nautilus-S – a project for deanonymizing Tor traffic that relies on a network of rogue Tor nodes. In January 2014, researchers from Karlstad University in Sweden presented the results of a four-month study that tested Tor exit nodes for sneaky behavior. They discovered that an unspecified Russian entity was eavesdropping on nodes at the edge of the Tor network.
  • Reward – a project to covertly penetrate P2P networks.
  • Mentor – a project to spy on email communications managed by Russian companies.
  • Hope/Nadezhda – a project to analyze the overall Russian internet and its connections to the global WWW.
  • Tax-3 – a project that allows manually removing, from the information system of the FTS (Federal Tax Service), the data of persons under state protection.

Those researchers identified 25 malicious servers, 18 of which were located in Russia and ran Tor version 0.2.2.37, the same version detailed in the leaked files.

SyTech took down its website after the hack.

“Website ‘Siteka’ is not available – neither in its previous form, nor in the version with ‘Yob-face’. When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow,” concludes BBC Russia.


Pierluigi Paganini

(SecurityAffairs – SyTech, data breach)

