Expert found Russia’s SORM surveillance equipment leaking user data

Pierluigi Paganini August 30, 2019

A Russian security researcher has found that hardware wiretapping equipment composing Russia’s SORM surveillance system had been leaking user data.

The Russian researcher Leonid Evdokimov has found that hardware wiretapping equipment used by the Kremlin as part of the SORM surveillance system (Russian: Система оперативно-разыскных мероприятий, lit. ‘System for Operative Investigative Activities’) had been leaking data online.

The Russian Government obliges national ISPs to purchase and install the probes used by SORM system that allows the Federal Security Service (FSB) to monitor Internet traffic including online communications.

SORM is a mass surveillance system that allows the Government of Moscow to track online activities of single individuals thanks to the support of the Russian ISPs.


Leonid Evdokimov shared his findings at the “Chaos Constructions” IT conference in St. Petersburg on August 25, technical details of his study are reported a paper titled “SORM Defects.”

He found 30 SORM devices installed on the network of 20 Russian ISPs that were running unsecured FTP servers. The servers contained traffic logs related to surveillance activities conducted by the authorities.

“Using the open-source security scanner “ZMap,” Evdokimov found 30 more “suspicious packet sniffers” in the networks of at least 20 Russian Internet providers.”  reads the post published by website.

“On these devices’ IP addresses, Evdokimov found open FTP (File Transfer Protocol) servers, as well as certain “live traffic,” where — among other data — he discovered “something very similar” to the mobile phone numbers of the providers’ clients, their logins, email addresses, network addresses, messenger numbers, and even the GPS coordinates clearly transmitted by inadequately protected smartphones running outdated firmware.”

“All these data make it possible to determine exactly whose traffic this is, and which clients they are,” Evdokimov concluded.

Evdokimov discovered the wiretapping equipment on April 2018 and since June 2018 he worked with ISPs to secure the SORM equipment.

Data found by the expert on the unsecured FTP servers included:

  • GPS coordinates for residents of Sarov that hosts Russia’s center for nuclear research;
  • ICQ instant messenger usernames, IMEI numbers, and telephone numbers belonging to hundred mobile phones across Moscow;
  • MAC addresses of the routers and GPS coordinates for people living in the village of Novosilske;
  • GPS coordinates from smartphones running outdated firmware, from multiple locations.

The 30 SORM devices remained unsecured online until Evdokimov made his presentation at the conference.

Some of the SORM devices found by the researcher were manufactured by the Russian MFI Soft. But, while other surveillance equipments were created by other vendors.

“In correspondence with Evdokimov, staff at MFI Soft refused to believe that the company’s hardware was the source of the data leaks, and attributed them instead to the “corporate information security systems” operated by the telecoms’ clients.” continues Meduza.

According to Meduza, of all the SORM equipment suppliers, MFI Soft had the best performance last year, with revenues soaring 294 percent to 10.3 billion rubles ($154.5 million), and profits jumping 298 percent to almost 2.1 billion rubles ($31.5 million). 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SORM, surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment