Hackers breach FSB contractor Sytech, expose internal Russian projects

Hacking group 0v1ru$ breached a contractor of Russia's Federal Security Service and leaked the secret program to the media

Sytech hacked by 0v1ru$, secret data exposedSytech, one of Russia's intelligence contractor was hacked by a 0v1ru$ hacking group which exposed the information about secret projects the government was working on for years

On July 13th, a hacking group 0v1ru$ managed to breach Sytech, otherwise known as “Sitek” – the contractor of Russia's intelligence service FSB and steal more than 7.5 Terabytes of sensitive data which was later leaked to the media. The information included Russia's secret plans of deanonymizing Tor browser traffic, secluding Russian part of the internet from the rest of the world, and spying on users via social networks like Facebook.

During the breach, attackers managed to access Sytech's Active Directory and then elevate their permission rights to those of the Administrator's, which consequently allowed them to access the entire IT infrastructure. Besides stealing the compromising information, 0v1ru$ hackers also corrupted the official firm's site sytech.ru and replaced its contents with “yoba face”[1] – a meme that is widely used in Russia for “trolling.”

BBC Russia, which first reported about the incident,[2] called it the “largest data leak in the history of the work of Russian special services on the Internet.”

Twitter was used to post evidence of the hack

After defacing Sytech's website and stealing the sensitive information, hackers posted screenshots of the company's hijacked servers on social platform Twitter, which is commonly used by threat actors to communicate. As of currently, the account associated with the hacking group @0v1ruS[3] is taken down.

The stolen information, which included detailed descriptions of non-public internet projects, was later shared with another Russian hacking group Digital Revolution, which by itself is responsible for hacking another FSB contractor Quantum in 2018.[4]

On July 18th, the second hacking group shared more details on their Twitter account, detailing the following (translated from Russian):

Cyberrevolution is growing! Our ranks are replenished! Another FSB litter, working on the de-anonymization of Tor, paid for cooperation with the authorities. @Dobrokhotov @RuBlackListNET @bbcrussian@kozlyuk

Some of the FSB's secret projects were already tested

The stolen information about the top-secret projects that Sytech engaged in since 2009, was initially received by the Russian division of BBC. It disclosed that the intelligence agency was working on research of such network protocols like OpenFT, Jabber, and ED2K. However, some of the most significant discoveries came from the following projects:

  • Nautilus – one of the first projects developed by Sytech during 2009-2010, which was responsible for various data scraping from users' social media accounts, such as Facebook, LinkedIn, and MySpace.
  • Nautilus-S – a Tor network analysis that allowed the governmental institutions to spy on users. Allegedly, it was initiated by the Russian Research Institute “Kvant.”
  • Reward – this research allowed the Russian government to infiltrate peer-to-peer networks.
  • Hope – the project designed to isolate Russian Internet from the rest of the world.
  • Mentor – o project that was developed by military unit 71330 and was designed to gather information about certain individuals based on keywords.
  • Tax 3 is one of the most controversial projects, as it would allow to manually remove certain details from the Federal Tax Service about people under the state protection.

While some of these projects seem to be rather a test into modern technologies, some were already put in use.

The work on Nautilus-S began in 2012 and, two years later, Swedish researchers from Karlstad University published an analysis[5] of compromised Tor exit nodes, which eventually attempted to decrypt Tor's traffic. All the malicious servers were running Tor version, and 18 out of total 25 were located in Russia.

In the wake of the incident, the hacker Twitter accounts are taken down, as well as Sytech's official website.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions