The cyber virus pandemic

The cyber virus pandemic

As the world is being overwhelmed by information on the spread and fight against the coronavirus and everybody is concerned about the physical health of mankind, we can miss another invisible threat – a threat to our «technical» health. It is related to a new cyber threat or cyber weapon of the Federal Security Service (FSB) of Russia. Another threat from the FSB was reported by a hack-activist group “Digital Revolution” on its page (hack-activists  – this is how «white» hacker activists are referred now).

Hackers “Digital Revolution” or D1G1R3V have published, or rather leaked technical documents of the program “Fronton”, including text presentation, technical diagrams and even code fragments created in 2017-2018.

Digital Revolution insists that there are different versions of the program – “Fronton”, “Fronton-3D” and “Fronton-18”. Regardless of their quantity, their main danger is the ability to infect smart devices (from digital assistants to entire smart homes), network them and crash the servers that are responsible for the sustainability of large Internet services and the Internet connection in the entire countries. Thus, it is about the ability to organize cyber-attacks using Internet of Things (IoT) devices and even disrupt Internet access in a small country. This is a frightening quotation from the leaked documents: “A powerful attack of several hundred thousand machines is able to make social networking sites, file sharing sites inaccessible for several hours. Attack of national DNS servers may cut off the Internet access for several hours in a small country”.

Let’s try to understand it. Based on these documents, most of which are technical documentation clear only for advanced digital specialists, “Digital Revolution” claims that the Fronton program will enable the Russian government and the “Kremlin henchmen” “to hack our computers and to spy on the whole world”.

By the “Kremlin henchmen” is meant Kremlin’s contractors – the Moscow-based company Oday (LLC 0DT, ZERODAY TECHNOLOGIES), which could be involved in the “Fronton” development. It was attacked by hack-activists in April 2019.

“Oday Technologies” is a Russian privately-owned IT company operating in the field of modern technologies and information security in a highly classified manner, conducting orders from Russian government agencies. “Oday” has (or had until 2019) the status of a consultant to such Russian law enforcement agencies as the FSB, the Ministry of Internal Affairs and Roskomnadzor. The “Oday” team is suspected of developing and selling to law enforcement agencies information and IT products aimed at monitoring, collecting and storing information about Russian Internet (Runet) users and solutions blocking Telegram messenger.

The cooperation with state structures cannot be illegal in itself. The latter also requires cyber consultants. But given the nature of Russian security services’ actions aimed more at cyber-attacks around the world rather than at cyber-defense of their own country, one cannot assume the legal or transparent nature and direction of all FSB-related IT companies’ developments.

Fortunately, in 2018, the software solution of 0DT LLC aimed to block Telegram, which they had sold to Roskomnadzor, appeared to be non-functioning, and throughout 2019 Telegram was never blocked. The head of 0DT LLC Ruslan Giliazov comments openly in the media the other developments of the company in support of the implementation of the federal Yarovaia-Ozerov’s Law (law package FZ №374 and 375). This package of laws under the formulation of “counter-terrorism” actually limits human rights in Russia, extending the power of law enforcement agencies, telecommunication operators and Internet projects in the operational search actions and banal espionage on citizens. This FSB project is worth considerable amounts of money, which attracts IT-developers.

CJSC InformInvestGroup is another group of Kremlin’s contractors, whose roads, according to the “Digital Revolution”, lead to military unit No. 64829, known as the FSB Information Security Center. This company has repeatedly been executing orders from the Ministry of Internal Affairs of Russia, and the net profit in 2018 amounted to 12 million rubles.

The activity of white hackers is aimed to identify such non-public companies that “cooperate” with the FSB for profit. Digital Revolution hack-activists first made a statement in December 2018, when they broke down servers that they believed belonged to another FSB contractor, the Kvant Research Institute. Then a description of the system used by the special services to monitor public opinion and search for protest sentiment was leaked to the web. In July 2019, the Digital Revolution published projects of another FSB contractor, the Saitek Company, focused on de-anonymizing users of the famous “Tor” browser, investigating torrent vulnerabilities, collecting information about social network users. According to “D1G1R3V”, “we will continue to expose projects that demonstrate how the authorities are trying to push us under the control of the FSB”.

Let’s come back to the content of the last leak. Hack-activists are alarming about the possible virus attacks and infecting devices that we do not yet consider to be subjected to cyber-attacks. The mentioned “Fronton” is a software weapon for the cyberattacks organization, in particular in the interpretation of the BBC Russia, which was the first to report the leaked information. The so-called DoS attack DDoS attack, (Distributed) Denial-of-service attack – attacks on a computer system to make computer resources inaccessible (in the case of the Fronton using Internet of Things (IoT) devices). With the help of “Fronton”, it is possible to infect smart devices and network them (so-called botnets – networks. They can include hundreds of thousands of bots). For its functioning, a botnet needs not only casual devices from your home such as a kettle or a vacuum cleaner but the machines with large channels that carry a lot of heavy traffic. It could be IP cameras or digital video recorders. A botnet may conduct a successful DDoS attack with 95% of such machines. Journalists have suggested that such botnet can bring down even a big Internet service or cut off the Internet access for users in a particular country. A special server can be used to find targets for attacks, which can be connected to through a private virtual network or a “Tor” browser. The “Tor” itself (The Onion Router) is a system designed to ensure anonymity on the Internet. Tor client software routes Internet traffic through a worldwide network of voluntarily installed servers to hide the user’s location. The infection scheme is quite simple: infected machines scan the network, thereby infecting other devices. When a certain number of machines (up to several tens of thousands) is reached a complete search of all addresses is possible for the IPv4 address range. Thus, the principle of anonymity in the network becomes threatened.

Assuming such a scenario, the media refer to the materials from the presentation «Botnets of the Internet of Things» and a document called “Review”. “The Internet of Things is less secure, unlike mobile devices or servers” according to the “Review”. The “Mirai” experience is also mentioned there. Сurrently it is the most known network of infected devices with 600 000 bots. It became possible to create it due to the fact that device users didn’t change the standard passwords and settings on their smart devices. Problems with access to Twitter, PayPal, SoundCloud, and other well-known services were the results of the “Mirai” bot network operation.

Just imagine such development of events in the conditions of coronavirus pandemic, when a staggering amount of information about the course of disease worldwide, interstate aid, or sharing experience comes to us via the internet, social networks or file-sharing websites. Their unavailability even for a few hours can lead to unpredictable consequences. Could it be advantageous to the FSB or other law enforcement agencies? Quite possibly. The goal of white hackers, so as ours, is to prevent the spread of FSB-related cyber threats and attacks, alarming even when there is minimal suspicion. Before it’s too late.

Other online media, dailystorm.ru, positioning itself as a resource for a group of Russian altruistic journalists from different media united in order to convey the truth about the processes in Russia and abroad to Russian citizens, conducted its professional investigation into the leak by “Digital Revolution” hackers. According to the author of dailystorm.ru, it is not correct to judge the Fronton system or the FSB’s evil intentions based on published documents, and the presentation “Botnet Internet of Things” itself does not provide reliable answers. The fact is that it is most likely related to the initial stage of development of such software, the documents do not contain any seals or authorized signatures, so it is unknown which part of the work has been started, is being carried out or has been completed. The author emphasizes that almost all the technical documents presented are not final, and it is only about the stage of software with viral characteristics development. But the author does not deny that with such software it is quite possible to scan the Internet and attack the found devices by collecting and networking them. The FSB or other hypothetical user of the “Fronton” system can theoretically obtain its network, similar to the popular “Tor” network, which uses host chains and secure connections. The authors of dailystorm.ru, based on the lack of direct evidence and the weakness of the technical solution, however, consider this leak as the exposure of the possible fact of public money misuse rather than a real intention to bring down the Internet of things. The documents mention the brute-force method (full password reset) and Hydra – an open code tool for such brute-force known since 2001. This is why Hydra is blocked and detected easily. Thus, the “Fronton” system that uses hydra is neither new nor threatening.

It is a fact that the one who is warned is protected, isn’t it? We may not know the truth, but we need the hacker information to detect at least one real threat, even if the previous 100500 would be a typical hype or unverified information.

Link to Digital Revolution website  https://www.d1g1r3v.net/

Inna Krupnyk for Promote Ukraine