Mosquito, Nadezhda, Nautilus: Hackers Revealed The Essence Of The Projects Of A Secret FSB Contractor - Alternative View


The hackers hacked into the server of a large contractor of the Russian special services and departments, and then shared with journalists descriptions of dozens of non-public Internet projects: from deanonymizing Tor browser users to investigating torrent vulnerabilities.

It is possible that this is the largest leak of data on the work of Russian special services on the Internet in history.

The hack took place on July 13, 2019. Instead of the main page of the site of the Moscow IT-company Saytek, a face with a wide smile and smugly squinting eyes appeared (in Internet slang - "yoba-face").

Deface, that is, replacing the home page of the site, is a common tactic of hackers and a demonstration that they managed to gain access to the victim's data.

A snapshot with a "yoba-face" appeared on the Twitter account 0v1ru$, registered on the day of the attack. Screenshots of the "Computer" folder, presumably belonging to the victim, also appeared there. One picture shows the total amount of information - 7.5 terabytes. The next snapshot shows that most of this data had already been deleted.

The hackers also posted a screenshot of the affected company's internal network interface. Next to the names of the projects ("Arion", "Relation", "Hryvnia" and others) were the names of their curators - the employees of "Saytek".

Apparently, before removing information from the computer, the hackers partially copied it. They shared the documents with Digital Revolution, the group that in December 2018 took responsibility for hacking the server of the Research Institute "Kvant". This institution is run by the FSB.

The hackers sent Saytek's documents to journalists from several publications.


From the archive, which the BBC Russian Service was able to get acquainted with, it follows that Saytek carried out work on at least 20 non-public IT projects ordered by the Russian special services and departments. These papers do not contain notes about state secrets or secrecy.

Who does Saytek work for?

The company is headed by Denis Vyacheslavovich Krayushkin. One of Saytek's customers is the Kvant research institute, where, according to Runet-ID, Vyacheslav Vladilenovich Krayushkin works as a scientific consultant. The Krayushkins are registered in Moscow's Zamoskvorechye district.

The Research Institute Kvant refused to answer the BBC's question of whether Denis and Vyacheslav Krayushkin are related to the organization: "This is confidential information, they are not ready to voice it."

The BBC correspondent was advised to look at the Institute's website and on the Russian government procurement portal for information on joint projects between Saytek and the Research Institute Kvant. It was not possible to find contracts between Saytek and the Institute on the indicated sites.

The latest financial results were published by Saytek in 2017. Its revenues amounted to 46 million rubles, net profit - 1.1 million rubles.

The total amount of public contracts of the company for 2018 is 40 million rubles. Among the customers are the national operator of satellite communications JSC "RT Komm.ru" and the information and analytical center of the judicial department at the Supreme Court of Russia.


Saytek carried out most of its non-public projects by order of military unit No. 71330. Experts from the International Center for Defense and Security in Tallinn believe that this military unit is part of the 16th Directorate of the FSB of Russia, which is engaged in electronic intelligence.

In March 2015, the SBU accused the 16th and 18th FSB centers of sending files stuffed with spyware to the e-mails of Ukrainian military personnel and intelligence officers.

The documents indicate the address of one of the sites where the employees of "Saytek" were working: Moscow, Samotechnaya, 9. Previously, this address was the 16th department of the KGB of the USSR, then - the Federal Agency for Government Communications and Information under the President of the Russian Federation (FAPSI).

In 2003, the agency was abolished, and its powers were divided between the FSB and other special services.

Nautilus and Tor

The Nautilus-S project was created to de-anonymize Tor browser users.

Tor routes a user's connection through a random chain of nodes (servers) in different parts of the world, allowing its users to bypass censorship and hide their data. It also allows access to the darknet - the "hidden network".

The Nautilus-S software package was developed by Saytek in 2012 by order of the Kvant Research Institute. It includes a Tor exit node - a server through which requests to sites are sent. Usually such nodes are run by enthusiasts on a voluntary basis.

But not in the case of Saytek: knowing at what moment a particular user is sending requests through Tor (for example, from an Internet provider's vantage point), the program's operators could, with some luck, match those requests in time with visits to sites through the controlled node.

Saytek also planned to substitute traffic for users whose connections passed through the specially created node. Sites might look different to such users than they really are.

A similar scheme of hacker attacks on Tor users was discovered in 2014 by experts from the Karlstad University in Sweden. They described 19 interconnected hostile Tor exit nodes, 18 of which were controlled directly from Russia.

The fact that these nodes were connected was also indicated by the Tor version they had in common - 0.2.2.37. The same version is indicated in the "operator's manual" for "Nautilus-S".
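The Karlstad finding above rests on a simple observation: a group of exit relays that all run the same outdated version and sit in the same country is a cluster worth a closer look. The following is an added example, not code from the article or from any of the parties it describes, showing how a relay-monitoring script could flag such clusters. The relay records are constructed for the example and only loosely imitate Tor consensus fields; the version 0.2.2.37 and the Russian concentration come from the article, while the thresholds and the reference version are assumptions.

```python
from collections import Counter, defaultdict

# Version named in the article as shared by the hostile exit nodes.
ARTICLE_VERSION = "0.2.2.37"

# Constructed sample relay records (not real consensus data). Fields loosely
# follow what a Tor consensus exposes: nickname, version, country, exit flag.
SAMPLE_RELAYS = [
    {"nickname": "exitA", "version": "0.2.2.37", "country": "RU", "exit": True},
    {"nickname": "exitB", "version": "0.2.2.37", "country": "RU", "exit": True},
    {"nickname": "exitC", "version": "0.2.2.37", "country": "RU", "exit": True},
    {"nickname": "exitD", "version": "0.2.2.37", "country": "RU", "exit": True},
    {"nickname": "exitE", "version": "0.2.2.37", "country": "DE", "exit": True},
    {"nickname": "exitF", "version": "0.4.8.10", "country": "US", "exit": True},
    {"nickname": "exitG", "version": "0.4.8.10", "country": "DE", "exit": True},
    {"nickname": "exitH", "version": "0.4.8.10", "country": "NL", "exit": True},
    # Non-exit relays are ignored: only exits see plaintext destination traffic.
    {"nickname": "midA", "version": "0.2.2.37", "country": "RU", "exit": False},
    {"nickname": "midB", "version": "0.2.2.37", "country": "RU", "exit": False},
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(version, reference="0.4.8.10"):
    """True if `version` is older than the assumed reference release."""
    return parse_version(version) < parse_version(reference)


def cluster_exits_by_version(relays):
    """Group exit relays by the version string they advertise."""
    groups = defaultdict(list)
    for relay in relays:
        if relay["exit"]:
            groups[relay["version"]].append(relay)
    return groups


def suspicious_clusters(relays, min_size=3, country_share=0.8):
    """Flag exit-version clusters that are outdated, large enough, and
    concentrated in a single country. Thresholds are assumptions."""
    flagged = []
    for version, members in cluster_exits_by_version(relays).items():
        if len(members) < min_size or not is_outdated(version):
            continue
        countries = Counter(m["country"] for m in members)
        top_country, count = countries.most_common(1)[0]
        share = count / len(members)
        if share >= country_share:
            flagged.append({
                "version": version,
                "size": len(members),
                "country": top_country,
                "share": share,
                "nicknames": sorted(m["nickname"] for m in members),
            })
    return flagged


if __name__ == "__main__":
    for cluster in suspicious_clusters(SAMPLE_RELAYS):
        print(f"version {cluster['version']}: {cluster['size']} exits, "
              f"{cluster['share']:.0%} in {cluster['country']}: "
              f"{', '.join(cluster['nicknames'])}")
```

On the constructed data the script reports a single cluster: five exits on 0.2.2.37, four of them in Russia, while the up-to-date relays spread across three countries are left alone. A real monitor would feed it relay data from the Tor consensus and would treat a hit as a prompt for manual review, not as proof of hostility.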

In July 2019, Russia set a new record of its own - about 600 thousand Tor browser users per day.

One of the results of this work was to be a "database of users and computers actively using the Tor network," according to the documents leaked by the hackers.

“We believe that the Kremlin is trying to de-anonymize Tor purely for its own selfish purposes,” hackers Digital Revolution wrote to the BBC. “Under various pretexts, the authorities are trying to limit our ability to freely express our opinion.”

"Nautilus" and social networks

An earlier version of the Nautilus project - without the hyphenated "S" after the name - was devoted to collecting information about social media users.

The documents indicate the period of work (2009-2010) and their cost (18.5 million rubles). The BBC does not know whether Saytek managed to find a customer for this project.

The advertisement for potential clients contained the following phrase: "There is even a saying in England: 'Don't post on the Internet what you cannot tell a policeman.' Such carelessness of users opens up new opportunities for collecting and summarizing personal data, their further analysis and use for solving special problems."

The Nautilus developers planned to collect data from users in such social networks as Facebook, MySpace and LinkedIn.

"Reward" and torrents

As part of the research work "Reward", which was carried out in 2013-2014, "Saytek" had to investigate "the possibility of developing a complex of penetration and covert use of the resources of peer-to-peer and hybrid networks," according to the hacked documents.

The customer of the project is not specified in the documents. The Russian government decree on the state defense order for these years is mentioned as the basis for the study.

As a rule, such non-public tenders are carried out by the army and special services.

In peer-to-peer networks, users can quickly exchange large files because they act as a server and a client at the same time.

Saytek was going to look for a vulnerability in the BitTorrent network protocol (with the help of which users can download movies, music, programs and other files via torrents). Users of RuTracker, the largest Russian-language forum on this topic, download over 1 million torrents every day.

The network protocols Jabber, OpenFT and ED2K also fell within Saytek's sphere of interest. The Jabber protocol is used in instant messengers popular among hackers and sellers of illegal services and goods on the darknet. ED2K was known to Russian-speaking users as the "donkey" in the 2000s.

Mentor and Email

The customer for another work called "Mentor" was military unit 71330 (presumably - electronic intelligence of the FSB of Russia). The goal is to monitor email accounts of the customer's choosing. The project was designed for 2013-2014. According to the documentation provided by the hackers, the Mentor program can be configured so that it checks the mail of the chosen respondents at a given time, or collects a "smart loot group" for given phrases.

An example is a search on the mail servers of two large Russian Internet companies. According to an example from the documentation, the mailboxes on these servers belong to Nagonia, a fictional country from the Soviet spy detective "TASS is authorized to declare" by Yulian Semenov. The plot of the novel is based on the recruitment of a KGB officer by the US intelligence services in Nagonia.

Other projects

The Nadezhda project is dedicated to the creation of a program that accumulates and visualizes information about how the Russian segment of the Internet is connected with the global network. The customer for the work carried out in 2013-2014 was the same military unit No. 71330.

By the way, in November 2019, the law on "sovereign Internet" will come into force in Russia, the stated goal of which is to ensure the integrity of the Russian segment of the Internet in case of isolation from the outside. Critics of the law believe that it will give the Russian authorities the opportunity to isolate Runet for political reasons.

In 2015, by order of military unit No. 71330, Saytek carried out research work to create a "hardware and software complex" capable of anonymously searching and collecting "information materials on the Internet", while hiding "information interest". The project was named "Mosquito".

The most recent draft from the collection sent out by hackers dates back to 2018. It was ordered by the Main Scientific Innovation and Implementation Center JSC, subordinate to the Federal Tax Service.

The Tax-3 program allows the manual removal of data on persons under state protection from the FTS information system.

In particular, it describes the creation of a closed data center for persons under protection. These include some state and municipal officials, judges, participants in criminal proceedings and other categories of citizens.

The hackers claim they were inspired by the digital resistance movement against the blocking of the Telegram messenger.

The Digital Revolution hackers claim that they gave journalists the information in the form in which it was provided by the participants of 0v1ru$ (how many of them there are is unknown). "It looks like the group is small. Regardless of their number, we welcome their input. We are glad that there are people who do not spare their free time, who risk their freedom and help us," noted Digital Revolution.

It was not possible to contact the 0v1ru$ group at the time of preparing this material. The FSB did not respond to the BBC's request.

Saytek's site is inaccessible - neither in its previous form, nor in the version with the "yoba-face". When you call the company, a standard answering-machine message asks you to wait for the secretary, but after it there are only short beeps.

Andrey Soshnikov, Svetlana Reiter