Russia’s FSB wanted its own IoT botnet

If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

That happened in late 2016. Shortly after, the documents suggest, the FSB decided to get in on the act by commissioning its own botnet that would infect and control connected small footprint devices. The evidence apparently shows a procurement order from unit 64829, an internal FSB department, for a project put together in 2017 and 2018. They reference Mirai, suggesting that the FSB could develop something similar.

BBC Russia, which saw the 12 documents in the dumped cache first hand, said they refer to three variations of the project: Fronton, Fronton-3D, and Fronton-18. Each describes a botnet of infected IoT devices under the FSB’s control.

The documents include a schematic of victims’ computers communicating with back-end servers via a range of VPNs to anonymise the chain of command. The diagram shows the back-end servers connecting via the Tor anonymous onion routing system to a search server that apparently indexes the infected boxes.

The FSB seems to be at pains to hide the botnet’s origin. BBC Russia found this specification among the documents (translated):

The use of the Russian language and a connected Cyrillic alphabet is excluded, authorization is required to access the server.

The design instructions are said to detail the targeting of security cameras and digital video recorders almost exclusively, adding that because they are able to send video they would be useful source points for DDoS attacks.

Digital Revolution is a group dedicated to exposing FSB projects online. It has dropped file collections allegedly from the Russian agency before, including 170Mb of files related to projects that would scrape social networks for user data and intercept traffic using fake Tor relays.

As with last year’s 170Mb file drop, this hack details third-party contractors that the FSB appears to have enlisted to carry out the work. The primary contractor was reportedly InformInvestGroup, a Russian company that has worked extensively with the Russian Ministry of Internal Affairs. The documents suggest that this company subcontracted at least some of the work to another, called 0day (LLC 0DT), in Moscow.


Latest Naked Security podcast

go top