Documents obtained from the Russian military by a hacking group indicate that the country’s Federal Security Service (FSB) is actively working on building a giant Internet of Things (IoT) botnet. The documents specifically reference the infamous Mirai botnet as a source of inspiration, indicating that the country is seeking the ability to direct crippling distributed denial of service (DDoS) attacks against rivals.
However, no country has yet to execute an attack on the scale of the late 2016 Mirai assaults that temporarily shut down the backbone of services such as Amazon, PayPal and Twitter.
Documents allegedly stolen from the FSB by hacker group Digital Revolution indicate that Russia is actively working on this specific capability. The documents indicate that the FSB sprung into action with this project in late 2016 after witnessing the Mirai attacks, dubbing it “Fronton.”
It calls for the organized infection and roundup of millions of poorly-secured devices to create an IoT botnet capable of gigantic DDoS attacks, with a particular focus on compromising security cameras and digital recorders capable of sending relatively large video files to targets.
The first confirmed nation-state DDoS attacks?
Several IoT botnets that are strongly suspected to be connected to nation-state APT groups have been seized and dismantled in recent years, but there has never been this clear of a “smoking gun” pointing directly back to a government agency.
It is important to note that the documents are not confirmed to have belonged to the FSB (though the agency would almost certainly never do so voluntarily). However, they have been reviewed by BBC Russia and stem from a “hacktivist” group that has an established history of leaking classified documents from both Russia and Iran. Digital Revolution has a particular focus on exposing clandestine FSB activities, leaking 7.5 terabytes of classified documents in 2019 that included plans to de-anonymize various communications and file sharing platforms such as Tor, Jabber and eD2k. In 2018, the group leaked documents from a government contractor exposing an FSB social media monitoring program.
The FSB’s “Death Star”
The FSB’s planned massive IoT botnet would almost entirely be made up of video cameras. The documents call for using various internet-connected cameras and video recorders as an almost exclusive source of compromised devices, leveraging their ability to transmit video files to increase the overall volume of traffic being pushed out during DDoS attacks. The FSB was also seeking easy targets; camera models known to use default passwords or no passwords at all, or those that have known vulnerabilities that could be exploited quickly with automated techniques.
The documents included schematics outlining the proposed network of victim devices and computers, linked by way of a set of VPNs. The FSB was very focused on anonymizing the IoT botnet and removing any potential links back to Russia; the documents go so far as to propose not using any Russian words or Cyrillic letters anywhere in the network.
Much of the work on this IoT botnet appears to have been done from 2017 to 2018, and a number of Russia-based private contractors were brought in. Among the FSB contractors were InformInvestGroup, a telecommunications company, and 0day, an obscure security company that has worked with the Russian Ministry of Internal Affairs previously. Both companies are based in Moscow. Digital Revolution claims to have obtained the documents by breaching 0day.
Beyond DDoS attacks
Attacks on the scale of the 2016 Mirai incident are a potent and frightening capability, but botnets can be used for more than just DDoS attacks. Fancy Bear’s use of the VPNFilter botnet in 2018 is a prime example. Rather than focusing on DDoS attacks, the botnet was packed with a variety of malware and scripts that it would try against any network a compromised device was connected to. The main target was reproducible vulnerabilities in a variety of router models from major manufacturers such as Mikrotik and Linksys.
Large botnets also provide the simple compute power to run all sorts of automated attacks, for example “credential stuffing” campaigns that simply try lists of breached email address and password combinations at intervals such that the logins appear to be legitimate attempts.
The tip of the iceberg?
Ben Seri, VP of Research at Armis, believes that this revelation is just the beginning in terms of government-backed APT groups making use of IoT botnets as cyber-weapons: “This leak shows a few critical things. First, how certain nation state actors may use this technique to carry out similar DDoS attacks. Second, how they may distance their core operation from it, in an attempt to hide behind the benign looking IoT devices. Third, we are only seeing the beginning of these kinds of reports, given that IoT devices represent the easiest route into a business.”