An investigation into the FSB’s digital surveillance and disinformation contractor

Key Takeaways

• 0Day Technologies (0DT) is a private company contracted by the FSB to develop surveillance and disinformation capabilities.

• 0DT were compromised by hacktivist group Digital Revolution in 2019, who released stolen documents detailing the company’s products, employees, and clientele.

• 0DT’s surveillance work was mostly on SORM, the Russian government’s main surveillance technology. The company developed a suite of tools from deep packet inspection (DPI) to analysis, including social graphs for identifying dissidents and lawful intercept of social media and messaging apps.

• 0DT’s archived website reveals similarities between products offered to private clients and surveillance capabilities built for the FSB.

• 0DT’s clients include private Russian companies in the transportation, mining, financial and telecommunications sectors. Public clients include state-owned energy companies, government departments like the Ministry of Internal Affairs and intelligence agencies like the FSB.

• 0DT clients include FSB Unit 71330 (AKA DragonFly, EnergeticBear, Crouching Yeti), which was publicly blamed by the US and UK governments for attacking critical national infrastructure overseas.

• 0DT was also procured by FSB Unit 64829 to build Fronton, an Internet-of-Things (IOT) botnet inspired by Mirai. Fronton conducts mass internet scanning and brute forcing default passwords to infect devices.

• Fronton is used as command & control (C2) infrastructure for SANA, despite being incorrectly by media outlets as being used for DDoS attacks.

• SANA is a disinformation platform which allows users to rapidly spin up networks of social media bots. Bots use predetermined behaviour and reaction models to automatically target specified narratives, communities and accounts.

• 0DT uses Moscow State University (MSU) as a front for public procurement as well as recruiting grounds for employees. 0DT leadership includes current academics in MSU’s Faculty of Mathematics and Cybernetics.

Table of Contents

1. Key Takeaways
2. Table of Contents
3. Digital Revolution & 0DT
4. Oracle Filter
5. Analytics
6. Control (AKA “0Control”, “0MDM”)
7. Guardian (AKA “0Terminal”)
8. Fronton
9. SANA
10. Employees
11. Using MSU as a Front
12. Internal Functioning
13. Clientele
    1. FSB 
       1. 8th Center
       2. 16th Center (Unit 71330)
       3. 18th Center
14. Acknolwedgements

Digital Revolution & 0DT

On 18 March 2020, Russian hacktivist group Digital Revolution published leaked files obtained in April 2019 from 0Day Technologies LLC (OOO ЗИРОУДЭЙ ТЕХНОЛОДЖИС, AKA “0ДТ” or “0DT”), a private Russian company alleged to have developed digital surveillance capabilities for the FSB, Russia’s interior security intelligence agency.

The documents included official marketing documents, technical product specifications and internal documentation belonging to 0DT, demonstrating the group’s surveillance products, internal functioning, and links to the Russian intelligence community as well as a wider network of private clients.

Figure 1: 0DT internal documentation leaked by Digital Revolution

More importantly, the documents revealed the company’s work on digital surveillance tools for the FSB,  which includes work on SORM-2 the second generation of Russia’s SORM (System for Operative Investigative Activities) surveillance systems. In addition to developing technologies for deep-packet inspection (DPI) installed on telecommunications infrastructure, 0DT developed a suite of analysis tools that allow FSB operatives to aggregate, analyze and track data from a variety of social media and internet sources. One feature includes audience reaction monitoring to track reactions to state propaganda. The company has since repackaged surveillance capabilities developed for the FSB to be marketed corporate clients, putting digital surveillance tools in the hands of private companies to spy on both employees and the general public.

Of interest, as reported by Nisos in May 2022, the documents revealed 0DT’s work on developing tools for conducting information operations at scale, which includes Fronton, an Internet-of-Things (IoT) botnet based on Mirai serving as the backend for SANA, a front-end tool used by operatives to create autonomous social media bots, define automated behaviour and reaction models, and promote disinformation. Leveraging an IoT botnet allows SANA to circumvent social media platforms’ security measures and allows persistence for bots spreading disinformation.

Furthermore, the documents demonstrate a strong relationship between 0DT and MSU’s Faculty of Computational Mathematics and Cybernetics (VMK), as a majority of employees are either current faculty or alumni. 6 employees are believed to have been recruited by 0DT during their time in the department. The documents also provide insight into the 0DT’s clients, which includes several FSB departments, as  well as major Russian banks, telecommunications providers, and companies of various industry verticals, including mining, energy and transportation.

Label / “Metka”

According to leaked documents, 0DT developed “Label” (“Metka”), a tool for data collection and analysis embedded within SORM-2. 0DT boasted advantages to their product such as unlimited bandwidth and coverage of over 200 network protocols for data collection, with the ability for users to install additional add-ons developed by the company, such as add-ons for intercepting VoIP and messages on gaming platforms such as Discord and TeamSpeak. Once installed, the tool parses and analyses packets from captured traffic, labelling data based on 2000 parameters, which can include the following fields: (Figure 2)

• Subscriber account name
• Phone number / IMEI / IMSI
• IP and MAC Address
• Email address
• VoIP account ID
• IM handle
• ICQ (VoIP + IM)
• URLs
• FTP Resource address
• Application layer protocol code

Figure 2: Interface for 0DT’s “label” system

Supported sources include (Figure 2):

• Facebook
• Twitter
• VKontakte
• Telegram
• WHatsapp
• Odnolassniki
• Viber
• SMS
• RSS Feeds
• Radio & television broadcasting and logs

Figure 3: Data extraction, analysis and visualisation process as illustrated by 0DT

Figure 4: Translated diagram

Figure 5: List of sources for data collection by Label

Once collected, data can be visualized and analysed by operators on a web interface. The tool conducts several data analysis routines to detect suspicious behaviour and correlate target’s physical location, movements, and actions including: detecting the use of anonymizing technologies, building a movement map based on metadata, and extracting geographic data from target’s map app. Location data would then be correlated with the geographic position of nearby public transport locations as well as CCTV footage and photos in the targets’ area in real time.

In addition, the data is automatically aggregated from various social media and analysed to identify targets’ social networks and “nodes of influence”, including public opinion. This type of analysis is common in counter-terrorism analysis methods, which includes the use of “information cascades”- the behavioural analysis of networks to determine influential nodes which are likely to be coordinating other nodes, such as ISIS chiefs coordinating specific cells.

Data would also be analysed to identify “moods, interests and activity” of social networks as well as any legal entities connected to the subject, such as companies, organisations or NGOs.

Figure 6: Social graph determined by Label

Figure 7: Social graph determined by Label

According to the leaked documents, data collected on targets is used by operators to automatically build “dossiers” on targets’ actions, using advanced behavior modelling and pattern-of-life analysis (Figure 5).

Figure 8: Target profile and behavior modelling based on VKontakte data

The tool also includes features designed to monitor audience reactions to state media and propaganda organs. The below examples show monitoring of audience reactions to broadcasts on Vkontakte, with analysis the distribution of users’ gender, age and city of residence.

Figure 9: Audience analysis features described in leaked 0DT documents

Repackaging for private clients

Figure 10: Archive of 0DT’s website

While 0DT’s website (0day[.]llc) is currently offline, OSINT has revealed archived versions of their public website, which contains an “About” section, a presentation of the company’s products, contact details and a client login page (as of October 26, 2020).

The “Products” section reveals that the company advertised four main products: “Oracle” AKA Oracle Filter, “Analytics”, “Control” AKA 0Control and “Guardian” AKA 0Terminal.

Figure 11: Products listed on 0DT’s archived website

While the descriptions of these tools is heavily marketed towards corporate use, OSINT reveals that these products are likely repackaged versions of analytical tools developed for SORM, due to a similarity in the advertised capabilities and even the use of similar language.

Oracle Filter

Oracle Filter is marketed as a filtering application for “monitoring, analyzing and applying access policies for network traffic” on corporate networks. The tool includes capabilities such as, controlling access to network resources, monitoring user activity, and compiling reports on user activity over time.

Figure 12: Product sheet for Oracle on 0DT’s archived website

The tool’s specifications go on to specify that network activity is correlated with “subjects” and presented in “human-readable format”, hinting at the analysis and visualisation tools developed as part of 0DT’s Label product.

A distribution kit “with installation and usage guide” is linked at the bottom of the page, linking to a resource on 0DT’s website named hxxps://0day[.]llc/static/dpi/oracle-filter-distro.zip. Based on the resource path, this product likely uses DPI technology developed for SORM under government contracting work.

Analytics

0DT’s “Analytics” tool is a competitive intelligence and due diligence tool that leverages data aggregated from social media in order to paint a “social portrait” of competitors in view of completing a risk assessment. The product’s fact sheet poses the following questions asked by prospective clients that the tool can help answer: How successful are competitors? Are contractors honest? Are counterparties blacklisted? Who is the new employee?

Figure 13: Product sheet for “Analytics” on 0DT’s archived website

At risk of sounding familiar, the tool collects and aggregates data from “various social networks”, allowing clients to “combine information about one subject from disparate data sources”. Based on collected data, 0DT claims that clients will be able to automate the collection of data and tracking of “authors”. Having collected sufficient data, clients would be able to draw up the “social portrait” of a subject based on identified patterns, build a behavioral model and maintain a “detailed dossier”, including “abnormal deviations in behavior”. The platform would also form a “relationship graph” between entities, allowing further investigation of the subject.

The tool boasts further FININT data collection capabilities for corporate entities, including, historical financial statements, borrowed capital, participation in public procurement, staff turnover, as well as bespoke “information retrieval” capabilities by 0DT “specialists”.

The development of behavioral models and social networks based on collected data is a direct echo to capabilities advertised for Label in leaked documents, demonstrating how a product marketed as “competitive intelligence” is in fact a fully-fledged surveillance tool initially developed for Russian intelligence. 

Control (AKA “0Control”, “0MDM”)

0Control is allegedly a Mobile Device Management (MDM) system designed to manage “workstations and mobile devices” by using centralized security policies. Amongst the listed capabilities that distinguish 0Control from competitor products according to 0DT:

• Wide range of supported devices (IOS/Android)
• “Ability to fine-tune to a specific business model”
• “Energy-efficient methods for determining geographic location”

Figure 14: Product sheet for 0Control on 0DT’s archived website

We were able to verify the product’s geographic location services from leaked documents, with several screenshots of web UIs labelled as “0MDM”(Figure 12, Figure 13). These screenshots show that the tool has the capability of placing users on maps, tracking movement, as well as monitoring mobile updates, added or modified contacts, private messages, installed applications, downloaded files, and connected SD Cards.

Figure 15: Leaked 0Control/0MDM control panel UI

Figure 16: Leaked 0Control/0MDM control panel UI

Figure 17: List of applications installed by employees on the 0Control UI

This product likely leverages monitoring and mapping capabilities from the Label project in order to allow 0DT clients to spy on employees. OSINT was not able to reveal how these MDM apps are distributed and installed on employee devices, as they are not openly listed on app stores.

Guardian (AKA “0Terminal”)

Guardian is a product stated to use DPI and sandbox technologies to protect corporate networks, preventing critical information from “getting on the internet”. Beyond this, the product’s technical description remains vague, and does not reveal any further capabilities. A potential codename for the product would be “0Terminal”, as the product’s specification page was hosted on the following URL: 0day[.]llc/products/0Terminal.

Disinformation Tooling

According to findings from cybersecurity firm Nisos, one of the tools commissioned by the FSB and developed by 0DT is a disinformation platform s dubbed SANA, which Nisos researchers believe may stand for Social media Analytical Scientific Apparatus (Соцсетный Аналитичесный Научный Аппарат.) SANA allegedly includes a suite of analysis and visualisation tools built on top of Fronton, an IoT botnet inspired by Mirai, a popular botnet amongst cybercriminals. Devices compromised by Fronton are automatically enrolled into the botnet, allowing SANA to leverage a wider network of compromised devices from which FSB operators can automatically create bots on social media platforms, allowing the FSB to circumvent social media platform checks for authenticity by routing all bot traffic via compromised devices and anonymized servers, including TOR.

Fronton

Fronton is an IoT botnet which draws heavy inspiration from existing botnets, such as Mirai. One of the leaked documents includes an overview of existing botnets, explaining their functioning, advantages and shortcomings. The document provides step-by-step functioning of the Mirai botnet in particular, indicating a desire to replicate some of the methodologies used by Mirai developers.

Leaked documents translated by security researcher Swithak demonstrate that 0DT developed a tool with a web interface to automatically scan the internet for vulnerable IoT devices based on “Fingerprints”, which are likely digital signatures used by the scanner to identify specific types of IoT devices (Figure 17). Operators of the tool can also specify which IP ranges and ports to scan for on devices, with ports 22 (SSH), 80 (HTTP), 445 (SMB) and 56123 set as defaults.

Figure 17: UI for the scanning applications’ fingerprinting feature

Having identified vulnerable devices, operators are then able to conduct dictionary brute-forcing attacks against them. Dictionaries of usernames and passwords are configurable within the tool, allowing the operators to upload lists of common default username and password configurations for specific device models (such as “admin”/”admin” or “user”/”password”, Figure 18). Changelog documents also suggest that Fronton uses Hydra, a penetration-testing tool for brute-force attacks.

Figure 18: Instructions for operators to add password dictionaries for brute-force attacks

Figure 19: Changelog document asking for the replacement of keywords like “hydra”, potentially demonstrating the use of Hydra, a brute-force penetration testing tool

Requests are then anonymized using preconfigured “anonymisation chains” provided by 0DT (Figure 19). Leaked documents show that these chains use several techniques for maintaining operational security (OPSEC) when scanning the internet for vulnerable devices, including:

• Routing traffic through VPNs from third party providers
• Code obfuscation
• Removal of Russian-language strings and Cyrillic characters
• Anonymization of authentication into compromised devices
• Closing of unused ports on compromised devices

Figure 20: Specifications of Fronton’s OPSEC and anonymization measures

SANA

Having established a botnet of compromised IoT devices, 0day developed a comprehensive disinformation platform with a web interface dubbed SANA, which used Fronton and a distributed transport system for controlling compromised devices remotely.

SANA allows users to seamlessly create accounts on social media platforms including Facebook, Twitter, Instagram and VKontakte, whose activity is then automated using behavioural models which can be preset by operators. Digital Revolution posted a video on March 19, 2020 showing a walkthrough of the SANA UI. including how users can create new accounts, configure their behaviour, and operate them. 

The platform contains a comprehensive visual builder for behavioural models for new accounts. When creating a new model, operators can define how many weekly likes, comments, photo uploads, reposts, joined communities and added friends an account can accumulate. 

Operators can also define time ranges in the day for when accounts operate, which would allow them to spoof activity timezones, a common marker used by disinformation researchers to detect accounts operating in specific timezones. Timezones can be potential markers of attempted coordinated inauthentic behavior (CIB), as networks of accounts posing as American or British citizens may be posting in ranges of time closer to daylight in Moscow or Beijing.

SANA also allows users to create “reaction models” which will define how bots interact with posts. In addition to setting hard limits on the amount of likes and comments that can be posted by each bot, the platform also lets users define the tone for reactions, including which types of topics or posts to comment on. While the default value is set to “positive/universal” posts, users can select a mood (“positive”, “neutral” or “neutral”) as well as types of topics, such as “universal”, “sport”, “movie”, “games”, and more interestingly, “political”. In order to evade detection from social media platforms, reaction models can be configured to act at specific time delays and models, between 0 and 180 minutes.

The platform also offers a builder for full disinformation botnets, by creating batches of fake users in “groups”. Having defined the behaviour of accounts for a new botnet, either by using custom-built models built in the platform or presets like “Office Workers”,  operators can also specify dictionaries of first names and surnames to randomly attribute to the group of  bots. Although name dictionaries are likely to be customised by operators, default presets include names both in Russian and English, suggesting that this tool can likely be used to create social media bots posing as English-speaking users.

Users of the platform can then choose a third-party SIM service for receiving one-time passwords (OTPs) for registering on social media platforms. The tool has integrations with a variety of Russian-hosted services, including SIMSMS, SMS-REG, SMS Activate, and others. This would enable users to further bypass social media platform registration policies by allocating unique numbers to each generated bot, which can then be used to register accounts with phone numbers, considerably speeding up the sign-up process. Users can then define the age range of bot accounts in the group from 18 to 65 as well as the quantity of bots to generate for the group. Users are then populated under the group page with randomized passwords, birth dates and genders. “Edward Aramov” is born.

A script then automatically opens Facebook in a browser, populates the user registration form with the bot’s name, last name, phone number, birth date, password and gender. Upon registration, SANA automatically fetches the OTP from the selected third-party OTP service, which users need to manually paste into the browser window to successfully register on Facebook.

Once SANA users have registered a sufficient number of accounts, they can start operating entire campaigns via the platform. “Newsbreaks” is likely the name given by 0DT to specific campaigns waged by operators, where SANA users can instruct groups of bots to react to specific topics by selecting a source, group, and reaction module. Further settings allow SANA users to specify Facebook pages to follow as well as a community ID, which suggests that the tool can also post in Facebook groups or other closed communities. Users can also specific keywords to trigger reactions from botnets, as well as a set of tones for reactions, with default presets including “Approval” and “Condemnation”.

Based on the reaction, bots are then prompted to identify relevant posts on the target page. An automated script navigates to the page, follows it and posts a comment determined by the bots’ reaction model as well as the “infopod” settings. In the example demonstrated in the video leaked by Digital Revolution, a bot operating on the “Office Worker” behaviour model, between the ages of 20 and 30, identified a target page, StopGame.ru, and a target post mentioning the video game Cyberpunk 2077, the name of which was defined as a keyword trigger by the SANA user. Based on a tone setting set to “Approval”, the user posts a glowing review on StopGame’s post: “I can’t disagree”.

Company Profile

Employees

The leaked documents named 8 employees working at 0DT:

• Ruslan Radjabovich Gilyazov
• Vladimir Anatolyevich Zakharov
• Vladimir Sergeevich Anashin
• Andrey Alexandrovich Kosinov (LinkedIn)
• Alexander Igorevich Mischenko
• Nikolai Igorevich Mischenko (named in the documents but no online source found)
• Maxim Vladimirovich Nikloaev
• Olga Khramtsova 

Using OSINT, we were able to identify a further 4 employees:

• Anton Zhabolenko
• Pavel Sitnikov (LinkedIn)
• Alexander Eliseev (LinkedIn)
• Nathan Vlasenko

This tally of 12 employees matches the number of employees listed online for the company. Furthermore, the identified employees demonstrate the company’s strong connection with Moscow State University (MSU)’s Faculty of Computational Mathematics and Cybernetics (Department of Information Security), suggesting that the company’s director Gilyazov is using MSU as a front for 0DT’s activities.

Pavel Sitnikov (AKA Freedomf0x, Flatl1ne) is a former Russian cybercriminal arrested in May 2021 by Russian authorities for selling malware source code on his Telegram channel. Nisos’ report on Fronton publicly linked him to 0DT by identifying the company listed under his Linkedin account, assessing that Sitnikov “likely has extensive knowledge of the functionality of the Fronton infrastructure.” According to an interview in July 2022, Sitnikov took up employment at 0DT in August 2021 after being contacted by Gilyazov prior to the start of his trial, as “a plus in the eyes of the court”. Sitnikov claimed he was employed in a strict consultancy role, and was not involved in the development of Fronton. Furthermore, Sitnikov claimed that Fronton was an elaborate ploy used by intelligence agencies to justify higher budgets. He quit 0DT in May 2022 (LinkedIn) and started X-Panamas, a cybersecurity company, with another 0DT employee, Olga Kharamtsova.

Using MSU as a Front

The company, established by Ruslan Radjabovich Gilyazov in December 2011, uses MSU’s Faculty of Computational Mathematics and Cybernetics (VMK) as a cover for its activities and as a recruiting platform, enrolling students from the faculty into research on its projects. Leaked correspondence between Gilyazov and the Russian Ministry of Communications demonstrates that Gilyazov uses MSU and 0DT interchangeably to exchange with the Russian government, explaining that it is “easier to work through 0DT”, calling MSU administrators “money-hungry crocodiles”. He further notes that it is also easier to work through the private venture as 0DT and MSU, as “in practice [0DT] is the same as MSU, because it uses the same pool of University [sic, refers to MSU] employees” and that, in any case, “0DT is equal to MSU in terms of information security”(Figure 2, Figure 3). We were able to verify this claim by enumerating the list of 0DT employees above- Gilyazov, Anashin and Zakharov are all listed as faculty on VMK’s website. Zhabolenko, Eliseev (LinkedIn) and Nikolaev are all MSU alumni. These academics have long lists of published academic papers on the topics of information security, data analytics and cryptography.

Figure 21: Leaked correspondence between Gilyazov and the Ministry of Communications

Figure 22: Translated document

Furthermore, the correspondence mentions that 0DT DPI technology is “based on MSU technologies after 10 years of research”, and that 0DT is supported by “FSB center 12 and 18”. (Figure 4, Figure 5) This further demonstrates the deep relationship between the company and MSU, in addition to the relationship between 0DT and Russian intelligence.

Figure 23: Leaked correspondence between Gilyazov and the Ministry of Communications

Figure 24: Translated document

Internal Functioning

Digital Revolution also leaked a document dated 19 February 2018 containing contractual terms for 0DT employees. The document reveals that employees were asked to clock in and out of work by sending messages to Olga Khramtsova via Telegram, referring to Khramstrova as the “Administrative and Economic” (“АХЧ”) Director. Maxim Nikolaev is also mentioned as manager, and GIlyazov as the General Director.

Figure 25: Leaked internal document

Clientele

The leaked documents reveealed that the following companies are clients of 0Day Technologies:

Sector	Name
Mining	JSC UEK
Mining	JSC UK Kuzbassrazrezugol
Mining	JSC UMMC
Transport	Russian Railways
Transport	NPK Uralvagonzavod JSC
Transport	New Fowarding Company JSC
Transport	TransGroup AS LLC
Financial	Sberbank
Financial	Petrocommerce
Financial	Moscow Bank for Reconstruction and Development
Telecommunications	Rostelecom
Telecommunications	Vimpelcom
Energy	Rosatom
Energy	JSC Technsabexport
Energy	Mosenegro
Government	Ministry of Health
Government	FSB (8th Center, 16th Center, 18th Center)
Government	Ministry of Internal Affairs (Bureau of Special Technical Measures)

FSB 

8th Center

The FSB’s 8th Center (AKA Center for Information Protection and Special Communications) is the FSB’s defensive cybersecurity unit.

16th Center (Unit 71330)

The FSB’s 16th Center (AKA Unit 71330, Center for Electronic Communications Surveillance, TsRRSS) is a SIGINT unit within the FSB. Unit 71330 houses teams which conducted cyberattacks on critical national infrastructure between 2013 and 2020, as publicly attributed by the US DOJ and UK’s NCSC in March and April 2022 respectively. The UK and US governments have also attributed activity associated with Energetic Bear (AKA DragonFly, Crouching Yeti, Berserk Bear) to teams within Unit 71330. While the unit has been known to target CNI overseas in the US, UK and Europe, the UK government also believes that Unit 71330 is responsible for conducting cyber operations against domestic targets, including dissidents, prominent critics of the Kremlin, as well as the general Russian public.

Figure 26: Structure of Russian APT groups

Espionage against domestic targets conducted by Unit 71330 includes attempts at gaining access to the email inbox of an associate of Aleksey Navalny, the main opposition leader, in September 2017. Russian oligarch-in-exile Mikhail Khodorkovskiy was also targeted by the unit in 2020, including attempts to spear-phish the oligarch’s press secretary as well as gathering intelligence on dossier[.]center, a leak website set up by Khodorkovskiy to expose corruption in the Kremlin. The website notably hosted information on the FSB.

18th Center

The FSB’s 18th Center (AKA, Center for Information Security, Unit 64829) is the branch responsible for SORM, counterintelligence, and internal surveillance. Despite this remit, hackers from Unit 64829 were indicted by the US DoJ in March 2017 for breaching Yahoo in 2014, resulting in the theft of information pertaining to over 500 million Yahoo accounts. Unit 64829 was also accused by the US of targeting critical infrastructure in 2021.The unit was also the main point of contact for cooperation with Western law enforcement agencies such as the FBI to crack down on cybercrime.

The documents leaked by Digital Revolution reveal that 0Day’s work on Fronton was procured by Unit 64829.

Where are they now?

Nisos’ report on Fronton in May 2022 was able to identify an active demo instance for SANA (sana.0day[.]llc) on 0DT’s main domain (0day[.]llc- previously 0day[.]ru). 0DT’s public infrastructure is no longer accessible, and has been put behind Cloudflare infrastructure (172.67.179[.]90).

0DT’s employment history may indicate that the company is still active, with new hires joining as recently as March 2022.

Acknolwedgements

Special shout-out to @Swithak for providing access to the leaks and general guidance.

Thanks to @_John_Doyle for additional info on attribution to Unit 71330.