
Suspicious sniffers: Programmer discovers thousands of phone numbers, addresses, and geolocations apparently leaked by Russia’s ‘SORM’ surveillance tech

Source: Meduza
Rostelecom data center, December 2015
Andrey Rudakov / Bloomberg / Getty Images

On August 25, Russian programmer Leonid Evdokimov gave a talk titled “SORM Defects” at the “Chaos Constructions” IT conference in St. Petersburg, about the public availability of Russian Internet users’ personal data. Meduza summarizes his findings and reexamines the industry that might be responsible for this leak.

It turns out that Russians’ mailing addresses, telephone numbers, login names, and geolocation coordinates are openly available 

Evdokimov says an acquaintance drew his attention in April 2018 to an IP address on the Rostelecom network that openly hosted certain statistics about user traffic. He says he initially guessed this was the IP address of a so-called “packet sniffer,” which Rostelecom was presumably using to intercept and log traffic to try to track the various means by which the instant messenger Telegram evades the Russian federal censor’s blocking efforts. 

But Evdokimov didn’t find any direct evidence that the equipment was involved in monitoring Telegram traffic. Instead, based on how the traffic distribution varied with the time of day, he speculated that it was “part of the real-time equipment used in wiretapping.” Using the open-source network scanner “ZMap,” Evdokimov found 30 more “suspicious packet sniffers” in the networks of at least 20 Russian Internet providers.

On these devices’ IP addresses, Evdokimov found open FTP (File Transfer Protocol) servers, as well as certain “live traffic,” where — among other data — he discovered “something very similar” to the mobile phone numbers of the providers’ clients, their logins, email addresses, network addresses, messenger numbers, and even the GPS coordinates clearly transmitted by inadequately protected smartphones running outdated firmware. “All these data make it possible to determine exactly whose traffic this is, and which clients they are,” Evdokimov concluded.

Evdokimov found evidence that this personal data was published by equipment the government uses to spy on Internet traffic

“Like any honest person, the first thing I did was reach out to the Internet providers about this, to find out what was going on. They told me that this is a standard ‘box’ from the SORM developer and ‘Revizor’ [Auditor] system,” Evdokimov explains. In his presentation, he also shared excerpts from his online correspondence with an unnamed employee at an Internet provider, who states directly that the sniffer equipment in question was manufactured by “MFI Soft” — one of the largest suppliers of SORM equipment. Evdokimov clarified to Meduza that this exchange took place in May 2018.

In correspondence with Evdokimov, staff at MFI Soft refused to believe that the company’s hardware was the source of the data leaks, and attributed them instead to the “corporate information security systems” operated by the telecoms’ clients. Evdokimov told Meduza, however, that two of the 30 addresses contained in the published data packages explicitly mentioned MFI Soft.

An excerpt from Leonid Evdokimov’s correspondence with an employee at a Russian telecom:

“This is a standard box from MFI Soft. When we were buying this kind of thing, nobody told us about any ‘features’ like this. Theoretically, it shouldn’t be looking at the Internet, but the vendor should be keeping an eye on this, so he’s requesting remote access. So it’s part of the deal to be able to turn it inside out. One operator posts an ACL [access-control list], and the other hopes the vendor is right in the head. The reasoning is something like ‘FSB – security.’ [...] In principle, it’s still pretty innocuous statistics [...] but who knows what else is there.”
Leonid Evdokimov

“These addresses hosted FTP servers with publicly accessible copies of certain computer programs that were marked as software from this vendor [MFI Soft],” Evdokimov explains. With the other 28 addresses, he says, the equipment manufacturer wasn’t directly identified, but “pretty typical statistics page templates” were accessible. Because pages like these aren’t standardized, they generally reflect the patterns used by the equipment manufacturers. Evdokimov admits that this isn’t a smoking gun against MFI Soft, and he points out that the data could theoretically be coming from MFI Soft hardware designed to collect “some kind of marketing information,” but he says he’s never heard of a SORM developer creating such equipment. 

In his presentation, the programmer showed how he was able to use the published data to reliably determine different routers’ MAC addresses and even the geographical coordinates of dozens of people living in the Dagestani village of Novosilske.

The published data even includes information from residents of Sarov, a “closed town” where Russia conducts secret nuclear research

Another device located in Moscow revealed dozens of ICQ numbers, the IMEI numbers of several hundred mobile phones, and the devices’ telephone numbers. These data likely belong to individuals, not corporate entities, because the database is populated just as actively on holidays as on weekdays, Evdokimov says, adding that several of the leaked logins also resemble personal usernames.

In the Moscow equipment’s logs, Evdokimov also found more than 300,000 GPS coordinates sent from users’ devices to various tracking services. After weeding out duplicates and rounding the coordinates, he determined that 9,000 out of 10,000 distinct points “were concentrated in our country’s nuclear capital, Sarov” (formerly Arzamas-16). He also discovered that some of the telephone numbers published by the equipment corresponded to classified ads in the Kolyuchi Sarov (Prickly Sarov) local newspaper.
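The dedupe-round-and-count step described above, as an added example that is not Evdokimov’s code or any material from his talk: it pulls latitude/longitude pairs out of request lines, collapses them to distinct rounded cells (two decimal places, roughly a kilometer), and reports how many of those cells fall inside a rough bounding box. The log format, the identifiers, and the Sarov bounding box are all assumptions made for the example; the sample lines are constructed, not leaked data.

```python
import re
from collections import Counter

# Constructed sample of tracking-service request lines. The real layout of the
# leaked statistics pages is not reproduced here; this format is an assumption.
SAMPLE_LOG = """\
2019-08-20T10:01:02 GET /track?lat=54.9312&lon=43.3251&id=a1
2019-08-20T10:01:02 GET /track?lat=54.9312&lon=43.3251&id=a1
2019-08-20T10:03:45 GET /track?lat=54.9378&lon=43.3114&id=b7
2019-08-20T10:05:10 GET /track?lat=54.9253&lon=43.3402&id=c3
2019-08-20T10:07:33 GET /track?lat=55.7558&lon=37.6173&id=d9
2019-08-20T10:09:21 GET /track?lat=54.9301&lon=43.3190&id=e2
"""

COORD_RE = re.compile(r"lat=(-?\d+\.\d+)&lon=(-?\d+\.\d+)")

# Approximate bounding box around Sarov (lat_min, lat_max, lon_min, lon_max).
# This is an assumption for the example, not a value taken from the article.
SAROV_BOX = (54.88, 54.98, 43.25, 43.40)


def extract_coords(text):
    """Return every (lat, lon) pair found in the text, duplicates included."""
    return [(float(m.group(1)), float(m.group(2))) for m in COORD_RE.finditer(text)]


def unique_rounded(coords, places=2):
    """Round each point to `places` decimals and drop duplicates.

    Rounding first and then deduplicating is what turns hundreds of thousands
    of raw fixes into a much smaller set of distinct cells.
    """
    return {(round(lat, places), round(lon, places)) for lat, lon in coords}


def cell_counts(coords, places=2):
    """How many raw fixes landed in each rounded cell (shows density per cell)."""
    return Counter((round(lat, places), round(lon, places)) for lat, lon in coords)


def in_box(point, box):
    lat, lon = point
    lat_min, lat_max, lon_min, lon_max = box
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def count_in_box(points, box):
    return sum(1 for p in points if in_box(p, box))


def analyze(text, box=SAROV_BOX, places=2):
    """Run the whole pipeline and return the numbers a reader would compare."""
    raw = extract_coords(text)
    distinct = unique_rounded(raw, places)
    inside = count_in_box(distinct, box)
    return {
        "raw_fixes": len(raw),
        "distinct_cells": len(distinct),
        "cells_in_box": inside,
        "fraction_in_box": inside / len(distinct) if distinct else 0.0,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result)
    for cell, n in cell_counts(extract_coords(SAMPLE_LOG)).most_common():
        print(cell, n)
```

On the constructed sample the pipeline reports six raw fixes, five distinct cells, four of them inside the assumed Sarov box. A bounding box is a crude filter; on real data a practitioner would swap it for a polygon or a reverse-geocoder, but the rounding-then-deduplicating step is what makes a 300,000-point dump tractable in the first place.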

A slide from Leonid Evdokimov’s presentation showing a map of Sarov and Internet users’ geolocations

The coordinates from Sarov were distributed evenly across the city (as was the data from the Dagestani village), which strongly suggests that they belong to individual users, not telecoms’ corporate clients, Evdokimov says. In the Sarov data, he also found email subject lines apparently sent by contractors working for Russia’s Federal Nuclear Center and other research organizations in the closed city.

It took more than a year to patch the vulnerability discovered by Evdokimov

In June 2018, after Evdokimov’s inquiries, Russian Internet providers started closing the pages he discovered, but six of these IP addresses still remained accessible as of August 25, 2019, and they were only shut down once and for all on August 26, when the Telegram channel unkn0wnerror published Evdokimov’s conference presentation. 

MFI Soft and another four organizations that provide SORM hardware solutions belong to the “Citadel” group, which is in turn part of Anton Cherepennikov’s business empire. According to a report by RBC on August 7, 2019, Cherepennikov is partners with Alisher Usmanov, one of the wealthiest people in Russia. (Usmanov's representatives told Meduza that the billionaire is no longer partners with Anton Cherepennikov.) According to its biggest competitor, the Citadel group controls between 60 and 80 percent of Russia’s SORM market. 

Of all the SORM equipment suppliers, MFI Soft enjoyed the most dynamic growth last year, with revenues soaring 294 percent to 10.3 billion rubles ($154.5 million), and profits jumping 298 percent to almost 2.1 billion rubles ($31.5 million). 

The Citadel group did not respond to Meduza’s request for a comment about the contents of Evdokimov’s conference presentation. Evdokimov told Meduza that he spoke to a Citadel group employee in June 2019 who said newer versions of the company’s firmware have patched the problem he discovered.

Story by Petr Lokhov

Translation by Kevin Rothrock
