Russian government procured powerful botnet to shift social media trending topics

Karl Semich 0xloem at gmail.com
Sun May 22 03:28:40 PDT 2022


https://www.nisos.com/blog/fronton-botnet-report/

An Investigative Report – May 2022

In March 2020, a hacktivist group called “Digital Revolution” claimed
to have hacked a subcontractor to the FSB, the Federal Security
Service of the Russian Federation. They claimed the hack occurred in
April 2019. They released documents and contracts about a botnet
system of Internet of Things (IoT) devices built by a contractor, 0day
Technologies. This botnet is known by the codename Fronton (Фронтон).
Media outlets went crazy. Headlines called it a tool that could be
used to “turn off the Internet in a small country.”[1] Most analyses
assumed that the goal of the system was distributed denial of service
(DDoS). A day later, another tranche of documents, images, and a video
were released, with significantly less fanfare.

Nisos research focused on the distribution of the numerous content
types. The second release noted that DDoS "is only one of the many
capabilities of the system."[2] Nisos analyzed the data and determined
that Fronton is a system developed for coordinated inauthentic
behavior on a massive scale. The system includes a web-based
dashboard known as SANA that enables a user to formulate and deploy
trending social media events en masse. The system creates these events,
which it refers to as Инфоповоды ("newsbreaks"), using the botnet as
a geographically distributed transport.

SANA creates social media persona accounts, including provisioning of
an email address and phone number. In addition, the system provides
facilities for creating these newsbreaks on a scheduled or reactive
basis. Two example lists of posting source dictionaries were included
in the data. One, involving comments around a squirrel statue in
Almaty, Kazakhstan, may have affected the reporting on a BBC story. As
of April 2022, 0day Technologies has changed its domain from 0day[.]ru
to 0day[.]llc. An instance of the SANA system appears to be up at
https://sana.0day[.]llc . Nisos assessed that this is possibly a
testing or demo instance and is not currently used by the FSB.

Nisos researchers conducted open-source research[3] indicating that 0day
is known as 0Dt, full name Zeroday Technologies LLC (0Дт, OOO ЗИРОУДЭЙ
ТЕХНОЛОДЖИС), based at Ulitsa Profsoyuznaya, D. 125, Etazh Tsokolnyi
Pomesht. I, Kom. 14, Moscow; Postal Code: 117647.

Additional research indicated that the well-publicized Russian hacker Pavel
SITNIKOV (known by his alias FlatL1ne) may be employed by 0Dt.
SITNIKOV previously bragged about his connections with APT28, aka
Fancy Bear, and was arrested by Russian authorities in 2021.[4] Nisos
assessed that he likely has extensive knowledge of the functionality
of the Fronton infrastructure and the SANA front-end systems.



To learn more, download the complete Nisos Research report.[5]

1: https://www.bbc.com/russian/news-51951933
2: http://web.archive.org/web/20200322062701/http://www.d1g1r3v.net/
3: https://www.emis.com/php/company-profile/RU/0Dt_OOO__0%D0%94%D1%82_%D0%9E%D0%9E%D0%9E__en_4765737.html
4: https://therecord.media/an-interview-with-russian-hacker-pavel-sitnikov-there-is-no-hacking-scene-now-only-commerce/
5: https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/fronton-report.pdf
