{
	"id": "680de62a-e6f7-4503-9b7f-0b24a43aa0eb",
	"created_at": "2026-04-06T00:12:14.139247Z",
	"updated_at": "2026-04-10T03:37:00.249965Z",
	"deleted_at": null,
	"sha1_hash": "2353811dd28d961509443ba68b8c440311493ebb",
	"title": "Hackers breach FSB contractor and leak details about IoT hacking project",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407269,
	"plain_text": "Hackers breach FSB contractor and leak details about IoT hacking project\r\nBy Catalin Cimpanu, Contributor, March 20, 2020 at 10:23 a.m. PT\r\nArchived: 2026-04-05 16:01:16 UTC\r\nRussian hacker group Digital Revolution claims to have breached a contractor for the FSB -- Russia's national intelligence service -- and discovered details about a project intended for hacking Internet of Things (IoT) devices.\r\nThe group published this week 12 technical documents, diagrams, and code fragments for a project called \"Fronton.\"\r\nZDNet has also seen the documents firsthand, along with BBC Russia, which first broke the news earlier this week.\r\nFronton -- the FSB's IoT botnet\r\nAccording to screenshots shared by the hacker group, which ZDNet asked security researchers to analyze, and based on BBC Russia's report from earlier this week, we believe the Fronton project describes the basics of building an IoT botnet.\r\nThe technical Fronton documents were put together following a procurement order placed by one of the FSB's internal departments, unit No. 64829, which is also known as the FSB Information Security Center.\r\nThe documents charge InformInvestGroup CJSC, a Russian company with a long history of fulfilling orders for the Russian Ministry of Internal Affairs, with building an IoT hacking tool.\r\nAccording to the BBC, InformInvestGroup appears to have sub-contracted the project to Moscow-based software company ODT (Oday) LLC, which Digital Revolution claims to have hacked in April 2019.\r\nBased on file timestamps, the project appears to have been put together in 2017 and 2018. The documents heavily reference and take inspiration from Mirai, an IoT malware strain that was used to build a massive IoT botnet in late 2016, which was then used to launch devastating DDoS attacks against a wide range of targets, from ISPs to core internet service providers.\r\nThe documents propose building a similar IoT botnet to be made available to the FSB. Per the specs, the Fronton botnet would be able to carry out password dictionary attacks against IoT devices that are still using factory default logins and common username-password combinations. Once a password attack was successful, the device would be enslaved in the botnet.\r\nFronton targeted IoT cameras and NVRs\r\nFronton specs say the botnet should specifically target internet security cameras and network video recorders (NVRs), which they deem ideal for carrying out DDoS attacks.\r\n\"If they transmit video, they have a sufficiently large communication channel to effectively perform DDoS,\" the documents read, as cited by BBC Russia.\r\nAround 95% of the entire botnet should be made up of these two types of devices, the documents say, and each infected device should then carry out password attacks against other devices in order to keep the botnet alive.\r\nFurthermore, the botnet should be managed via a web-based administration panel hosted on a command and control (C\u0026C) server, placed behind a network of VPN and proxy servers, in order to hide its real location.\r\n[Image: fronton-infra.jpg, via Digital Revolution]\r\nAccording to screenshots of the Fronton backend, the botnet was capable of targeting Linux-based smart devices, which account for the vast majority of IoT systems today. This would have allowed it to target more than just smart cameras and NVRs.\r\n[Image: fronton-backend.png, via Digital Revolution]\r\nPer the Fronton specs, the use of the Russian language and the Cyrillic alphabet was strictly forbidden throughout the project and the source code.\r\nThe C\u0026C server also needed to be password-protected, and all unused ports should be shut down to prevent other hackers from taking over the botnet's backend infrastructure.\r\nRussian state hackers have a history of hacking IoT devices\r\nThe fact that Russian state-backed hackers are interested in acquiring IoT hacking capabilities is no surprise.\r\nIn August 2019, Microsoft said that it had observed one of Russia's elite state-sponsored hacking groups breaching IoT devices in order to gain access to a more important target's internal network.\r\nFurthermore, the same group, known as APT28, is also believed to have built and run the VPNFilter IoT botnet, which the FBI took down in 2018. Fronton and VPNFilter appear to be unrelated, according to security researchers who spoke with ZDNet.\r\nThird FSB contractor hack\r\nThis week's leaks also mark the third time that Digital Revolution has leaked files from an FSB contractor.\r\nThe first victim was a company called Quantum, from where they leaked details in December 2018 about the FSB's social media monitoring projects.\r\nThe second was a company called SyTech, from where Digital Revolution hackers leaked details about six other FSB projects, ranging from Tor-busting tools to P2P hacking software:\r\nNautilus - a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).\r\nNautilus-S - a project for deanonymizing Tor traffic with the help of rogue Tor servers.\r\nReward - a project to covertly penetrate P2P networks, like the one used for torrents.\r\nMentor - a project to monitor and search email communications on the servers of Russian companies.\r\nHope - a project to investigate the topology of the Russian internet and how it connects to other countries' networks.\r\nTax-3 - a project for the creation of a closed intranet to store the information of highly sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.\r\nSource: https://www.zdnet.com/article/hackers-breach-fsb-contractor-and-leak-details-about-iot-hacking-project/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/hackers-breach-fsb-contractor-and-leak-details-about-iot-hacking-project/"
	],
	"report_names": [
		"hackers-breach-fsb-contractor-and-leak-details-about-iot-hacking-project"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2353811dd28d961509443ba68b8c440311493ebb.pdf",
		"text": "https://archive.orkl.eu/2353811dd28d961509443ba68b8c440311493ebb.txt",
		"img": "https://archive.orkl.eu/2353811dd28d961509443ba68b8c440311493ebb.jpg"
	}
}