Russia Has New Tool For Massive Internet Shutdown Attack, Leaked Documents Claim

As the world hunkers down in coronavirus isolation and relies on the internet more than ever, a group of dissidents has revealed that Russia has new tools to shut down internet services by tapping internet-connected cameras and similar smart devices.

It's a new version of an old weapon — a creator of botnets that can drive an internet service offline with floods of fake data — that puts to use a previously untapped source of computing power: the ever-growing “internet of things.”

The new botnet tool was revealed in documents that give instructions for using a suite of hacking apps called Fronton, Fonton-3D, and Fonton-18.

That doesn’t mean the Russian FSB security service will soon be peering through Americans’ cell phones and laptops or internet-connected doorbells. Instead, it means that the Russian government has a new tool for creating a DDoS-capable botnet. These botnets harness the computing power of millions of internet-connected things, direct them to spew random data at specific computers, and overwhelm vital services into uselessness. With millions of Americans newly teleworking during the COVID-19 pandemic, the United States has never been more dependent on the internet.

The internet of things, or IoT, is a term-of-art for the vast array of electronic products that connect to the internet, from refrigerators to medical equipment to automobiles. IoT vulnerabilities have long worried national security experts who say adversaries could exploit them to shut down entire sectors of digital capabilities and infrastructure.

The documents say “An attack on national DNS servers can make the Internet inaccessible for several hours in a small country.”

On Wednesday, the group Digital Revolution claimed to have obtained technical documents that detail a suite of hacking tools — Fronton, Fonton-3D, and Fonton-18 — and offer advice for tapping into smart devices, including security cameras. Created in 2017 and 2018 by Russia’s FSB Information Security Center, the documents explain how to use the tools to make large botnet attacks on critical national services. 

“Why is our own government spying on us through the IoT? In fact, spies on the whole world. How do they do it?” Digital Revolution asked on Twitter.

Почему наше собственное правительство шпионит за нами через IoT? По сути, шпионит за всем миром. Как это им удается? #ФРОНТОН https://t.co/1Ju6Wlef9Bhttps://t.co/i44eSY5CvL pic.twitter.com/rBEdAElcpP

— DigitalRevolution (@D1G1R3V) March 18, 2020

Defense One is unable to verify the authenticity of the documents. The group made its Internet debut in December 2018 with a claim that they had hacked into the network of Russian security contractor the Quantum Research Institute and taken screenshots purporting to prove that they had administrator access.

#квантнаш #d1g1r3v #digirev @andrey_malgin @Dobrokhotov @Alexey__Kovalev @XakepRU @d_olex @unkn0wnerror pic.twitter.com/BsFmAkWc7d

— DigitalRevolution (@D1G1R3V) December 1, 2018

Later that month, they published 300 pages of internal documents from the company detailing software for social media monitoring.

In February 2019, the group published a second set of Quantum documents showing various tracking tools, including one that can de-anonymize TOR users.

Russia is known for conducting large-scale cyber attacks in foreign countries. 

“Exploring how hacked internet of things devices could bring a small country or groups of websites offline also comports with Russia's previous cyber behavior,” said Justin Sherman, fellow at the Atlantic Council's Cyber Statecraft Initiative. “While Moscow denies involvement in many cases, incidents like the DDOS attacks against Estonia in 2007 highlight that breaking into connected devices, using them to redirect web traffic, and overwhelming servers to the point of total stalling or shutdown are a tried-and-true tactic for the Russian security apparatus."

Samuel Bendett, an adviser at the CNA Corporation and a senior fellow at the Center for a New American Security, said the leak serves as another reminder that the internet of things is not secure, and that adversaries are exploiting its weaknesses. It’s a security concern that is well known, but not being taken seriously enough, by manufacturers — and not known well enough by users.

“This is especially important now, as millions of individuals are moving to telework and are using more and more insecure devices for personal and professional goals,” Bendett said.

Sherman says that the docs show a consistent appetite among Russian security services to target the Internet infrastructure of perceived adversaries. “Russian security services, per the Russian domestic internet law, are clearly concerned about the vulnerability of physical internet infrastructure to exploitation and manipulation. That these leaked documents were created a couple of years ago underscores this fact, and may additionally indicate a similar interest on the part of the FSB in exploring how internet functionality could be compromised in other countries. The Mirai botnet is one cited example.” The Mirai botnet was 2016 attack against the servers of a company called Dyn. It caused significant disruption to Deutsche Telekom customers, routers in the United Kingdom, and elsewhere.

Said Bendett, Russia sees itself playing aggressive defense more than offense. “Russia considers itself the target of Western (or American-dominated) hacking and surveillance methods. Its military and security agency underscore this point more and more often. Therefore, actions meant to "safeguard" the country are presented as defensive, not offensive.”

If the leaked documents are proven authentic, Bendett said, then it’s one more example of how Moscow feels threatened by Western technology — and what they’re planning to do about it.