Expert found Russia’s SORM surveillance equipment leaking user data

A Russian security researcher has found that hardware wiretapping equipment composing Russia’s SORM surveillance system had been leaking user data.

The Russian researcher Leonid Evdokimov has found that hardware wiretapping equipment used by the Kremlin as part of the SORM surveillance system (Russian: Системаоперативно-разыскныхмероприятий, lit. ‘System for Operative Investigative Activities’) had been leaking data online.

The Russian Government obliges national ISPs to purchase and install the probes used by SORM system that allows the Federal Security Service (FSB) to monitor Internet traffic including online communications.

SORM is a mass surveillance system that allows the Government of Moscow to track online activities of single individuals thanks to the support of the Russian ISPs.

Leonid Evdokimov shared his findings at the “Chaos Constructions” IT conference in St. Petersburg on August 25, technical details of his study are reported a paper titled “SORM Defects.”

He found 30 SORM devices installed on the network of 20 Russian ISPs that were running unsecured FTP servers. The servers contained traffic logs related to surveillance activities conducted by the authorities.

“Using the open-source security scanner “ZMap,” Evdokimov found 30 more “suspicious packet sniffers” in the networks of at least 20 Russian Internet providers.”  reads the post published by website.

“On these devices’ IP addresses, Evdokimov found open FTP (File Transfer Protocol) servers, as well as certain “live traffic,” where — among other data — he discovered “something very similar” to the mobile phone numbers of the providers’ clients, their logins, email addresses, network addresses, messenger numbers, and even the GPS coordinates clearly transmitted by inadequately protected smartphones running outdated firmware.”

“All these data make it possible to determine exactly whose traffic this is, and which clients they are,” Evdokimov concluded.

Evdokimov discovered the wiretapping equipment on April 2018 and since June 2018 he worked with ISPs to secure the SORM equipment.

Data found by the expert on the unsecured FTP servers included:

  • GPS coordinates for residents of Sarov that hosts Russia’s center for nuclear research;
  • ICQ instant messenger usernames, IMEI numbers, and telephone numbers belonging to hundred mobile phones across Moscow;
  • MAC addresses of the routers and GPS coordinates for people living in the village of Novosilske;
  • GPS coordinates from smartphones running outdated firmware, from multiple locations.

The 30 SORM devices remained unsecured online until Evdokimov made his presentation at the conference.

Some of the SORM devices found by the researcher were manufactured by the Russian MFI Soft. But, while other surveillance equipments were created by other vendors.

“In correspondence with Evdokimov, staff at MFI Soft refused to believe that the company’s hardware was the source of the data leaks, and attributed them instead to the “corporate information security systems” operated by the telecoms’ clients.” continues Meduza.

According to Meduza, of all the SORM equipment suppliers, MFI Soft had the best performance last year, with revenues soaring 294 percent to 10.3 billion rubles ($154.5 million), and profits jumping 298 percent to almost 2.1 billion rubles ($31.5 million).

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase