A Mirai-Like IoT Botnet Project by Russian Intelligence

A hacking group, Digital Revolution, recently released documents describing an alleged project by Russian intelligence to build an IoT botnet that functions like the Mirai botnet. The project, codenamed Fronton, is linked to the Federal Security Service (FSB). Digital Revolution claims that the documents, created between 2017 and 2018, were retrieved from 0Day in 2019. 0Day is a contractor for the FSB, and word on the net suggests that the main contractor is InformInvestGroup CJSC.

Technical details of the project suggest that the botnet is similar to Mirai, which first appeared in 2016. To understand the rudiments of Fronton’s botnet, we will look at it from the Mirai perspective.

What is a Mirai Botnet?

Mirai is malware that infects smart devices running on Argonaut RISC Core (ARC) processors and turns them into a network of bots that can be controlled remotely, like zombies. Such a network of bots (a botnet) is then used to launch distributed denial-of-service (DDoS) attacks. Mirai scans the internet for IoT devices running on ARC processors. These devices run Linux and come with default usernames and passwords; if those default login credentials are not changed, the device is vulnerable to being recruited into a Mirai botnet.

When Mirai was released in 2016, IoT devices like webcams and baby monitors were the main targets. Now, in 2020, IoT devices comprise many domestic and enterprise tools, from healthcare to the military, transportation, chat bots and many more. This is why the Fronton project is a big deal.

About FSB’s Botnet

The documents released by Digital Revolution suggest that this particular botnet targets IP cameras and digital video recorders. 95% of the botnet is to attack these two kinds of device, then carry out password attacks on other devices to keep the botnet going. The botnet is to be managed by FSB’s contractors through a web-based administrative panel hosted on a C&C (command and control) server, which will be placed behind a VPN to hide its location.

You might want to ask, “How true is this leak by Digital Revolution?” Well, this week’s leak is not the first but the third time in three years that Digital Revolution has leaked documents from an FSB contractor. The first victim was a company called Quantum, in 2018; Quantum was working on a project that would enable the FSB to monitor social media activity. Last July, SyTech fell victim, and the Digital Revolution hackers leaked files on six FSB projects: Nautilus, Tax-3, Hope, Reward, Mentor, and Nautilus-S.

Defending Against IoT Botnets

  1. Take inventory of all IoT assets regularly.
  2. Change all default usernames and passwords on IoT devices. Where passwords cannot be changed, ensure that the network on which those devices operate is segregated.
  3. Set up good firewall practices to restrict public access over the internet.
  4. Ensure that IoT interactions are encrypted.
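The spreading behaviour described above (a bot trying default credentials against many cameras and DVRs) leaves a recognisable trace in device authentication logs. As an added example, not from the article or the leaked documents, the following Python script flags a source that fails logins against many distinct devices within a short window; the syslog layout and the sample lines are constructed for illustration and would need adapting to a real device's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real telemetry): one source hammers six
# cameras/DVRs with default-style usernames in seconds; another is one ordinary typo.
SAMPLE_LOG = """\
2020-03-20T10:00:01 cam-01 telnetd: auth failed user=admin from=203.0.113.7
2020-03-20T10:00:02 cam-02 telnetd: auth failed user=root from=203.0.113.7
2020-03-20T10:00:02 dvr-01 telnetd: auth failed user=admin from=203.0.113.7
2020-03-20T10:00:03 cam-03 telnetd: auth failed user=root from=203.0.113.7
2020-03-20T10:00:04 cam-04 telnetd: auth failed user=admin from=203.0.113.7
2020-03-20T10:00:05 dvr-02 telnetd: auth failed user=root from=203.0.113.7
2020-03-20T10:02:30 cam-01 telnetd: auth failed user=ops from=192.0.2.10
"""
# Assumed layout: "<iso-timestamp> <device> <daemon>: auth failed user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: auth failed user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse(log):
    """Yield (timestamp, device, username, source_ip) for each auth-failure line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]

def find_sprayers(log, window=timedelta(seconds=60), min_hosts=5):
    """Return {source_ip: sorted devices it hit} for each source whose failed logins
    touched at least `min_hosts` distinct devices inside any `window`-long span.
    A worm fans out across many devices in seconds; a mistyped password does not."""
    events = defaultdict(list)
    for ts, host, _user, src in parse(log):
        events[src].append((ts, host))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep span within `window`
                start += 1
            if len({h for _, h in evs[start:end + 1]}) >= min_hosts:
                flagged[src] = sorted({h for _, h in evs})
                break
    return flagged

if __name__ == "__main__":
    for src, hosts in find_sprayers(SAMPLE_LOG).items():
        print(f"ALERT: credential spraying from {src} against {len(hosts)} devices: {hosts}")
```

Tune `window` and `min_hosts` to the size of your device fleet; the thresholds here are chosen only to separate the two constructed sources.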