The hack of an FSB contractor has exposed details of the Russian intelligence agency’s cyber weapons program aimed at exploiting vulnerabilities in IoT devices.

Digital Revolution, a Russian hacking group, has claimed credit for the April 2019 breach of subcontractor ODT (Oday) LLC, which was working with frequent Russian Ministry of Internal Affairs contractor InformInvestGroup CJSC, and published 12 technical documents revealing what the FSB has dubbed the Fronton Program.

Inspired by the Mirai botnet, the program developed in 2017 and 2018, according to a ZDNet report, suggests creating an IoT botnet for the FSB marshalling devices – particularly internet security cameras and digital recorders – that still use default logon credentials or easy-to-crack user names and passwords.

Once pulled into the botnet, the devices could be used to execute DDoS attacks. “If they transmit video, they have a sufficiently large communication channel to effectively perform DDoS,” the report cited an expose by BBC Russia as saying.

The FSB’s unit 64829, or FSB Information Security Center, apparently placed a procurement order for the project.

“This is the first time the use of IoT botnets by nation-state actors has been revealed as fact,” said Ben Seri, vice president of research at Armis. “This illustrates the tip of the iceberg in terms of IoT attacks taking place in the wild by a wide array of threat actors.”

But the technique of taking advantage of unsecured IoT devices, to create a powerful army of devices that can carry out massive DDoS attacks tried and true. “This leak shows a few critical things. First, how certain nation state actors may use this technique to carry out similar DDoS attacks,” said Seri. “Second, how they may distance their core operation from it, in an attempt to hide behind the benign looking IoT devices.”

Finally, he contended, this is only the beginning, “given that IoT devices represent the easiest route into a business.” 

“This is the first time the use of IoT botnets by nation-state actors has been revealed as fact,” said Ben Seri, vice president of research at Armis. “This illustrates the tip of the iceberg in terms of IoT attacks taking place in the wild by a wide array of threat actors,”

But the technique of taking advantage of unsecured IoT devices, to create a powerful army of devices that can carry out massive DDoS attacks tried and true. “This leak shows a few critical things. First, how certain nation state actors may use this technique to carry out similar DDoS attacks,” said Seri. “Second, how they may distance their core operation from it, in an attempt to hide behind the benign looking IoT devices.”

Finally, he contended, this is only the beginning, “given that IoT devices represent the easiest route into a business.” 

This isn’t the first time the FSB has suffered an embarrassing breach. Hackers reportedly stole 7.5 TB of data from the intelligence service’s contractor SyTech, which revealed details on several of its activities or prospective projects, including the collecting of information on users of social media services Tor and P2P networks.

SyTech, has worked for FSB’s radio-electronic intelligence unit 71330 since 2009. The July 13 breach reportedly exposed details on “Nautilus,” a plan to gather information on users of Facebook, MySpace, LinkedIn and similar services; “Nautilius-S,” a project to deanonymize Tor traffic using Tor servers; and “Reward,” a scheme to secretly penetrate P2P networks.