On Wednesday, July 13th, 2019, Russia’s Federal Security Service (FSB) was the target of a massive security breach that led to the exfiltration of 7.5 terabytes of data. Among this information were details of ongoing confidential projects that aim to de-anonymize Tor traffic and collect social media data from users of popular sites.

Several sources are labeling the breach as ‘The Largest Data Breach in History’, not because of the content of the information uncovered, but because of the simplicity with which it was accomplished. The described breach emphasizes how third-party contractors, vendors, and consultants can pose a threat to a company’s information and become the source of a security breach.

1 terabyte of data is capable of holding 500 hours worth of movies.
Tor allows users to disguise their identity while browsing, anonymizing their traffic from advertisers, ISPs, and websites.

What happened and who’s responsible?

A group of hackers calling themselves 0v1ru$ successfully targeted an FSB contractor named SyTech by stealing copious amounts of data outlining numerous cyber activities. The group released the names and corresponding details of the agency’s non-public projects, some of which include:

  • Nautilus – aims to collect data about social media users from popular sites such as Facebook and LinkedIn (also known as social media scraping)
  • Nautilus-S – a project with the goal of deanonymizing individuals using Tor browsers by decrypting Internet traffic
  • Reward – a project to covertly penetrate peer-to-peer (P2P) networks in order to spy on torrent users
  • Mentor – attempts to monitor and search email communications of Russian companies
  • Hope – a project that aims to allow the country to develop a “Russian Internet”, separate from the rest of the world
  • Tax-3 – focuses on the creation of a private intranet to store sensitive government information that is only accessible by those permitted

The data retrieved was then passed along to a larger, more well-known hacking group called Digital Revolution, who proceeded to share the files with various media outlets as well as their online Twitter community. Many sources suggest that the projects were contracted by the FSB’s Military Unit 71330, the same individuals accused of sending spyware files to Ukrainian intelligence officers back in 2015.

What are the important lessons to be learned?

Allowing third-party contractors access to sensitive or confidential data can lead to the loss of control over a company’s security. The breach of Russia’s Secret Intelligence is one of many examples where high-level contractors have been either the target or the source of sensitive data exfiltration/disclosure. Other well-known examples include Edward Snowden, an NSA subcontractor who leaked highly classified government information. More recently, an ex-NSA contractor by the name of Harold Martin was sentenced to nine years for hoarding stolen documents.

Given this threat, it is vital that a company understands the risks and regulations involved when introducing a third party into its business. Additionally, stricter security policies, procedures, and guidelines should be applied to contractors than to regular employees in order to minimize the risk posed by third parties. Outlining how a contractor may access or store company property and data is a crucial aspect and is often detailed within Service Level Agreements. Any time a company is looking to outsource its services and allow a contractor access to private information, terms and conditions should be communicated and detailed explicitly to prevent unauthorized and/or intentional data disclosure.