Fuxnet: Disabling Russia's Industrial Sensor And Monitoring Infrastructure

2024.04.11
Credit: ruexfil
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

MOSCOLLECTOR TAKEDOWN - 9th of April 2024
---------------------------------------------------------------

Russia's Industrial Sensor and Monitoring Infrastructure has been disabled: [moscollector.ru](https://www.moscollector.ru/)

Hacked data is available at [https://ruexfil.com/mos](https://ruexfil.com/mos/)

It includes Russia's Network Operation Center (NOC) used to monitor and control gas, water, fire alarms and many others, including a vast network of remote sensors and IoT controllers. A total of 87,000 sensors have been disabled.

Milestones:
- Initial access June 2023.
- Access to [112 Emergency Service](https://ruexfil.com/mos/takedown/112-emergency-service.png).
- 87,000 [sensors](https://ruexfil.com/mos/takedown/sensors) and controls have been disabled (including airports, subways, gas pipelines, ...).
- [Fuxnet](https://ruexfil.com/mos/takedown/fuxnet/) (Stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and introducing bad CRC into the firmware).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, ... and other civilian targets).
- All servers have been deleted. All routers have been reset to factory settings. Most workstations (including the admins' workstations) have been [deleted](https://ruexfil.com/mos/takedown/).
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been [certified by the FSB](https://ruexfil.com/mos/takedown/FSB/fsb-certifies-mos.jpg) as 'secure & trusted' (picture included).
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/).

The media pack, screenshots and videos are available here: [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/) ([.onion](http://cnqdc7cn4y5t6l5mxmyhwrp6wbneialihcdidc6a6ctdcrhktzmdbiqd.onion/))

It contains:
- GPS coordinates of all 87,000 sensors
- Database of their internal and [secure messaging](https://ruexfil.com/mos/takedown/dumps/) platform (Dialog; used by Moscollector employees)
- Screenshots of the Network Operation Centre
- Screenshots of servers, routers, databases, ...
- Screenshots of maps, blueprints of buildings, ... etc.
- Screenshots accessing their domain registrar
- Screenshots of Fuxnet source code and mode of operation
- Video of Fuxnet deploying and disabling the sensors

The Op was conducted by BlackJack.

---

After takedown report
- About 1,700 sensor routers were destroyed. The central command-dispatcher and database have been destroyed. => All 87,000 [sensors are offline](https://ruexfil.com/mos/takedown/fuxnet/)
- Key-cards to enter the office and server rooms have been invalidated.
- All databases have been [wiped](https://ruexfil.com/mos/takedown/).
- All mail has been [wiped](https://ruexfil.com/mos/takedown/).
- A total of 30TB of data has been wiped, including the backup drives.
- Zabbix and other internal staging and monitoring servers have been wiped.
- All admin workstations and most user workstations have been wiped.
- Exhausted the corporate credit card.
- Took control of their [domain](https://ruexfil.com/mos/takedown/domain/we-now-own-their-domain.png) "moscollector.ru". => Our server stats: [WEB Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-traffic.png), [Email Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-emails.png)
- Took down their [Firewall](https://ruexfil.com/mos/takedown/takedown_firewall.png) and disabled their Internet.
- Webpage has been defaced: https://web.archive.org/web/20240409020908/https://moscollector.ru/
- Took over their Facebook: [Blackjack Was Here](https://ruexfil.com/mos/takedown/facebook_blackjack-was-here.png), [Slava Ukraini](https://ruexfil.com/mos/takedown/facebook_ukraine.png)
- Disabled 566 of their [SIM cards](https://ruexfil.com/mos/takedown/phone-sims-disabled.png) / [phones](https://ruexfil.com/mos/takedown/phone-sims-disabled2.png).
- Data published at [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/).



Copyright 2024, cxsecurity.com
