MOSCOLLECTOR TAKEDOWN - 9th of April 2024
---------------------------------------------------------------
Russia's Industrial Sensor and Monitoring Infrastructure has been disabled: [moscollector.ru](https://www.moscollector.ru/)
Hacked data is available at [https://ruexfil.com/mos](https://ruexfil.com/mos/)
It includes Russia's Network Operation Center (NOC) to monitor and control Gas, Water, Fire alarm
and many others, including a vast network of remote sensors and IoT controllers. A total of 87,000
sensors have been disabled.
Milestones:
- Initial access June 2023.
- Access to [112 Emergency Service](https://ruexfil.com/mos/takedown/112-emergency-service.png).
- 87,000 [sensors](https://ruexfil.com/mos/takedown/sensors) and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- [Fuxnet](https://ruexfil.com/mos/takedown/fuxnet/) (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment
(by NAND/SSD exhaustion and introducing bad CRC into the firmware).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded
control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including
the admins' workstations) have been [deleted](https://ruexfil.com/mos/takedown/).
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been [certified by the FSB](https://ruexfil.com/mos/takedown/FSB/fsb-certifies-mos.jpg) for being 'secure & trusted' (picture included).
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)
The media pack, screenshots and videos are available here: [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/) ([.onion](http://cnqdc7cn4y5t6l5mxmyhwrp6wbneialihcdidc6a6ctdcrhktzmdbiqd.onion/))
It contains:
- GPS coordinates of all 87,000 sensors
- Database of their internal and [secure Messaging](https://ruexfil.com/mos/takedown/dumps/) Platform (Dialog; used by Moscollector employees).
- Screenshots of the Network Operation Centre
- Screenshots of servers, routers, databases, ...
- Screenshots of maps, blueprints of buildings, ... etc etc
- Screenshots accessing their domain registrar
- Screenshots of FuxNet source code and mode of operation
- Video of FuxNet deploying and disabling the sensors
The Op was conducted by BlackJack.
--- After takedown report
- About 1,700 sensor routers were destroyed. The central command-dispatcher and DataBase have been destroyed.
  => All 87,000 [sensors are offline](https://ruexfil.com/mos/takedown/fuxnet/)
- Key-cards to enter the office and server rooms have been invalidated
- All databases have been [wiped](https://ruexfil.com/mos/takedown/).
- All mail has been [wiped](https://ruexfil.com/mos/takedown/).
- A total of 30TB of data has been wiped, including the backup drives.
- Zabbix and other internal staging and monitoring servers have been wiped.
- All admin workstations and most user workstations have been wiped.
- Exhausted the corporate credit card.
- Took control of their [domain](https://ruexfil.com/mos/takedown/domain/we-now-own-their-domain.png) "moscollector.ru".
  => Our server stats: [WEB Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-traffic.png), [Email Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-emails.png)
- Took down their [Firewall](https://ruexfil.com/mos/takedown/takedown_firewall.png) and disabled their Internet.
- Webpage has been defaced:
https://web.archive.org/web/20240409020908/https://moscollector.ru/
- Took over their Facebook: [Blackjack Was Here](https://ruexfil.com/mos/takedown/facebook_blackjack-was-here.png), [Slava Ukraini](https://ruexfil.com/mos/takedown/facebook_ukraine.png)
- Disabled 566 of their [SIM cards](https://ruexfil.com/mos/takedown/phone-sims-disabled.png) / [phones](https://ruexfil.com/mos/takedown/phone-sims-disabled2.png).
- Data published at [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/).