

WikiLeaks exposes Russian PRISM project: SORM

Posted by bassolino at 2020-03-04

E-Security, September 20: WikiLeaks released a new batch of documents yesterday exposing the technology used to monitor Russian Internet and mobile users. It is the first time WikiLeaks has leaked material directly related to the Russian state.

Julian Assange, the founder of WikiLeaks, was accused of links to Russia last year after WikiLeaks released a large number of hacked DNC emails at a crucial moment in the US election. WikiLeaks and Assange may have come forward to disclose Russian documents in order to counter such accusations.

Although traffic monitoring has become a global phenomenon, each country's legal and technical framework is different. Russian law, especially the newly enacted "Yarovaya law", draws no clear line between lawful interception and the large-scale surveillance that state intelligence agencies carry out without a court order. Russian law requires communications providers to install, at their own expense, SORM (Система Оперативно-Розыскных Мероприятий, "System for Operative Investigative Activities") monitoring components supplied by the FSB. The SORM infrastructure is developed and deployed by the FSB, the Russian Ministry of the Interior and Russian surveillance contractors.

About SORM

SORM is Russia's technical infrastructure for surveillance. Its history goes back to 1995, from SORM-1 (capturing telephone and mobile communications) and SORM-2 (intercepting Internet traffic, 1999) to today's SORM-3. SORM can now collect all forms of communication and store users' information and data for long periods, including actual recordings and geographical location. The system keeps expanding: social media platforms were brought in in 2014, and the Russian Ministry of Communications requires companies to install new devices with deep packet inspection (DPI) capability. In 2016 SORM-3 added a classified supervision function applicable to all Internet service providers in Russia. In 2015 the European Court of Human Rights held that SORM violated the European Convention on Human Rights.

On September 19, WikiLeaks announced that it had obtained a batch of "Russian spy files" from the Russian company Петер-Сервис (Peter-Service). The batch contains 209 documents (34 base documents in different versions) dating from 2007 to 2015.

Peter-Service, established in St. Petersburg in 1992, started as a provider of billing solutions and soon became the main software supplier to the Russian mobile telecommunications industry. Today the company has offices in major cities in Russia and Ukraine, with more than 1,000 employees in Russia. The software Peter-Service develops and deploys goes far beyond traditional billing and has moved into the surveillance and control business. Although Russia imposes strict legal surveillance requirements, Peter-Service appears to be quite active in seeking business cooperation with the Russian intelligence agencies.

Peter-Service is in fact a rather unique surveillance partner, because its products hold the user data of Russian mobile operators. Valuable metadata is visible to Peter-Service, including call and message records, device identifiers (IMEI, MAC address), IP addresses, base station information and more. The Russian authorities are particularly interested in this metadata, and access for them has become a core component of the system architecture.

Some components of the Peter-Service software

The infrastructure of the Peter-Service (svc_base) software includes data retention components (DRS), SORM long-term storage components (SSP, the СП-ПУ service), an IP traffic analysis component (Traffic Data Mart, TDM) and interfaces (adapters) through which state bodies access the archived files.

Traffic data mart (TDM)

Traffic Data Mart is a system for recording and monitoring the IP traffic of all mobile devices. TDM provides a list of classified domain names covering almost all areas of interest to the Russian state. The categories include blacklisted websites, crime, blogs, webmail, weapons, botnets, drugs, gambling, aggression, racism, terrorism, etc. From the collected information the system builds reports per user device (identified by IMEI/TAC, brand and model) over a chosen time range: the categories with the most traffic, the websites with the most traffic, the websites with the longest visit time, protocol usage (browsing, mail, telephony, bit streams) and traffic/time distribution.

Data retention system (DRS)

The data retention system is a component that Russian law obliges operators to use to store all local communication metadata for up to three years. Russian state intelligence accesses the stored information through the Protocol 538 adapter built into DRS. Peter-Service claims that a DRS cluster can handle 500 million connections per day and that the average time to retrieve a user's records for one day is 10 seconds.

СП-ПУ service

In the SORM architecture, the call monitoring function is concentrated in control points (пунктах управления, ПУ) that connect to the network operator. The СП-ПУ service is an HTTPS-based data exchange interface between svc_base/DRS and the SORM components. This interface receives search requests from state intelligence and returns the search results to the originator of the request. Lawful interception requests backed by a court order are processed by the same system.

DPI products

The leaked documents also include a 2013 presentation by Valery Syssik, development director of Peter-Service, at the Russian Broadband Forum, titled "DPI / Big Data / Data Mining technologies and solutions for information collection and analysis, and ways to predict social and business trends - the key to national, corporate digital and economic ownership in the 21st century". The presentation appears to be publicly available on the Peter-Service website. It is aimed not at ordinary telecommunications providers but at an inner circle from the FSB, the Russian Ministry of the Interior and the three branches of power (legislature, executive and judiciary).

It was written a few months after Edward Snowden, an employee of an NSA contractor, leaked the NSA's mass surveillance programs. The document proposes bringing together law enforcement agencies, intelligence agencies and other stakeholders to build a data mining operation comparable to the US PRISM program. Peter-Service claims to have access to the vast majority of mobile phone call records and Internet traffic in Russia, and claims to have deployed deep packet inspection technology that examines not only IP packet headers but also the payload content. Peter-Service presents itself as a natural ally of the Russian intelligence agencies in the surveillance industry.

The core of the presentation, however, is a product called "DPI*GRID", a hardware solution for deep packet inspection: a "black box" that can handle 10 Gb/s of traffic. National Internet providers aggregate Internet traffic in their infrastructure and redirect or mirror all of it to DPI*GRID units, which inspect and analyze the traffic (the presentation does not describe the process in detail) and collect the metadata and extracted information in a database for further investigation. Regional providers can use a similar small-scale solution, "MDH/DRS", sending aggregated IP traffic to the MDH over a 10 Gb/s link for processing.

Peter-Service claims rich experience in SORM technology, especially DPI, and the ability to collect, manage and analyze "big data" for business and intelligence purposes. The company says it has experience with SORM and DPI solutions and with contextual advertising, that it is coordinating scalable national solutions for controlling digital networks, and that it strives for effective cooperation within an alliance of network participants (operators, equipment manufacturers, search engines, enterprises and state bodies).

The figure above shows the nodes of the Russian backbone infrastructure and the major providers running DPI*GRID system components in different regions. The node "topgun" most likely refers to the DPI system developed by Peter-Service.


Note: This article was compiled and reported by E-Security. Please credit the original address when reprinting.

