Russian SORM/СОРМ ISP Spyware Revealed (by Nokia Grunt)

Russia’s infrastructure for spying on its citizens has been revealed this week. An errant Nokia employee put terabytes of secret data on the internet by mistake.

Oops. Perhaps I should say “ex-employee”?

But Nokia’s response to the leak was fairly tardy, too. In today’s SB Blogwatch, we break out the жареные кукурузные зерна (the popcorn).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: People.


What’s the craic, Zack? Mister Whittaker reports, “Data leak exposes SORM surveillance at Russia’s top telco”:

 Across Russia, large boxes in locked rooms are directly connected to the networks of … phone and internet companies. …[They] house equipment that gives the Russian security services access to the calls and messages of millions of citizens … providing “lawful intercept” capabilities … which Russia mandates by law.

[SORM] was first developed in 1995 as a lawful intercept system to allow the Federal Security Services (FSB, formerly the KGB) to access telecoms data. … Tech companies, including messaging apps like Telegram, also have to comply with the law.

But [leaked] documents … offer new insight into [SORM] and how Russian authorities gain access to the calls, messages and data of customers of the country’s largest phone provider, Mobile TeleSystems (MTS). The documents were found on an unprotected backup drive owned by an employee of Nokia Networks.

The exposed data — close to 2 terabytes in size — contain mostly internal Nokia files. But a portion … reveals Nokia’s involvement in providing “lawful intercept” capabilities. [They] show that the installed SORM device on each … network has direct access to the data that passes through each phone exchange, including calls, messages and data.

Another set of documents shows that the “modernized” SORM capabilities … also allow the government access to the telco’s home location register (HLR) database, which contains records on each subscriber allowed to use the cell network, including their … IMSI and SIM card details.

Alexander Isavnin, an expert at Roskomsvoboda and the Internet Protection Society, [said] work related to SORM … is “classified,” [and] Russia’s surveillance program is flawed and puts citizens at risk. [He] said Russia’s view of lawful intercept goes far beyond other Western nations with similar laws. He described SORM as “bulk wiretapping.” … “Only the FSB knows what they collect. … There is no third-party scrutiny.”

“After this came to our attention, we contacted the employee and the machine was disconnected,” … said Nokia spokesperson Katja Antila. … MTS spokesperson Elena Kokhanovskaya did not respond to several emails requesting comment.

Dude! You’re getting Dell Cameron—“Exposed Files Leak Details on SORM”:

 A California-based security company on Wednesday revealed its researchers had discovered … proprietary telecommunications data left publicly online, including hardware specifications for a lawful surveillance device used throughout the Russian Federation. … Approved for use by the FSB … Russian law mandates that telecom operators install and maintain the devices [but] other Russian agencies may also tap into the data … including the SBP, President Vladimir Putin’s personal security service.

With passage of the Yarovaya law in 2016, Russian telcos are required to store text messages, phone conversations, and other communications for up to six months. Metadata, likewise, for up to three years. Authorities do not require a court order to access it.

Who discovered it? UpGuard’s Chris Vickery—“How Russian Telco Infrastructure was Exposed”:

 Until recently the files were hosted on a rsync server configured for public accessibility. … Nokia states the data set “was a hand-over folder” from a Nokia employee to an unnamed third party. The unnamed third party then “failed to follow his company’s business processes, security policies and his personal responsibility to protect it.” The rsync server was not directly hosted by Nokia.

In 2014, a new generation of equipment known as SORM-3 was mandated, and companies like MTS had to comply, requiring a nationwide infrastructure refresh. Much of the data exposed in this collection details the 2014-2016 installation of SORM hardware by Nokia. … Dozens of other companies were also involved—one spreadsheet … lists 64 subcontractors.

Exposing any data related to a system with the power and secrecy of SORM to the public internet is an event. [But] leaking what appears to be an inventory of the most recent generation of installed hardware for a nation’s largest telecom provider is unprecedented.

The contents of the exposed files pertained to the inner workings of one of the world’s most advanced state surveillance systems. … Anyone with an internet connection could have downloaded the … documents revealing system architecture, installation sites, … credentials [for] administrative platforms … barcodes, serial numbers, … locale-specific engineering documentation, … bootloaders and other software for use with the associated hardware, … sensitive location details for the many types of network devices involved, … IP addresses, names of employees, … tips regarding how to physically enter project sites [and] information detailing the power distribution units and batteries that run the systems.

If ambitious adversaries were to seek ways in which to go from digital compromise to physical facility harm, these are the types of documents that would provide an initial roadmap. … Information that would normally require penetrating several layers of physical security can be gathered from thousands of miles away when those records are … stored insecurely.

[Our] first attempt at emailing Nokia took place in the afternoon of September 9, 2019 (to which no response was received). … During the morning of September 10th, [I] reached an individual identifying himself as a Nokia Security Manager [who said they] had “no time to deal with” the data breach notification.

On September 11, 2019, [we] reached out to a U.S. government regulator in order to seek the contact information of someone more receptive. [We spoke to] Nokia’s New York law firm. [Then] Nokia’s Head of Information Security in Finland called [me]. The rsync server was still open well into the night of September 12th, [but] on the morning of September 13th, the files were no longer publicly accessible.
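The root cause Vickery describes is an rsync daemon reachable by anyone on the internet, which is a misconfiguration that can be caught by a simple check of the daemon’s own config file. The script below is an added example for this post (not UpGuard’s, Nokia’s or the blog’s code) that parses an `rsyncd.conf`, applies the global defaults to each module, and flags modules that accept unauthenticated clients from any address, are listable, or are writable. The two configurations it audits are constructed for illustration; the module name, path, user and network are invented.

```python
"""Audit rsyncd.conf modules for anonymous, unrestricted exposure (added example)."""
import re
from typing import Dict, List

# Constructed sample: a daemon exporting a hand-over folder with no client restrictions.
WEAK_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[handover]
    path = /srv/handover
    comment = project hand-over files
    read only = yes
"""

# Constructed sample: the same export limited to a named user and a source network.
HARDENED_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
list = no

[handover]
    path = /srv/handover
    comment = project hand-over files
    read only = yes
    hosts allow = 192.0.2.0/24
    auth users = handover_rx
    secrets file = /etc/rsyncd.secrets
"""

_SECTION = re.compile(r"^\[(.+?)\]$")


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {module: effective parameters}, with global defaults applied to each module.

    rsyncd.conf ignores lines whose first non-blank character is '#' or ';';
    parameters that appear before the first [module] header are global defaults.
    """
    global_params: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = _SECTION.match(line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return {name: {**global_params, **params} for name, params in modules.items()}


def _is_true(value: str) -> bool:
    """rsync accepts yes/no, true/false and 1/0 for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd_conf(text: str) -> Dict[str, List[str]]:
    """Return {module: [findings]}; an empty list means the module passed every check."""
    findings: Dict[str, List[str]] = {}
    for name, p in parse_rsyncd_conf(text).items():
        issues: List[str] = []
        if "auth users" not in p:
            issues.append('no "auth users": clients are not authenticated')
        if "hosts allow" not in p:
            issues.append('no "hosts allow": connections accepted from any address')
        if _is_true(p.get("list", "yes")):  # rsync lists modules by default
            issues.append('"list = yes": module is shown to anyone requesting the module list')
        if not _is_true(p.get("read only", "yes")):  # read-only is the default
            issues.append('"read only = no": clients can write into the export')
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, issues in audit_rsyncd_conf(conf).items():
            print(f"[{label}] module '{module}': {issues or 'no findings'}")
```

Run against a real `/etc/rsyncd.conf`, the weak sample reports the three findings that describe an internet-facing hand-over folder (no user list, no host allow-list, listable), while the hardened sample reports none because `list = no` is inherited from the global section. The check is intentionally conservative: it flags the absence of restrictions rather than guessing at network reachability, so it belongs in a pre-deployment review alongside a firewall rule on port 873.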

But is this surprising? Jeffrey Jay Blatt—@TechLawExpert—is … uh … an expert in tech law: [You’re fired—Ed.]

 Not surprising. Global tech vendors, like Nokia and many others, provide equipment to telecoms to comply with local lawful access laws. We may not like the laws, or how they are used, but the vendors sell equipment and services as a business.

Somebody’s in big trouble. So gracchus ponders a lawsuit headed toward the Nokia employee:

 Although “lawsuit”, translated from the Russian, means “polonium cocktail” in these cases.

ikr? James Linkin—@JamesLinkin—has a more subtle take:

My condolences to the families of the staff responsible.

What’s the view from Mother Russia? Михаил Климарев is lost in translation—“Information about SORM accidentally leaked”:

 The FSB doesn’t spend a dime on SORM. It’s all built at the expense of operators, which aren’t interested in making the system work.

There are a lot of cases when all these magnificent pieces of iron are simply switched off for various reasons … for months. SORM can’t do anything with modern cryptography. The FSB potentially has control over only half-open means of communication: telephone calls, SMS and old sites that don’t use encryption.

And anyway, why is Nokia, a Western company, working on secret systems? … And who checked for … backdoors? … If Western intelligence is really spying in Russia, then there is simply no better way to gain access to communications than via such a company.

At least the NSA and FBI are competent, right? Robert Lou Dobbs III—@realRobertDobbs—gets real:

 Doesn’t the US do basically the same thing? I remember reading an article a few years ago where a network guy at AT&T was like, “Oh hey, what’s in this room? A cray with a split of the trunk feeding into it—that’s peculiar.”

Meanwhile, I’m reminded of this Anonymous Coward’s insight:

 At least Russia tells you they’re monitoring you in advance. In the US, you’re monitored 24/7 all year round and you only find out about it through evil “traitors” like Snowden.

And Finally:

POGO – People

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: UpGuard

Richi Jennings


Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
