- ‘Fronton’ is the FSB’s IoT botnet project
The hacker group Digital Revolution says it has obtained details about an internet-of-things botnet, “Fronton,” that is or was allegedly being developed by a contractor for the FSB, Russia’s intelligence agency.
The botnet appears to target internet security cameras and digital recorders (NVRs), which the developers say are ideal for carrying out DDoS attacks.
BBC Russia first broke the news earlier this week.
“The group published this week 12 technical documents, diagrams, and code fragments for a project called ‘Fronton,’” reports Catalin Cimpanu for ZDNet’s Zero Day:
The technical Fronton documents were put together following a procurement order placed by one of the FSB’s internal departments, unit No. 64829, which is also known as the FSB Information Security Center.
The documents charge InformInvestGroup CJSC, a Russian company with a long history of fulfilling orders for the Russian Ministry of Internal Affairs, with building an IoT hacking tool.
According to the BBC, InformInvestGroup appears to have sub-contracted the project to Moscow-based software company ODT (Oday) LLC, which Digital Revolution claims to have hacked in April 2019.
Based on file timestamps, the project appears to have been put together in 2017 and 2018. The documents heavily reference and take inspiration from Mirai, an IoT malware strain that was used to build a massive IoT botnet in late 2016, which was then used to launch devastating DDoS attacks against a wide range of targets, from ISPs to core internet service providers.
The documents propose building a similar IoT botnet to be made available to the FSB. Per the specs, the Fronton botnet would be able to carry out password dictionary attacks against IoT devices that are still using factory default logins and common username-password combinations. Once a password attack was successful, the device would be enslaved in the botnet.
Fronton specs say the botnet should specifically target internet security cameras and digital recorders (NVRs), which they deem ideal for carrying out DDoS attacks.
“If they transmit video, they have a sufficiently large communication channel to effectively perform DDoS,” the documents read, as cited by BBC Russia.
Around 95% of the entire botnet should be made up of these two types of devices, the documents say, and each infected device should then carry out password attacks against other devices in order to keep the botnet alive.