Russian government procured powerful botnet to shift social media trending topics

A subcontractor for Russia’s Federal Security Service is accused of creating a powerful botnet that had the ability to not only launch damaging DDoS attacks but also manipulate trending topics on social media platforms, according to cybersecurity firm Nisos.

In a report released this week, the company explained that it analyzed documents, images and a video stolen from 0day Technologies, a Russian government contractor that was attacked by a hacktivist group named “Digital Revolution” in March 2020. 

While initial media reports on the documents obtained by the hacktivists focused on how the botnet — named Fronton — could be used to “turn off the Internet in a small country,” a deeper analysis showed that it was primarily developed “for coordinated inauthentic behavior on a massive scale,” Nisos said.

The company said the system included a dashboard named SANA that allowed users to “formulate and deploy trending social media events en masse” by creating fictitious social media accounts. 

“The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport. SANA provides for the creation of social media persona accounts, including email and phone number provisioning. In addition, the system provides facilities for creating these newsbreaks on a schedule or reactive basis,” Nisos explained. 

The report explains in detail 0day Technologies’ ties to the Russian government and criminal underground groups, including infamous hackers like Pavel Sitnikov, who has connections to the hacking group known as APT28 or Fancy Bear, and was arrested by Russian officials in 2021.

“We assess that he likely has extensive knowledge of the functionality of the Fronton infrastructure and SANA front-end systems,” Nisos said. 

At the time of the initial hack in 2020, the documents revealed that in 2017 and 2018, the Russian government was interested in building a large IoT botnet similar to Mirai. The specs laid out a plan to create a botnet out of a web of compromised internet security cameras and digital recorders. 

But in the documents obtained by Nisos, the researchers say the “primary purpose” of Fronton “is not to create Denial of Service attacks, but to lay groundwork for massively scalable coordinated inauthentic behavior.”

The botnet “consists of a layer of compromised IoT devices that communicate with front-end server infrastructure. These servers then pass their data over VPNs or the TOR network to back-end servers,” Nisos explained. “While the system could not exist without this groundwork, it is not the focal point of the Fronton network. This base layer is then utilized by the SANA platform in order to coordinate inauthentic behavior and propagate disinformation at a global scale.”

Digital Revolution even released a video showing how SANA would work. The platform is customizable based on whether it is used for social media platforms like Facebook and Twitter or blogs, media sites, forums and other websites.

“It also allows an operator to configure how many likes, comments, and reactions a bot account should create, as well as how often it should create photos and interact with groups on a weekly basis. An operator can also specify a numeric range of the number of friends a bot should maintain,” the Nisos researchers noted.

The documents show the tool was used throughout 2018 and that it was mostly centered around the “newsbreak” feature – which allowed users to create media attention and buzz around any topic of interest. 

SANA provided users with tools to select a group of botnet users with which to react positively, negatively or indifferently using one of the predefined reaction models.

Twitter and Facebook did not respond to requests for comment.

Management of likes, comments and reposts

The tool allowed users to program the weekly frequency of likes, comments, and reposts while also providing a list of response patterns that could be used.

Users could even set the minimum frequency of actions as well as the intervals between actions. 0day Technologies also built a machine learning component, which could be switched on and off, that tracked behavioral trends on social media.

“Groups are auto-generated sets of accounts created by the system that are organized by platform and country,” Nisos explained.

“The operator can choose from a list of names and a dictionary of surnames. The operator can then select the SMS API platform to use in order to create a phone number to automatically respond to two-factor authentication requests and other platform text requests.”
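Seen from the platform side, the scripted, group-wide reaction behaviour described above (a fixed cohort of accounts liking, commenting on and reposting the same target within minutes) is exactly what trust-and-safety detection looks for. The following is an added example, not code from Nisos, 0day Technologies or the original article; the event log is constructed, and the window size and thresholds are assumed starting points rather than values from the report:

```python
"""Toy detector for coordinated reactions on social media posts.

Added example (not from the Nisos report). Input is a constructed
activity log of (account, action, target, epoch_seconds) tuples.
Two signals are combined:
  1. burst_groups: many distinct accounts reacting to one target inside
     a short sliding window.
  2. recurring_cohort: the same accounts showing up together in several
     such bursts, which separates a scripted group from an organic spike.
"""
from collections import defaultdict

# Constructed sample events. b1..b6 imitate a scheduled bot "group";
# u1..u3 imitate organic users reacting at unrelated times.
SAMPLE_EVENTS = [
    ("b1", "like", "post:42", 1000), ("b2", "like", "post:42", 1030),
    ("b3", "comment", "post:42", 1045), ("b4", "like", "post:42", 1090),
    ("b5", "repost", "post:42", 1120), ("b6", "like", "post:42", 1150),
    ("u1", "like", "post:42", 5000), ("u2", "comment", "post:42", 9000),
    ("b1", "like", "post:77", 8000), ("b2", "like", "post:77", 8020),
    ("b3", "like", "post:77", 8050), ("b4", "comment", "post:77", 8090),
    ("b5", "like", "post:77", 8110), ("b6", "repost", "post:77", 8140),
    ("u3", "like", "post:77", 30000),
    ("u1", "like", "post:99", 20000), ("u2", "like", "post:99", 20100),
]


def burst_groups(events, window=300, min_accounts=5):
    """Return {target: set(accounts)} for every target on which at least
    `min_accounts` distinct accounts reacted within `window` seconds.

    The window and threshold are assumed values for this example; a real
    deployment would tune them per platform and per action type.
    """
    by_target = defaultdict(list)
    for account, _action, target, t in events:
        by_target[target].append((t, account))

    flagged = {}
    for target, hits in by_target.items():
        hits.sort()  # sort by timestamp so each window is a contiguous slice
        for i, (t0, _) in enumerate(hits):
            in_window = {acct for t, acct in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                flagged[target] = flagged.get(target, set()) | in_window
    return flagged


def recurring_cohort(flagged, min_targets=2):
    """Return the accounts that took part in at least `min_targets`
    flagged bursts. Accounts that burst together repeatedly are far more
    likely to be a managed group than a coincidental pile-on."""
    appearances = defaultdict(int)
    for accounts in flagged.values():
        for account in accounts:
            appearances[account] += 1
    return {a for a, n in appearances.items() if n >= min_targets}


def analyze(events, window=300, min_accounts=5, min_targets=2):
    """Convenience wrapper returning (flagged_targets, cohort)."""
    flagged = burst_groups(events, window, min_accounts)
    return flagged, recurring_cohort(flagged, min_targets)


if __name__ == "__main__":
    flagged, cohort = analyze(SAMPLE_EVENTS)
    for target, accounts in sorted(flagged.items()):
        print(f"{target}: burst from {len(accounts)} accounts")
    print("recurring cohort:", sorted(cohort))
```

On the constructed log, both `post:42` and `post:77` are flagged as bursts and the six `b*` accounts form the recurring cohort, while `u1`, `u2` and `u3` are never flagged. The two-stage design matters: a single burst is also what a genuinely viral post looks like, so the cohort check across several targets is what turns a noisy signal into something an analyst can act on.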

In recent years, several social media companies have begun releasing reports on inauthentic behavior, highlighting the global prevalence of fake accounts used for a range of political purposes.

Last month, Facebook parent company Meta released an Adversarial Threat Report that found a network based in Saint Petersburg, Russia that targeted Nigeria, Cameroon, Gambia, Zimbabwe and the Democratic Republic of the Congo with news critical of France’s influence across the African continent. 

Meta said it was able to tie the activity to the notorious Russian Internet Research Agency, an organization well-known for its role in interfering in the US presidential election in 2016.

The Meta report also highlighted a range of bot activity, espionage and coordinated attacks on Facebook and Instagram in a number of countries, including Azerbaijan, Brazil, Costa Rica, the Philippines, El Salvador and Iran. 

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
