MOSCOLLECTOR TAKEDOWN - 9th of April 2024
Russia's industrial sensor and monitoring infrastructure has been disabled: moscollector.ru

Hacked data is available at https://ruexfil.com/mos

It includes Russia's Network Operation Center (NOC) used to monitor and control gas, water, fire alarms and many other systems, including a vast network of remote sensors and IoT controllers. A total of 87,000 sensors have been disabled.

Milestones:
- Initial access June 2023.
- Access to the 112 Emergency Service.
- 87,000 sensors and controls have been disabled (including airports, subways, gas pipelines, ...).
- Fuxnet (Stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and by introducing bad CRCs into the firmware). (YouTube Video 1, YouTube Video 2)
- Fuxnet has now started to flood the RS485/M-Bus and is sending 'random' commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, ... and other civilian targets).
- All servers have been deleted. All routers have been reset to factory settings. Most workstations (including the admins' workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB as 'secure & trusted' (picture included).
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/).

The media pack, screenshots and videos are available here: https://ruexfil.com/mos/takedown (.onion)

It contains:
- GPS coordinates of all 87,000 sensors
- Database of their internal and secure messaging platform (Dialog; used by Moscollector employees)
- Screenshots of the Network Operation Centre
- Screenshots of servers, routers, databases, ...
- Screenshots of maps, blueprints of buildings, ... etc.
- Screenshots accessing their domain registrar
- Screenshots of FuxNet source code and mode of operation
- Video of FuxNet deploying and disabling the sensors
- Selected dumps of their firewall and router configs

The Op was conducted by BlackJack.

---

After-takedown report, 9th of April 19:58 UTC
- About 1,700 sensor routers were destroyed. The central command dispatcher and database have been destroyed. => All 87,000 sensors are offline.
- Key-cards to enter the office and server rooms have been invalidated.
- All databases have been wiped.
- All mail has been wiped.
- A total of 30 TB of data has been wiped, including the backup drives.
- Zabbix and other internal staging and monitoring servers have been wiped.
- All admin workstations and most user workstations have been wiped.
- Exhausted the corporate credit card.
- Took control of their domain "moscollector.ru". => Our server stats: WEB Traffic, Email Traffic
- Took down their firewall and disabled their Internet.
- Webpage has been defaced: https://web.archive.org/web/20240409020908/https://moscollector.ru/
- Took over their Facebook: Blackjack Was Here, Slava Ukraini
- Disabled 566 of their SIM cards / phones.
- Data published at https://ruexfil.com/mos/takedown.

---

Addendum, 15th of April 13:47 UTC
- The fine people at Team82 wrote a report on FuxNet.
- Updated https://ruexfil.com/mos/takedown/post-hack-update with all 2,659 IPs of the sensor-gateways that were attacked. The list comes from bash_history and the smvu and smvu2 databases found on various hosts of the target.
- About 1,700 of the sensor-gateways were reachable and successfully attacked.
- Uploaded some more screenshots of the multi-arch FuxNet binary and the Meter-Bus fuzzer/flooder.
- We disabled smsd and all other means to reboot the sensor-gateways. Thus the sensor-gateways will keep flooding the Meter-Bus until somebody physically turns off the gateways.
- The most under-reported dataset is the GPS coordinates of all sensors. It shows sensors with GPS coordinates in and around the Kremlin and sensors in other cities (not just Moscow).

---

Addendum, 20th Jun 2024:
- Video: SANS ICS Security Summit on FuxNet
- Claroty Team82 on FuxNet
- Unveiling FuxNet
- Q4/2024: Exploding Sewage Pipes