Fuxnet: Disabling Russia’s Industrial Sensor And Monitoring Infrastructure
MOSCOLLECTOR TAKEDOWN – 9th of April 2024
—————————————————————
Russia’s Industrial Sensor and Monitoring Infrastructure has been disabled:
[moscollector.ru](https://www.moscollector.ru/)
Hacked data is available at
[https://ruexfil.com/mos](https://ruexfil.com/mos/)
It includes Russia’s Network Operation Center (NOC) that monitors and controls gas, water, fire alarms
and many other systems, including a vast network of remote sensors and IoT controllers. A total of 87,000
sensors have been disabled.
Milestones:
– Initial access June 2023.
– Access to the [112 Emergency Service](https://ruexfil.com/mos/takedown/112-emergency-service.png).
– 87,000 [sensors](https://ruexfil.com/mos/takedown/sensors) and controls have been disabled (including airports, subways, gas pipelines, …).
– [Fuxnet](https://ruexfil.com/mos/takedown/fuxnet/) (“Stuxnet on steroids”) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and by introducing bad CRCs into the firmware).
– Fuxnet has now started to flood the RS485/M-Bus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, … and other civilian targets).
– All servers have been deleted. All routers have been reset to factory settings. Most workstations (including the admin workstations) have been [deleted](https://ruexfil.com/mos/takedown/).
– Access to the office building has been disabled (all key-cards have been invalidated).
– Moscollector was recently [certified by the FSB](https://ruexfil.com/mos/takedown/FSB/fsb-certifies-mos.jpg) as ‘secure & trusted’ (picture included).
– Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/).
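The only technical detail the post gives about Fuxnet's final stage is that it floods the RS485/M-Bus with ‘random’ commands. As an added illustration of what that would look like to someone monitoring the bus (this is example code, not code from the original post, from BlackJack or from Moscollector), the following Python script decodes wired M-Bus link-layer frames (EN 13757-2: 0x68 long frames, 0x10 short frames, 0xE5 ACK, arithmetic checksum over the C/A/CI/data bytes) from a captured byte stream and flags the symptoms of a command flood: frames that fail their checksum, C-field values no master sends, stray bytes between frames, and an excessive command rate. The two sample byte streams, the addresses they use, the 10 commands/s limit and the 10% checksum-failure ratio are all constructed assumptions for the example, not values taken from the incident.

```python
"""Added example: decode wired M-Bus (EN 13757-2) link-layer frames from a captured
RS485 byte stream and flag traffic that looks like a command flood.
Sample streams, addresses and thresholds are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional

MBUS_START_LONG = 0x68
MBUS_START_SHORT = 0x10
MBUS_STOP = 0x16
MBUS_ACK = 0xE5

# C-field values a master legitimately transmits (PRM bit set, defined function codes):
# SND_NKE 0x40, SND_UD 0x53/0x73, REQ_UD1 0x5A/0x7A, REQ_UD2 0x5B/0x7B.
KNOWN_MASTER_C = {0x40, 0x53, 0x73, 0x5A, 0x7A, 0x5B, 0x7B}


@dataclass
class Frame:
    kind: str              # "long", "short" or "ack"
    c: Optional[int]       # control field (None for ACK)
    a: Optional[int]       # primary address
    ci: Optional[int]      # control information (long frames only)
    payload: bytes
    checksum_ok: bool


def parse_stream(data: bytes) -> tuple[list[Frame], int]:
    """Return (frames, garbage_byte_count). Bytes that start no well-formed frame are
    counted as garbage and skipped one at a time so the parser resynchronises."""
    frames: list[Frame] = []
    garbage = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b == MBUS_ACK:                                   # single-character ACK
            frames.append(Frame("ack", None, None, None, b"", True))
            i += 1
        elif b == MBUS_START_SHORT and i + 5 <= n and data[i + 4] == MBUS_STOP:
            c, a, cs = data[i + 1], data[i + 2], data[i + 3]   # 10 C A CS 16
            frames.append(Frame("short", c, a, None, b"", cs == (c + a) & 0xFF))
            i += 5
        elif (b == MBUS_START_LONG and i + 4 <= n
              and data[i + 1] == data[i + 2] and data[i + 1] >= 3
              and data[i + 3] == MBUS_START_LONG
              and i + 6 + data[i + 1] <= n
              and data[i + 5 + data[i + 1]] == MBUS_STOP):
            length = data[i + 1]                              # 68 L L 68 C A CI ... CS 16
            body = data[i + 4:i + 4 + length]                 # C A CI + user data
            cs = data[i + 4 + length]                         # sum of body bytes mod 256
            frames.append(Frame("long", body[0], body[1], body[2], bytes(body[3:]),
                                cs == sum(body) & 0xFF))
            i += 6 + length
        else:
            garbage += 1
            i += 1
    return frames, garbage


def analyze(data: bytes, window_seconds: float,
            max_commands_per_sec: float = 10.0, max_bad_checksum_ratio: float = 0.1) -> dict:
    """Summarise one capture window. Both thresholds are hypothetical and site-specific."""
    frames, garbage = parse_stream(data)
    commands = [f for f in frames if f.kind != "ack"]
    bad_cs = sum(1 for f in commands if not f.checksum_ok)
    unknown_c = sorted({f.c for f in commands if f.c not in KNOWN_MASTER_C})
    per_address: dict = {}
    for f in commands:
        per_address[f.a] = per_address.get(f.a, 0) + 1
    rate = len(commands) / window_seconds

    alerts = []
    if rate > max_commands_per_sec:
        alerts.append(f"command rate {rate:.1f}/s exceeds {max_commands_per_sec}/s")
    if commands and bad_cs / len(commands) > max_bad_checksum_ratio:
        alerts.append(f"{bad_cs} of {len(commands)} commands fail checksum")
    if unknown_c:
        alerts.append("C-field values no master sends: "
                      + ", ".join(f"0x{c:02X}" for c in unknown_c))
    if garbage:
        alerts.append(f"{garbage} bytes outside any frame")
    return {"frames": len(frames), "commands": len(commands), "bad_checksum": bad_cs,
            "unknown_c": unknown_c, "garbage": garbage, "per_address": per_address,
            "rate": rate, "alerts": alerts}


# Constructed sample 1: a normal two-second polling cycle against two meters.
NORMAL_POLL = bytes.fromhex(
    "105B056016"            # REQ_UD2 to address 5
    "1040074716" "E5"       # SND_NKE to address 7, slave ACKs
    "6804046853055101AA16"  # SND_UD to address 5, CI=0x51, one data byte
    "E5"
    "105B076216")           # REQ_UD2 to address 7

# Constructed sample 2: one second of junk aimed at address 5 - wrong checksums,
# undefined C-fields and stray bytes between frames, twelve commands in all.
FLOOD_BURST = bytes.fromhex(
    "680505 68C7050000FF 00 16"   # long frame, C=0xC7 (undefined), checksum wrong
    "680303 687F0500 84 16"       # long frame, C=0x7F (undefined), checksum right
    "FF00"                        # stray bytes
    "1053055816"                  # well-formed SND_UD
    "1040090016"                  # SND_NKE with wrong checksum
) * 3
```

Running `analyze(NORMAL_POLL, 2.0)` yields no alerts (four commands, two ACKs, everything checksum-clean), while `analyze(FLOOD_BURST, 1.0)` raises all four alerts. In practice the byte stream would come from a serial tap on the RS485 pair; the point of checking the checksum ratio and the C-field set, rather than only the rate, is that a slow but malformed stream still stands out.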
The media pack, screenshots and videos are available here:
[https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/)
([.onion](http://cnqdc7cn4y5t6l5mxmyhwrp6wbneialihcdidc6a6ctdcrhktzmdbiqd.onion/))
It contains:
– GPS coordinates of all 87,000 sensors
– Database of their internal and [secure Messaging](https://ruexfil.com/mos/takedown/dumps/) Platform (Dialog; used by Moscollector employees).
– Screenshots of the Network Operation Centre
– Screenshots of servers, routers, databases, …
– Screenshots of maps, blueprints of buildings, … etc etc
– Screenshots accessing their domain registrar
– Screenshots of FuxNet source code and mode of operation
– Video of FuxNet deploying and disabling the sensors
The Op was conducted by BlackJack.
— After takedown report
– About 1,700 sensor routers were destroyed. The central command dispatcher and database have been destroyed.
=> All 87,000 [sensors are offline](https://ruexfil.com/mos/takedown/fuxnet/).
– Key-cards to enter the office and server rooms have been invalidated.
– All databases have been [wiped](https://ruexfil.com/mos/takedown/).
– All mail has been [wiped](https://ruexfil.com/mos/takedown/).
– A total of 30TB of data has been wiped, including the backup drives.
– Zabbix and other internal staging and monitoring servers have been wiped.
– All admin workstations and most user workstations have been wiped.
– Exhausted the corporate credit card.
– Took control of their [domain](https://ruexfil.com/mos/takedown/domain/we-now-own-their-domain.png) “moscollector.ru”.
=> Our server stats: [WEB Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-traffic.png), [Email Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-emails.png)
– Took down their [Firewall](https://ruexfil.com/mos/takedown/takedown_firewall.png) and disabled their Internet.
– Webpage has been defaced: https://web.archive.org/web/20240409020908/https://moscollector.ru/
– Took over their Facebook: [Blackjack Was Here](https://ruexfil.com/mos/takedown/facebook_blackjack-was-here.png), [Slava Ukraini](https://ruexfil.com/mos/takedown/facebook_ukraine.png)
– Disabled 566 of their [SIM cards](https://ruexfil.com/mos/takedown/phone-sims-disabled.png) / [phones](https://ruexfil.com/mos/takedown/phone-sims-disabled2.png).
– Data published at [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/).
Sent with [Proton Mail](https://proton.me/) secure email.