{"id":56200,"date":"2024-04-10T20:21:31","date_gmt":"2024-04-10T16:21:31","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178007\/moscollection-ru.txt"},"modified":"2024-04-10T20:21:31","modified_gmt":"2024-04-10T16:21:31","slug":"fuxnet-disabling-russias-industrial-sensor-and-monitoring-infrastructure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/fuxnet-disabling-russias-industrial-sensor-and-monitoring-infrastructure\/","title":{"rendered":"Fuxnet: Disabling Russia&#8217;s Industrial Sensor And Monitoring Infrastructure"},"content":{"rendered":"<p>MOSCOLLECTOR TAKEDOWN &#8211; 9th of April 2024<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<p>Russia&#8217;s Industrial Sensor and Monitoring Infrastructure has been disabled:<br \/>[moscollector.ru](https:\/\/www.moscollector.ru\/)<br \/>Hacked data is available at<br \/>[https:\/\/ruexfil.com\/mos](https:\/\/ruexfil.com\/mos\/)<br \/>It includes Russia&#8217;s Network Operation Center (NOC) to monitor and control Gas, Water, Fire alarm<br \/>and many others, including a vast network of remote sensors and IoT controllers. 
A total of 87,000<br \/>sensors have been disabled.<\/p>\n<p>Milestones:<br \/>&#8211; Initial access June 2023.<br \/>&#8211; Access to<br \/>[112 Emergency Service](https:\/\/ruexfil.com\/mos\/takedown\/112-emergency-service.png)<br \/>.<br \/>&#8211; 87,000<br \/>[sensors](https:\/\/ruexfil.com\/mos\/takedown\/sensors)<br \/>and controls have been disabled (including Airports, subways, gas-pipelines, &#8230;).<br \/>&#8211;<br \/>[Fuxnet](https:\/\/ruexfil.com\/mos\/takedown\/fuxnet\/)<br \/>(stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment<br \/>(by NAND\/SSD exhaustion and introducing bad CRC into the firmware).<br \/>&#8211; Fuxnet has now started to flood the RS485\/MBus and is sending &#8216;random&#8217; commands to 87,000 embedded<br \/>control and sensory systems (carefully excluding hospitals, airports, &#8230;and other civilian targets).<br \/>&#8211; All servers have been deleted. All routers have been reset to factory reset. Most workstations (including<br \/>the admins&#8217; workstations) have been<br \/>[deleted](https:\/\/ruexfil.com\/mos\/takedown\/)<br \/>.<br \/>&#8211; Access to the office building has been disabled (all key-cards have been invalidated).<br \/>&#8211; Moscollector has recently been<br \/>[certified by the FSB](https:\/\/ruexfil.com\/mos\/takedown\/FSB\/fsb-certifies-mos.jpg)<br \/>for being &#8216;secure &amp; trusted&#8217; (picture included)<br \/>&#8211; Defaced the webpage (https:\/\/web.archive.org\/web\/20240409020908\/https:\/\/moscollector.ru\/)<\/p>\n<p>The media pack, screenshots and videos are available here:<br \/>[https:\/\/ruexfil.com\/mos\/takedown](https:\/\/ruexfil.com\/mos\/takedown\/)<br \/>(<br \/>[.onion](http:\/\/cnqdc7cn4y5t6l5mxmyhwrp6wbneialihcdidc6a6ctdcrhktzmdbiqd.onion\/)<br \/>)<\/p>\n<p>It contains:<br \/>&#8211; GPS coordinates of all 87,000 sensors<br \/>&#8211; Database of their internal and<br \/>[secure 
Messaging](https:\/\/ruexfil.com\/mos\/takedown\/dumps\/)<br \/>Platform (Dialog; used by Moscollector employees).<br \/>&#8211; Screenshots of the Network Operation Centre<br \/>&#8211; Screenshots of servers, routers, databases, &#8230;<br \/>&#8211; Screenshots of maps, blueprints of buildings, &#8230; etc etc<br \/>&#8211; Screenshots accessing their domain registrar<br \/>&#8211; Screenshots of FuxNet source code and mode of operation<br \/>&#8211; Video of FuxNet deploying and disabling the sensors<\/p>\n<p>The Op was conducted by BlackJack.<\/p>\n<p>&#8212; After takedown report<br \/>&#8211; About 1,700 sensor routers were destroyed. The central command-dispatcher and DataBase has been destroyed.<br \/>=&gt; All 87,000<br \/>[sensors are offline](https:\/\/ruexfil.com\/mos\/takedown\/fuxnet\/)<br \/>&#8211; Key-cards to enter the office and server rooms have been invalidated<br \/>&#8211; All databases have been<br \/>[wiped](https:\/\/ruexfil.com\/mos\/takedown\/)<br \/>.<br \/>&#8211; All mail has been<br \/>[wiped](https:\/\/ruexfil.com\/mos\/takedown\/)<br \/>.<br \/>&#8211; A total of 30TB of data has been wiped. 
Including the backup drives.<br \/>&#8211; Zabbix and other internal staging and monitoring servers have been wiped.<br \/>&#8211; All admin workstations and most user workstations have been wiped.<br \/>&#8211; Exhausted the corporate credit card.<br \/>&#8211; Took control of their<br \/>[domain](https:\/\/ruexfil.com\/mos\/takedown\/domain\/we-now-own-their-domain.png)<br \/>&#8220;moscollector.ru&#8221;.<br \/>=&gt; Our server stats:<br \/>[WEB Traffic](https:\/\/ruexfil.com\/mos\/takedown\/domain\/domain-stolen-traffic.png)<br \/>,<br \/>[Email Traffic](https:\/\/ruexfil.com\/mos\/takedown\/domain\/domain-stolen-emails.png)<br \/>&#8211; Took down their<br \/>[Firewall](https:\/\/ruexfil.com\/mos\/takedown\/takedown_firewall.png)<br \/>and disabled their Internet.<br \/>&#8211; Webpage has been defaced:<br \/>https:\/\/web.archive.org\/web\/20240409020908\/https:\/\/moscollector.ru\/<br \/>&#8211; Took over their Facebook:<br \/>[Blackjack Was Here](https:\/\/ruexfil.com\/mos\/takedown\/facebook_blackjack-was-here.png)<br \/>,<br \/>[Slava Ukraini](https:\/\/ruexfil.com\/mos\/takedown\/facebook_ukraine.png)<br \/>&#8211; Disabled 566 of their<br \/>[SIM cards](https:\/\/ruexfil.com\/mos\/takedown\/phone-sims-disabled.png)<br \/>\/<br \/>[phones](https:\/\/ruexfil.com\/mos\/takedown\/phone-sims-disabled2.png)<br \/>.<br \/>&#8211; Data published at<br \/>[https:\/\/ruexfil.com\/mos\/takedown](https:\/\/ruexfil.com\/mos\/takedown\/)<br \/>.<\/p>\n<p>Sent with [Proton Mail](https:\/\/proton.me\/) secure email.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MOSCOLLECTOR TAKEDOWN &#8211; 9th of April 2024&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212; Russia&#8217;s Industrial Sensor and Monitoring Infrastructure has been disabled:[moscollector.ru](https:\/\/www.moscollector.ru\/)Hacked data is available 
at[https:\/\/ruexfil.com\/mos](https:\/\/ruexfil.com\/mos\/)It includes Russia&#8217;s Network Operation Center (NOC) to monitors and control Gas, Water, Firealarmand many others, including a vast network of remote sensors and IoT controllers. A total of 87,000sensors have been disabled. Milestones:&#8211; Initial access &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56200","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56200"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56200\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}