How an unprotected backup drive exposed details on Russia’s surveillance system

  • The exposed data includes schematics, administrative credentials, email archives, office spreadsheets, backup files, and other materials relating to telecom infrastructure projects.
  • The exposed data also includes photographs and installation instructions for SORM.

What is the issue?

An unprotected backup drive containing 1.7 terabytes of data has exposed the installation details of SORM hardware deployed by Nokia in coordination with Mobile TeleSystems (MTS).

What is SORM?

System for Operative Investigative Activities, also known as SORM, is a surveillance system through which Russia’s FSB and other law enforcement agencies can intercept and inspect telecommunications.

  • Russian authorities use this system to monitor, log, and enforce blacklist censorship on traffic passing through telecom service providers' networks.
  • The SORM system can access user IDs, emails, text messages, IP addresses, phone numbers, and more.

What was exposed?

The unprotected drive includes data from at least 64 Russian telecommunications providers; however, the primary entities impacted by the data leak are Nokia and Mobile TeleSystems.

  • The exposed data includes schematics, administrative credentials, email archives, backup files, access databases, office spreadsheets, and other materials relating to telecom infrastructure projects.
  • The exposed data also includes photographs and installation instructions for SORM.

The numbers that matter

  • Of the 1.7 terabytes of exposed data, 700 GB (578,000 images) were photographs that show a vast inventory of Russian infrastructure hardware.
  • Over 245 GB were Microsoft Outlook email archives in PST format that expose logistical planning, confidential attachments, private conversations, and plaintext credentials.
  • The exposed data also includes 197,343 PDFs containing contractual agreements between telecom providers and the companies contracted to install and maintain physical hardware.

What’s the conclusion?

UpGuard researchers who uncovered the data leak contacted Nokia on September 9, 2019, and notified them about the exposure, but received no response.

Later, on September 11, 2019, UpGuard reached out to a U.S. government regulator in order to get the exposed files secured. Following this, Nokia's Head of Information Security in Finland called UpGuard and provided the IP address of the exposed rsync server. The server was then secured and the files were no longer publicly accessible.

“Even as data exposures are endemic to digital business, this case stands out for its potential nation-level consequences. In particular, it highlights the concerns that arise when data exposures intersect with federal systems: whenever power is centralized in software, the inevitable exposure of that information gives whatever power the owner had to unknown third parties,” UpGuard researchers said in a blog.