Hacking Group Claims to Have Uncovered Massive Russian Domestic Spying Program

A hacking group has dumped of 128 gigabytes of documents it says are from Convex, a Russian internet service provider, and claimed they reveal the Kremlin is engaged in an extensive domestic monitoring operation of citizens and private corporations in the country.

“They are actively transmitting data to Moscow. It’s not just preemptive tapping,” claimed one hacker with knowledge of this specific dump when speaking to Kyiv Post, adding that this “is illegal, as under Russian law, as a search warrant must be issued before surveillance can be done.”

In an email sent to Kyiv Post, the hacker collective taking credit for the document dump, CAXXII, stated that the “existence of a project called ‘Green Atom,’ is perhaps the most amazing discovery.”

“‘Green Atom’ (TS ORM fsb) refers to the installation and maintenance of wide-ranging surveillance equipment that is used to monitor the online activity of all traffic in and out of Convex.

“This can be classified as espionage, unauthorized wiretapping, and surveillance of civilians without a warrant, which circumvents the laws of the Russian Federation and all public statements of the Russian authorities.

“Documents confirming the existence of this project, as well as the correspondence of Convex employees with the FSB, are now available not only to us, but also to you.”

Other Topics of Interest

Germany Arrests Two Over Military Base Attack Plot for Russia, Aimed at Undermining Support for Ukraine

The main accused, Dieter S., is alleged to have scouted potential targets for attacks, "including facilities of the US armed forces" stationed in Germany.

The group claims the alleged secret eavesdropping operation is operated by the country’s Federal Security Service (FSB). Its existence had not been known before today’s release of information.

The data dump also released the information of thousands of Russian citizens who were clients of the Russian corporations whose data was released.

A technology expert consulted by Kyiv Post for this article indicated that the data released could make the hundreds of companies and government offices, whose data has now been put on the internet, susceptible to being further hacked by other outside hackers not affiliated with the CAXXII collective.

Russia is known to domestically spy on its citizens using a network called System for Operative Investigative Activities (known as SORM, per its Russian acronym). The system, first established in the 1990s, has been upgraded many times and operates as a large “back door” for the government to snoop on telecommunications, which is permitted under Russian legislation. However, automatically capturing all data passing through the internet is not allowed according to Russian law.

“We found that they were mirroring all of the traffic for every company,” the hacker told Kyiv Post, claiming that Green Atom gives Russian intelligence carte blanche to “record phone calls, transmit any data that passes through the servers, etc.,” including the ability to “track credit card transactions, emails,” and “monitor social media.”

The hacker hinted that there was perhaps more information, not yet released, which may relate to the Russian intelligence services’ intelligence gathering capabilities.

The email sent to Kyiv Post continues: “Snowden showed the world NSA espionage. We will show the world the operation of the FSB ‘SORM.’ The whole world will see the FSB spying on companies and receiving copies of their data by Moscow in real time.”

Included in the email were 23 photos of documents, allegedly detailing engineering blueprints for Russian intelligence gathering, including SORM, and even a letter purporting to be the FSB document ordering the surveillance. 

The letter purporting to be the FSB document ordering the surveillance. 

The extent of the alleged eavesdropping is reminiscent of that conducted by the U.S. and discovered by former U.S. National Security Agency (NSA) operative Edward Snowden in 2013.

The hacker told Kyiv Post: “Snowden had cause for concern with domestic spying, but our government (Russia) has taken this to a whole new level and they’ve got everyone fooled.”

Snowden’s revelations led to his flight from the U.S. and relocation to Russia where he has described himself as being a fighter for individual liberty from the American governments’ domestic spying.

When Snowden first arrived in Moscow, Russian President Vladimir Putin gave the fugitive American the status of being a political asylee.

The Russian leader was quoted as saying publicly to Snowden, “We can talk as professionals: We have extremely strict rules [in Russia] about the use of special equipment and methods by the secret services – listening into conversations, intercepting internet communications… It requires a court’s permission for us to monitor individuals, so there is no mass monitoring, and the law would not permit it.”

At the time of Snowden’s initial leak, Russian press took advantage of the Snowden files to argue that Russia was freer and more respectful of its citizens’ privacy and rights than the United States.

The hacker involved in this dump said that what they have uncovered proves Putin’s earlier statements to be “totally false.” The hacker claimed the Russian government was “mirroring traffic directly from every switch in most of the largest regions.”

They added: “It went so far as to complete data servers just to be able to clone terabytes worth of live traffic – transmitting it live to Moscow.”

The hacker collective taking credit for the hack, known simply by the letters CAXXII, has for months been posting videos on Telegram of their hacking of Russian IPTV stations across the country. The modus operandi of the group is to hack into the IPTV network before replacing regular, pro-government television content with anti-Putin and pro-opposition videos.

A search from the videos online was unable to trace them, which is to be expected when content is an original production.

Nothing is known of the collective’s membership other than that they are not the same as the earlier reported Russian National Republican Army (NRA). However, it is not clear whether members of CAXXII could be members, or are former members, of the NRA. Aside from wishing to do harm to the Putin Government, neither the email nor hacker indicated what the political objectives of the hacking collective are.

Russian hacker groups have grown in their activities since the launch of Putin’s full-scale invasion of Ukraine, which has led to hundreds of thousands of Russian young men being drafted for military service or being forced to flee Russia to avoid the draft. Earlier hackers have specifically stated that opposition to their own mobilization was what had inspired them to take cyber-action against their own government.

The email that Kyiv Post received indicated that many Russian citizens’ information had also been leaked in the gigabytes of data, including “addresses, personal contacts, MySQL and FTP passwords, bank accounts, passports, locations of companies’ network equipment, employee passwords, IP addresses of internal assets of a wide range of companies, both civilian and state supporters of the Putin regime... The list is endless.”