By Aaron Kesel
The international whistleblower coalition WikiLeaks who have had their sights on the CIA, pivoted their focus to Russia’s own surveillance, offering a look at technical details of how Moscow spies on its citizens’ mobile data online.
— WikiLeaks (@wikileaks) September 19, 2017
The 35 documents in the WikiLeaks “Spy Files Russia” dump pertain to a St. Petersburg-based company called Peter-Service, a software and technology vendor that contracts on Russian government surveillance projects dated between 2007 and 2015. Several of the documents describe how Peter-Service participates in Russia’s digital surveillance operation known as System for Operative Investigative Activities (SORM).
“A lot of people try to uncover things about SORM,” Andrei Soldatov, a Russian journalist told Wired. “So any new technicalities are good. There is some surveillance equipment which is installed on the premises of telecoms and ISPs, which is pretty well described because it’s produced by commercial companies. We know pretty much all about those things. What is a big mystery is what’s going on on the end of the FSB, not just in Moscow, but in every Russian town, because every local branch of the FSB has this equipment and is connected to the local ISPs.”
This latest release comes after countless baseless claims made by public figures and the mainstream media that WikiLeaks and its founder Julian Assange are influenced or controlled by the Russian government, as the organization has put a lot of focus on exposing U.S. secrets.
The alleged leak shows that Peter-Service is installing software infrastructure all over Russia, thanks to governmental approval, which allows Russian state agencies to spy on its citizens’ online and mobile activity.
PETER-SERVICE is uniquely placed as a surveillance partner due to the remarkable visibility their products provide into the data of Russian subscribers of mobile operators, which expose to PETER-SERVICE valuable metadata, including phone and message records, device identifiers (IMEI, MAC addresses), network identifiers (IP addresses), cell tower information and much more. This enriched and aggregated metadata is of course of interest to Russian authorities, whose access became a core component of the system architecture.
Former NSA Whistleblower Edward Snowden who is living in Russia and has previously criticized Russia for its own spying on citizens chimed in tweeting, “Plot twist:
@Wikileaks publishes details on Russia’s increasingly oppressive internet surveillance industry.”
— Edward Snowden (@Snowden) September 19, 2017
“PETER-SERVICE claims to already have access to a majority of all phone call records as well as Internet traffic in Russia,” WikiLeaks wrote. One document revealed that the company has access to specific information about your phone and your online payments if you live in Russia.
Under Russian law service operators must maintain a Data Retention System (DRS) that requires them to store data for up to three years.
“The Peter-Service DRS system allows Russian state agencies to query the database of all stored data to search for information such as calls made by a certain telephone company customer, the payment systems used, the cell that served the specific mobile. The manuals published by WikiLeaks contain the images of the interfaces that allow agents to search within this huge trove of data, so access is simple and intuitive,” wrote Stefania Maurizi, on the Italian media outlet La Repubblica.
According to WikiLeaks, Peter-Service’s DRS solution can handle 500,000,000 connections per day in just one cluster, the system has high performance, and the claimed average search time for subscriber related-records from a single day is ten seconds.
“The data retention system is a mandatory component for operators by law; it stores all communication (meta-)data locally for three years. State intelligence authorities use the Protocol 538 adapter built into the DRS to access stored information,” continues Wikileaks.
One of the systems in place covered in the WikiLeaks dump was referred to as Traffic Data Mart, “records and monitors” IP traffic for all cell phones registered with the company.
The TDM maintains a list of categorized domain names — “which cover all areas of interest for the state. These categories include blacklisted sites, criminal sites, blogs, webmail, weapons, botnet, narcotics, betting, aggression, racism, terrorism and many more”.
“Based on the collected information the system allows the creation of reports for subscriber devices (identified by IMEI/TAC, brand, model) for a specified time range: Top categories by volume, top sites by volume, top sites by time spent, protocol usage (browsing, mail, telephony, bittorrent) and traffic/time distribution.”
Wikileaks adds that “the national providers are aggregating Internet traffic in their infrastructure and are redirecting/duplicating the full stream to DPI*GRID units. The units inspect and analyse traffic (the presentation does not describe that process in much detail); the resulting metadata and extracted information are collected in a database for further investigation. A similar, yet smaller solution called MDH/DRS is available for regional providers who send aggregated IP traffic via a 10Gb/s connection to MDH for processing.”
WikiLeaks also notes that the presentation was written “just a few months after Edward Snowden disclosed the NSA mass surveillance program and its cooperation with private U.S. IT-corporations such as Google and Facebook.”
“Drawing specifically on the NSA Prism program, the presentation offers law enforcement, intelligence, and other interested parties, to join an alliance in order to establish equivalent data-mining operations in Russia,” The group adds.
It’s important to note that the WikiLeaks documents don’t actually make any reference to Russia’s spy agency, the FSB, instead they only make the attribution to “state agencies.”
The detailed documents show a similar state-funded mass surveillance program to the ones utilized by the U.S.’s NSA and by GCHQ in the U.K.