Fuxnet: Disabling Russia's Industrial Sensor And Monitoring Infrastructure
This report seems to detail an operation to disable Russia’s industrial sensor and monitoring infrastructure at www.moscollector.ru.
MOSCOLLECTOR TAKEDOWN - 9th of April 2024
---------------------------------------------------------------

Russia's Industrial Sensor and Monitoring Infrastructure has been disabled: [moscollector.ru](https://www.moscollector.ru/)

Hacked data is available at [https://ruexfil.com/mos](https://ruexfil.com/mos/)

It includes Russia's Network Operation Center (NOC) to monitor and control Gas, Water, Fire alarm and many others, including a vast network of remote sensors and IoT controllers. A total of 87,000 sensors have been disabled.

Milestones:

- Initial access June 2023.
- Access to [112 Emergency Service](https://ruexfil.com/mos/takedown/112-emergency-service.png).
- 87,000 [sensors](https://ruexfil.com/mos/takedown/sensors) and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- [Fuxnet](https://ruexfil.com/mos/takedown/fuxnet/) (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and introducing bad CRC into the firmware).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, ... and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including the admins' workstations) have been [deleted](https://ruexfil.com/mos/takedown/).
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been [certified by the FSB](https://ruexfil.com/mos/takedown/FSB/fsb-certifies-mos.jpg) for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The media pack, screenshots and videos are available here: [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/) ([.onion](http://cnqdc7cn4y5t6l5mxmyhwrp6wbneialihcdidc6a6ctdcrhktzmdbiqd.onion/))

It contains:

- GPS coordinates of all 87,000 sensors
- Database of their internal and [secure Messaging](https://ruexfil.com/mos/takedown/dumps/) Platform (Dialog; used by Moscollector employees).
- Screenshots of the Network Operation Centre
- Screenshots of servers, routers, databases, ...
- Screenshots of maps, blueprints of buildings, ... etc etc
- Screenshots accessing their domain registrar
- Screenshots of FuxNet source code and mode of operation
- Video of FuxNet deploying and disabling the sensors

The Op was conducted by BlackJack.

--- After takedown report

- About 1,700 sensor routers were destroyed. The central command-dispatcher and database have been destroyed. => All 87,000 [sensors are offline](https://ruexfil.com/mos/takedown/fuxnet/)
- Key-cards to enter the office and server rooms have been invalidated
- All databases have been [wiped](https://ruexfil.com/mos/takedown/).
- All mail has been [wiped](https://ruexfil.com/mos/takedown/).
- A total of 30TB of data has been wiped, including the backup drives.
- Zabbix and other internal staging and monitoring servers have been wiped.
- All admin workstations and most user workstations have been wiped.
- Exhausted the corporate credit card.
- Took control of their [domain](https://ruexfil.com/mos/takedown/domain/we-now-own-their-domain.png) "moscollector.ru".
  => Our server stats: [WEB Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-traffic.png), [Email Traffic](https://ruexfil.com/mos/takedown/domain/domain-stolen-emails.png)
- Took down their [Firewall](https://ruexfil.com/mos/takedown/takedown_firewall.png) and disabled their Internet.
- Webpage has been defaced: https://web.archive.org/web/20240409020908/https://moscollector.ru/
- Took over their Facebook: [Blackjack Was Here](https://ruexfil.com/mos/takedown/facebook_blackjack-was-here.png), [Slava Ukraini](https://ruexfil.com/mos/takedown/facebook_ukraine.png)
- Disabled 566 of their [SIM cards](https://ruexfil.com/mos/takedown/phone-sims-disabled.png) / [phones](https://ruexfil.com/mos/takedown/phone-sims-disabled2.png).
- Data published at [https://ruexfil.com/mos/takedown](https://ruexfil.com/mos/takedown/).

Sent with [Proton Mail](https://proton.me/) secure email.