Russian Federal Security Service (FSB) contractor SyTech lost documents in a cyber breach. One of the exposed secret Russian projects, dubbed Knockout, is targeting Western media in the US, Great Britain, Germany, France, and other countries. Knockout maps mass media IT infrastructure, extracts media metadata and collects their vulnerabilities.
SyTech/FSB breach materials were exposed in July 2019 and were widely discussed in cybersecurity circles. SyTech is connected to the Research and Development Institute Kvant – another entity controlled by FSB (APT 29) hackers. Kvant was previously profiled by Wapack Labs as it was buying Hacking Team exploits for the FSB. Several leaked SyTech secret projects were being studied thanks to the breach. Some concerning spying on Russian opposition in emails, social media, TOR and trying to isolate the Russian Internet. In this report, we concentrate on another notable SyTech project called Knockout-S (Knockout, in Russian: “Нокаут-С”) that targets Western mass media.
On 22 July 2019, several files describing Russian secret project Knockout were leaked by Digital Revolution hackers. It was in a sample of a larger SyTech breach by 0V1ru$ hackers. These Knockout files are sometimes in incomplete draft form and not all the documentation is made available. At the same time, they show several stages of the Knockout development, such as: planning, financing the project, initial findings, and targeting.
Geographically two main regions targeted by The Knockout, according to the leaked documents, are Europe and Northern America. Specifically, in Europe, they target mass media in Germany, Great Britain, and France. In North America, they specifically looked into mass media in the US, but Canada was additionally on their list of possible targets.
There were five categories of the US mass media that The Knockout project looked into:
- Major New TV channels: Fox News, CNN, and MSNBC (Figure 2).
Figure 2. Knockout gathers audience data for Fox News, CNN, MSNBC to choose worthy targets.
- TV broadcasters with local presence such as ABC, CBS, NBC.
- News agency: Associated Press.
- European branches of the US media with international footprint such as CNN International.
- Top 20 popular new sites such as Yahoo News, Google News, NYT, Washington Post, etc.
Note that the available Knockout documents are neither final or complete, so the real use targeting may include other countries and media entities.
Overall, Knockout documents set the following goal: “Results of gathering and classification of the main modern methods of the preparation, editing, storing, and broadcasting of the multimedia content by the TV Operators and Electronic Mass Media” (the Russian text uses the abbreviation OTESMI).
We can divide the Knockout objectives into three groups:
- Generally speaking, the project looks into gathering and documenting information about Internet-technologies used by various TV Operators and Electronic Mass Media. They gather information about web-services, cloud technologies, virtual networks, file-sharing networks, etc.
- Vulnerability database, analysis for the vulnerability database. According to the Knockout plan, every vulnerability is being exported as a separate Mediawiki page describing the list of vulnerable hardware or software.
When analyzing a mass media, some of the items the hackers document are information to include server types (Win32, Linux, FreeBSD), databases (Oracle Database, Microsoft SQL Server, other), client (thin/Win32-/Java-), information protection such as system access control on OS and database level, adjusted access control, LDAP (Microsoft Active Directory) integration, packet loss prevention tools; search functions (AND, OR, NOT, “*”, “?”, and other).
- Extracting metadata from multimedia content. They analyze and plan to use the functionality of ExifTool and Metadata Anonymisation Toolkit. They are interested in four major metadata types: Tools/owner, Change history, Geolocation, and Nationality. (See Appendix A for a Knockout review of the metadata extraction).
Review of the Knockout financial documents, presentations, plans, and reports indicate an intelligence focus. The nature of the data that is being collected (such as vulnerabilities) and the name “Knockout” itself, suggest that Russia is stockpiling data on Western media with one of the objectives of knocking Western mass media out or to influence and manipulate the flow of information in some other way. Metadata extraction reinforces Knockout advantage over the media and may expose some additional data such as sources of information, and undercover journalist identities.
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Appendix A. Notes for Knockout Review of the Metadata Extraction.
A Knockout draft document, timestamped with “12.03.2018”, provides details when researching media types of interest and how to extract metadata from those organizations. Nine formats for multimedia content are specifically listed:
1) QuickTime (MOV);
3) Matroska (MKV);
4) MP4 (MPEG/MPG);
Three main metadata formats:
- Exchangeable Image File Format (EXIF);
- IPTC Photo Metadata Standard (photo);
- Adobe’s Extensible Metadata Platform (XMP).
Information in XMP format may be included in various image formats (JPG, JP2, TIFF, GIF, EPS, PDF, PSD, IND, INX, PNG, DJVU, SVG, PGF, MIFF, XCF, CRW, DNG, various TIFF-based images), video (MOV, AVI, ASF, WMV, FLV, SWF and MP4, and WMA) and audio formats with ID3v2 support.
Report Date: 08212019
Country: RU, US, GE, GB, FR, CA
Industries: Political, Media
Prepared by: Yury Polozov
https://files.slack.com/files-pri/T71KHUTDM-F8J76QHM0/download/hacking_team_russian_connections_final_30_nov_15.pdf Wapack Labs Priority Intelligence Report, 30 November 2015.
See 2.3.6. in the document marked with v.5.3_201700324.