In March 2020, a Russian hacktivist group published a dozen documents showing that the Russian Federal Security Service was seeking technology to create an Internet of Things botnet capable of temporarily disabling the internet in entire countries.
A flurry of news stories covered the documents that the hacking group calling itself “Digital Revolution” released, which exposed a project known as “Fronton” that was an alleged tool for carrying out massive distributed denial-of-service (DDoS) attacks that flood targeted networks or computers with phony traffic to render them inaccessible.
But DDoS was actually just one of several functions of the tool, researchers with cyber intelligence firm Nisos said in an analysis published Thursday, noting that the tool also allowed for “coordinated inauthentic behavior on a massive scale” through an online dashboard called SANA that enabled users “to formulate and deploy social media events en masse.”
A live instance of the SANA application appears to still be online, the researchers said, hosted by 0day technologies, one of the original developers involved in the project. The instance is possibly a testing or demo site, and is likely not in use by the Federal Security Service (FSB), they note.
The researchers revisited the Fronton matter amid newly identified associations between 0day technologies — also known as 0Dt — and Pavel Sitnikov, an outspoken Russian hacker who’d claimed ties with the APT28 Russian military intelligence hacking group. Sitnikov was arrested in 2021 by Russian authorities who accused him of distributing malware via Telegram.
It’s not clear whether the tool was ever used, either by the FSB or others. A text file analyzed by the Nisos researchers called “squirrel negative” included negative phrases criticizing the July 2018 installation of a large wooden squirrel in Kazakhstan financed with public funds. Negative social media comments about the squirrel appeared in a BBC article, but it’s not clear whether those comments were Russian disinformation, the researchers noted.
More broadly, there have been numerous examples of coordinated inauthentic behavior operations (that is, fake or misleading ones) in Russia, the U.S. and other countries over the years, posting messages on everything from the 2016 presidential elections to discord around the COVID-19 vaccine to Russia’s ongoing war on Ukraine.
The researchers analyzed SANA based on a tranche of documents, images and a video that was released the day after the initial stories broke but received far less attention. Part of the subsequent release showed that Fronton was developed as part of a research project dating to 2017 related to social media and “spreading manipulative models in information spaces” or “a controlled method of information dissemination to a target audience,” the researchers note.
Fronton, they say, was actually the backend infrastructure of a social media disinformation platform, where DDoS was not the primary purpose. The design of the system, the researchers concluded after reviewing the documents, was intended to “coordinate inauthentic behavior and propagate disinformation at a global scale.”
The system had a variety of capabilities: the bulk management of bot accounts; using behavior models to allow bots to be indistinguishable from normal users; creating and managing dictionaries to store quotes and comments for social media responses as positive, negative or neutral; and albums of photo sets for bot accounts.
The system also allowed a user to create “newsbreaks,” which are methods of creating attention and buzz around a topic of interest by posting topical “news” and commentary via press releases or other statements to various websites. The SANA system would then allow the control of inauthentic reaction to that material.
One of the files showed snippets of text expressing support for the Nur Otan political party in Kazakhstan, the ruling party in that country since 1999.
The researchers noted that the contractor, 0day technologies, has also developed lawful intercept technologies within Russia, and has other connections with the FSB. The research identified Sitnikov as a company employee.