Will the real covert comms officer please stand up

A few weeks back, the Security Service of Ukraine (SBU)
released photos of “hacking” equipment seen in this composite.

Images: Security Service of Ukraine.

Since then, they have made a number of other arrests and seized similar gear.

They arrested the user and described him as a “hacker who provided mobile communication to the occupiers in Ukraine.”

Our assessment is that this arrest is quite different from the others. Our analysis is that his role was much more likely to be that of a covert communications operator, probably employed by the GRU – think the Nicky Parsons character played by Julia Stiles in The Bourne Identity. We’re certain he’s not as attractive as she is, but he seems to share her soft hands based on the photo below (LOL). Nice bracelets, too.

A few sites have described the units in his arrest as “SIM boxes.” While that is “sort of” what they are, the primary unit is much more interesting, and we’ll go into it in detail below.

First, some background – SIM boxes go back a couple of decades. Most people think they are cell towers, aka base transceiver stations (BTS). They are not.

Think of a rack of cell phones, each one acting like your crazy ex – literally – sending you thousands of text messages and stealing your money.

SIM boxes were most commonly used to send out SMS spam and to commit fraud against mobile network operators (MNOs and MVNOs) via a number of different methods. They are basically computer-linked cellular modems attached to some very simple software. Some of these units are so simple they’re controlled by Arduino units, because they’re just endlessly sending spam. We’ll skip all the different ways they can be used for fraud, but note that this is a common source of cash for crime syndicates. Something something money laundering and cash outs…

“Standard” SIM boxes are definitely what have been found in the other arrests. It’s also clear, based both on what has been seized and from statements from the SBU, that the other “hacker” arrests were just pushing out SMS spam. The dead giveaway is stacks and stacks of SIM cards, still in their plastic credit card-sized carriers.

Basically, you drop the entire card into the unit (below) and “burn it down.” You send SMS messages either until you have used all the value of the card or until the SIM is locked out of the mobile network because it’s been sending SMS spam. You then toss the credit-card SIM carrier, drop in a new one, and repeat the process. You don’t have to waste time breaking the SIM out of the plastic carrier and carefully loading it into a unit. It’s a simple batch process.

The units below are set up quite “professionally,” with each unit of 64 cellular modems in its own drawer. This operation had over 500 modems in operation, which is definitely one of the larger seizures we’ve seen. It speaks to the fact that they probably intended to push out a very large number of SMS messages in a short time period.

Most mobile network operators have systems in place to look for such activity and shut it down. Our assessment is that this operation was intended to be used once, burning all its cards down and knowing they were going to be detected and seized. Maybe they assumed they’d be forgiven by Putin’s new puppet government, but so far that hasn’t happened anywhere except a few cities that have replaced local governments in Ukraine’s Eastern region. The SBU reports that they arrested seven such operations.
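To make the “systems in place to look for such activity” concrete, here is an added example (our illustration, not SBU material or any operator’s actual fraud-detection code) of the kind of heuristics an MNO can run over call-detail records to spot a burn-down SIM box. It flags SIMs that blast SMS to many distinct recipients and get essentially nothing back, modem slots (IMEIs) that are fed one SIM after another, and SIMs that hop between IMEIs, which also bears on the IMEI-spoofing point made later in the post. The CDR format, the thresholds and every IMSI, IMEI and number below are constructed for illustration; real thresholds would be far higher than the ones tuned to this tiny sample.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed CDR extract (no real subscriber data). Columns: IMSI of the SIM,
# IMEI of the modem it was seen in, direction, event type, peer number, cell, time.
SAMPLE_CDRS = """\
imsi,imei,direction,type,peer,cell,ts
901000000000001,350000000000001,out,sms,+380501000001,CELL-A,2022-03-01T10:00:01
901000000000001,350000000000001,out,sms,+380501000002,CELL-A,2022-03-01T10:00:02
901000000000001,350000000000001,out,sms,+380501000003,CELL-A,2022-03-01T10:00:03
901000000000001,350000000000001,out,sms,+380501000004,CELL-A,2022-03-01T10:00:04
901000000000001,350000000000001,out,sms,+380501000005,CELL-A,2022-03-01T10:00:05
901000000000002,350000000000001,out,sms,+380501000006,CELL-A,2022-03-01T10:30:01
901000000000002,350000000000001,out,sms,+380501000007,CELL-A,2022-03-01T10:30:02
901000000000002,350000000000001,out,sms,+380501000008,CELL-A,2022-03-01T10:30:03
901000000000002,350000000000001,out,sms,+380501000009,CELL-A,2022-03-01T10:30:04
901000000000002,350000000000001,out,sms,+380501000010,CELL-A,2022-03-01T10:30:05
901000000000003,350000000000001,out,sms,+380501000011,CELL-A,2022-03-01T11:00:01
901000000000003,350000000000002,out,sms,+380501000012,CELL-A,2022-03-01T11:00:02
901000000000009,350000000000009,out,call,+380502000001,CELL-B,2022-03-01T09:00:00
901000000000009,350000000000009,in,sms,+380502000002,CELL-B,2022-03-01T09:05:00
901000000000009,350000000000009,out,sms,+380502000002,CELL-B,2022-03-01T09:06:00
901000000000009,350000000000009,in,call,+380502000001,CELL-B,2022-03-01T12:00:00
"""


def parse_cdrs(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def burn_down_sims(records, min_distinct_peers=5, max_reply_ratio=0.1):
    """IMSIs that send SMS to many distinct recipients and receive almost nothing.

    A normal subscriber's traffic is two-way; a burn-down SIM is fire-and-forget.
    Returns {imsi: number of distinct recipients}. Thresholds are illustrative.
    """
    out_peers = defaultdict(set)
    inbound = defaultdict(int)
    for r in records:
        if r["direction"] == "out" and r["type"] == "sms":
            out_peers[r["imsi"]].add(r["peer"])
        elif r["direction"] == "in":
            inbound[r["imsi"]] += 1
    flagged = {}
    for imsi, peers in out_peers.items():
        if len(peers) >= min_distinct_peers and inbound[imsi] / len(peers) <= max_reply_ratio:
            flagged[imsi] = len(peers)
    return flagged


def shared_imeis(records, min_imsis=3):
    """IMEIs seen with many different IMSIs: a modem slot being fed SIM after SIM."""
    imsis_per_imei = defaultdict(set)
    for r in records:
        imsis_per_imei[r["imei"]].add(r["imsi"])
    return {imei: sorted(s) for imei, s in imsis_per_imei.items() if len(s) >= min_imsis}


def imei_churn(records, min_imeis=2):
    """IMSIs that show up under more than one IMEI: SIM moved between modems,
    or the equipment identity being rewritten underneath a single SIM."""
    imeis_per_imsi = defaultdict(set)
    for r in records:
        imeis_per_imsi[r["imsi"]].add(r["imei"])
    return {imsi: sorted(s) for imsi, s in imeis_per_imsi.items() if len(s) >= min_imeis}


def detect_sim_box(text):
    """Run all three heuristics over a CDR extract and return the findings."""
    records = parse_cdrs(text)
    return {
        "burn_down": burn_down_sims(records),
        "shared_imei": shared_imeis(records),
        "imei_churn": imei_churn(records),
    }


if __name__ == "__main__":
    for name, hits in detect_sim_box(SAMPLE_CDRS).items():
        print(name, hits)
```

In the sample, the two SIMs in slot 350000000000001 that each fired five one-way SMS are flagged, that slot is flagged for having cycled through three SIMs, and the third SIM is flagged for appearing under two IMEIs; the ordinary two-way subscriber on CELL-B trips nothing. A production version would add time windows, per-cell concentration (all 64 modems in a drawer camp on the same cell) and the operator's own SMS rate limits.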

BUT one of these is not like the others. The first arrest used completely different gear from the “standard” SIM boxes above.

The interesting unit is the gray box in the center of the photo below. That’s a SIM virtualization unit. They are not common in the United States and not really an item known to US law enforcement (more on that and some of our past work later).

When SIM virtualization units are encountered, it’s usually assumed that they’re just being used for fraud, which was their original purpose. They can MINT money in the right hands – literally millions of dollars a day, but that was back when 2G was much more common. It’s still possible now, but with more modern units, AND it now requires an inside compromise from within the mobile network operator.

We don’t think that’s what was going on here. We think this operation had a much more insidious use – running comms for covert agents and assassins – things Russia is known for.

Now, before you go telling us we’ve watched the Bourne series one too many times, we’re just going to drop this page and wait for you to scroll all the way to the bottom counting the number of names: List of Soviet and Russian assassinations.

Get the idea? Now, back to our analysis.

Humans are very social creatures, and we all operate in groups. That includes most “bad guys.” Even “lone wolves” typically interact with others to obtain training and supplies, so virtually all nation states track them via social graph analysis.

This was all over the news as a result of Edward Snowden’s leaks. Within those leaks, people may remember discussion of “call-chain analysis.” There’s a bunch of systems that do that around the world, but basically you’re looking at telephone records to link people into chains via social graph analysis. If you want to geek out on this topic, there’s a fantastic blog post of the system here: Section 215 bulk telephone records and the MAINWAY database.
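Since call-chain analysis is the technique the rest of the post turns on, here is an added example of the basic mechanic (our illustration, not the MAINWAY system, the SBU’s tooling, or anything from the linked post): build a contact graph from call records, then walk it a bounded number of hops out from a seed identifier, and recover the shortest chain linking two identifiers. The call records and numbers are constructed; the hop limit is a parameter, since how far out an analyst may query is a policy decision, not a property of the graph.

```python
from collections import defaultdict, deque

# Constructed call records as (caller, callee) pairs; not real numbers.
SAMPLE_CALLS = [
    ("+380501000001", "+380501000002"),
    ("+380501000002", "+380501000003"),
    ("+380501000003", "+380501000004"),
    ("+380501000002", "+380501000005"),
    ("+380501000005", "+380501000006"),
    ("+380501000001", "+380501000002"),  # repeat call, raises the edge weight
    ("+380501000007", "+380501000008"),  # unrelated pair, never reached from the seed
]


def build_contact_graph(calls):
    """Undirected weighted graph: graph[a][b] = number of calls between a and b."""
    graph = defaultdict(lambda: defaultdict(int))
    for a, b in calls:
        graph[a][b] += 1
        graph[b][a] += 1
    return graph


def contact_chain(graph, seed, max_hops=2):
    """Hop-limited breadth-first walk from seed.

    Returns {identifier: hop distance} for every identifier within max_hops
    (the seed itself at distance 0). This is the "who is N hops from X" query.
    """
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def chain_path(graph, src, dst):
    """Shortest call chain linking src to dst, or None if they are unconnected."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g = build_contact_graph(SAMPLE_CALLS)
    print(contact_chain(g, "+380501000001", max_hops=2))
    print(chain_path(g, "+380501000001", "+380501000006"))
```

From the seed +380501000001, two hops reach +380501000002 (hop 1) and +380501000003 and +380501000005 (hop 2), while +380501000004 and +380501000006 sit at three hops and are outside the query. The point the post makes is that this only works when the identifiers are stable: the whole value of the graph comes from the same IMSI or number showing up on both ends of many records.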

That brings us back to the SIM virtualization unit. We note that it has been carefully populated randomly with SIMs, and we think this speaks to what it was being used for. Unlike the other arrests which featured stacks and stacks of identical SIMs, this unit was clearly loaded with different types of SIMs from different MNOs and MVNOs.

With the right software, this device can defeat call-chain analysis for a group of key users. It’s a math problem, and we’re not going to get into that here, because we really don’t want to aid anyone in how to configure one of these to avoid law enforcement. We can’t say absolutely that’s what this unit was for, but based on what we know about their operation, and the press release from the SBU, that is an almost certainty.

Think of it as the ultimate burner-phone switchboard.

It looks like they populated about half of it (half is 64 and we count 53, so their math is off). They did a good job. The variable color of the SIMs means they’re cutouts from various MNOs/MVNOs, so likely not traceable to a single purchaser, etc.

The other reason this particular hardware unit is helpful in such an operation is that – because of its SMS spam origin – it has IMEI forgery and spoofing as core capabilities. Again, “with the right software” this unit can match virtual cell-phone avatars with specific communication paths. This is a critical ability for breaking call-chain analysis. Having each SIM and IMEI virtually in software means that you can do some sophisticated spoofing and other tricks.

Worth noting is that this is relatively old gear. We own one of these and purchased it at least 4 years ago. Most are Chinese-made with lots of variations in size and capability. They are insecure as all hell unless you know what you’re doing. We also developed techniques to detect and counter such a system, so if anyone thinks we’re giving away the farm here, we’re not.

And that's where things get fun for us. The author of this article has briefed DHS and a closed-door security conference in Europe – whose attendees included law enforcement, cybersecurity professionals including financial-services security, researchers and academia – on the EXACT gear in the photos.

The title of the briefing was “Open-Source Signals Intelligence: Origins and Future” and included gear that, if encountered by law enforcement, should be immediately seized because there is no legal use for it. The briefing included “Recommendations & Counter-Measures.”

Text from the SBU press release:

“The SBU detained a hacker who provided mobile communication to the occupiers in Ukraine

With this collaborator, the enemy:

▪️ anonymously made phone calls from the Russian Federation to mobile phones of invaders in Ukraine;

▪️ sent SMS to Ukrainian security forces and civil servants with proposals to surrender and defect to the side of the occupiers;

▪️ transmitted commands and instructions to advanced groups of Russian invaders.

As the SBU established, up to a thousand calls passed in one day because of this hacker. Currently, the collaborator has been detained, and all equipment has been seized from him. The attacker has been notified of suspicion.”

Now, remember that scene in The Bourne Identity and what Nicky was specifically tasked with? Her most crucial act when the SHTF?

By capturing this gear, the SBU would have instantly been able to reconstruct the call-chain analysis this system was blocking. It’s likely that they would also learn from it not just the IMSI of the agents’ phones, but also their IMEI.

Gosh, I wonder why the SBU has been dumping so many call intercepts into social media?

It’s a mystery.

FIN
