Hey Russia, your data is leaking!

Alon Gal — Under the Breach
5 min read · Feb 7, 2020

The era of big data is upon us and it doesn’t seem like it is going away.

This is evident in governments buying location data[2]:

Large firms looking to capitalize on your information[3]:

And even shady individuals looking to buy and trade data for countless purposes.

This is all known and has been known for a while now.

I find it fascinating how, given enough information, you can solve just about any investigation.

An organization that excels in that respect is Bellingcat[1], an investigative journalism website that specializes in fact-checking and open-source intelligence (OSINT).

I’ve recently read some of Bellingcat’s investigations and found something eerily similar in their methods:

We can see what appear to be internal databases from banks and Russian government entities.

It seems that Bellingcat is using some type of Russian databases, and these databases helped solve complicated cases ranging from revealing the identities of Russian assassins to finding out how Russia issues fake passports to operatives in Ukraine.

But how do you find these databases and where are they coming from?

Well, after some digging I found these two posts by a journalist working for Bellingcat:

And:

It turns out they are using a piece of software named Cronos to work with databases downloaded from some shady Russian sites.

I didn’t know what Cronos was, but after some digging I found a user asking for help with his Cronos software (note how the UI of the software appears to be the same as the one in Bellingcat’s tweets):

After some more digging I found which “shady sites” they were referring to.

It turns out that there is a very active “underground” forum where Russian individuals trade databases with each other:

The official database trading threads on the forum have a combined 8 million views and 22,000 replies!

I looked into the content posted on the forum and was stunned to discover how deep the rabbit hole goes:

Databases ranging from the traffic police and government offices to banks, phone companies, and even cryptocurrencies!

After browsing through page after page of what looks like any nation’s greatest fear, its most sensitive data being tossed around the dark corners of the internet, I wanted to understand how it even came to be.

I went ahead and approached a prominent user on the forum. He was kind enough to reply with an answer I didn’t expect:

So basically what he is saying is that the data on the forum comes from improperly configured databases, which is typical for database leaks, but more interestingly, he claims that some of the data being shared on the forum is obtained by ex-employees who bring a USB drive to work, load it with sensitive data and then sell it.

He explains that data stolen by ex-employees comes out of organizations because low fines and a lack of data protection laws make it worthwhile for the employee to take the risk, while government databases are more of an “open source” material that is accessible to state employees.

While talking to this member I had a feeling he was underestimating the significance of the data being shared on the forum, perhaps because, as he claims, there isn’t much effort put into implementing data protection laws in Russia, and people are misguided as to what is defined as “state security”.

Looking at the database above, it indeed seems unrelated to state security, but that only depends on what you use it for. For example, if a government uses this database and finds out that an important Russian figure was hospitalized and is in fact terminally ill, it could change the entire dynamics of the political game, and I would definitely categorize that as state security!

We kept talking, and I wanted to emphasize the significance of “trivial data” by showing him an example of Bellingcat using the exact data posted on the forum to solve some of the world’s most complicated crimes:

The member agreed that there are indeed useful databases containing old information that can no longer be changed and will therefore always remain true.

He also mentioned an important aspect of these leaks: newer data can be changed.

By now Russia knows perfectly well that Bellingcat is using these databases, and Russia is especially known for its disinformation operations.

That means they could easily change pieces of data here and there to paint a false picture of how things really are, and that is kind of terrifying. The member hasn’t encountered any specific case of that sort, though.
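The practical defence against that kind of tampering is to never trust a single copy of a dump: keep the older version you already have, diff the newer one against it, and treat edits to fields that should never change (a date of birth, for instance) as suspicious. The following Python script is an added example, not code from the original post or from Bellingcat; the table layout, the field names and the rows in both dumps are constructed for illustration, and the set of “immutable” fields is an assumption you would adapt to the real schema.

```python
import csv
import hashlib
import io

# Constructed sample: two versions of the same fictional registry dump.
# Between v1 and v2, row 1002 had its date of birth altered, row 1003 moved
# to a new address (a legitimate change) and row 1004 was added.
DUMP_V1 = """id,name,dob,address
1001,Ivanov I.I.,1975-03-12,Moscow Tverskaya 7
1002,Petrov P.P.,1980-11-02,Saint Petersburg Nevsky 12
1003,Sidorov S.S.,1968-07-30,Kazan Bauman 3
"""

DUMP_V2 = """id,name,dob,address
1001,Ivanov I.I.,1975-03-12,Moscow Tverskaya 7
1002,Petrov P.P.,1981-11-02,Saint Petersburg Nevsky 12
1003,Sidorov S.S.,1968-07-30,Samara Lenina 5
1004,Kuznetsov K.K.,1990-01-15,Omsk Mira 1
"""

# Assumption: these fields cannot legitimately change for a given person, so an
# edit to one of them between dumps is a sign of manipulation or a bad merge.
IMMUTABLE_FIELDS = {"dob"}


def load_rows(text, key="id"):
    """Parse a CSV dump into a dict keyed by the record identifier."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def row_fingerprint(row, key="id"):
    """Stable SHA-256 over the non-key fields, in sorted field order."""
    canonical = "\x1f".join(f"{field}={row[field]}" for field in sorted(row) if field != key)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_dumps(old_text, new_text, key="id", immutable=IMMUTABLE_FIELDS):
    """Compare two versions of a dump and report added, removed, modified and suspicious rows.

    'modified' maps a record id to {field: (old_value, new_value)} for each
    changed field; 'suspicious' lists ids whose change touched an immutable field.
    """
    old, new = load_rows(old_text, key), load_rows(new_text, key)
    report = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": {},
        "suspicious": [],
    }
    for rid in sorted(old.keys() & new.keys()):
        if row_fingerprint(old[rid], key) == row_fingerprint(new[rid], key):
            continue  # identical content, nothing to look at
        changed = {
            field: (old[rid][field], new[rid].get(field))
            for field in old[rid]
            if old[rid][field] != new[rid].get(field)
        }
        report["modified"][rid] = changed
        if immutable & changed.keys():
            report["suspicious"].append(rid)
    return report


if __name__ == "__main__":
    result = diff_dumps(DUMP_V1, DUMP_V2)
    for rid, fields in result["modified"].items():
        flag = " <-- immutable field changed" if rid in result["suspicious"] else ""
        print(f"{rid}: {fields}{flag}")
    print("added:", result["added"], "removed:", result["removed"])
```

The fingerprint is only a convenience for skipping unchanged rows quickly; the per-field comparison is what tells you which values moved. On a real dump you would also want to keep the older version itself under a hash (or in a signed archive) so that the “known good” baseline you are diffing against cannot be swapped out from under you.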

In conclusion:

  1. Even the most trivial data can be used maliciously with enough effort, which is why our data protection laws are so important.
  2. You cannot rely on information without verifying its origin and its validity. On the bright side, while there are countless lies, there is only one truth!

I’d like to thank In4security for answering my questions. He has a Telegram channel (https://t.me/in4security) where he covers the world of information security in Russian; you can still use it with Google Translate and understand most of it.

If you liked this article please retweet/share it; if I see enough people enjoy my articles I will continue writing them!

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References:

1- https://www.bellingcat.com/

2- https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600

3- https://www.theatlantic.com/technology/archive/2019/07/amazon-pays-users-access-browser-data/594199/
