rosgosstrakh hack

main
maia arson crimew 2023-10-27 03:45:14 +02:00
parent 8f33c6af2e
commit 6d1b0740d9
20 changed files with 103 additions and 6 deletions

@ -5,14 +5,11 @@
"tags": [
"nyancrimew",
"maia arson crimew",
"android",
"switzerland",
"hacktivism",
"lucerne",
"developer",
"hacktivism"
"developer"
],
"twitter": "@maiaarson",
"twitter": "@awawawhoami",
"name": "maia arson crimew",
"pronouns": "it/she",
"language": "en",
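Review bot: the rendered hunk has lost its +/- markers, so the resulting JSON needs checking by eye: `"hacktivism"` and `"developer"` both appear without a trailing comma immediately before `],`, and two `"twitter"` keys (`@maiaarson` and `@awawawhoami`) are shown. Only one line of each pair can survive for the file to parse, and a duplicate `"twitter"` key would silently resolve to whichever value the parser keeps last; confirm the committed file has a single `"twitter": "@awawawhoami"` and a comma between every array element.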

@ -67,13 +67,54 @@ footer,
}
#content {
max-width: 900px;
max-width: 1000px;
margin-left: auto;
margin-right: auto;
padding-top: 2em;
padding-bottom: 2em;
}
table {
display: block;
overflow-x: auto;
border-collapse: collapse;
white-space: nowrap;
border: none;
th, td {
border: 1px solid;
padding-top: 4px;
padding-bottom: 4px;
padding-left: 6px;
padding-right: 6px;
text-align: center;
}
th, tr td:first-child {
border: 1.5px solid;
background-color: $semi-bg;
font-weight: bold;
}
th {
border-top: none;
}
tr {
th, td:first-child {
border-left: none;
}
td, th:last-child {
border-right: none;
}
}
tr:last-child td {
border-bottom: none;
}
}
.byline {
font-size: 0.75rem;
}
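Review bot: the nested `tr { td, th:last-child { border-right: none; } }` rule removes the right border from every `td`, not only the last cell in the row, because the comma makes `td` a selector of its own; likewise `th, td:first-child { border-left: none; }` strips the left border from every `th`. If only the outer edge of the table should lose its border, write `td:last-child, th:last-child` and `th:first-child, td:first-child`. The `display: block` plus `overflow-x: auto` plus `white-space: nowrap` combination is the usual way to make the wide tables in the new post scroll horizontally, so that part reads as intended.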

@ -9,6 +9,7 @@ tags:
- politics
- hack
- far right
- osint
---
earlier this year, [the popular far right fediverse instance poast was hacked](https://www.dailydot.com/debug/leak-poast-kiwi-farms/) leaking user profiles with emails, posts and DMs. today i was sent a special little treat, [a singular html file](/files/posts/meet-the-shitpoasters/meet-the-shitpoasters.html) containing all the poa.st and bae.st profiles with linkedin profiles associated to their e-mail addresses, all their linkedin info, their top 5 worst posts as ranked by sentiment analysis and their DMs. i will leave proper in depth analysis of this data to extremism researchers and journalists, but a few interesting people i can find at a glance are:

@ -0,0 +1,58 @@
---
title: "EXCLUSIVE: second biggest russian insurance company hacked"
date: 2023-10-27
description: "unique insights into one of the biggest russian financial institutions"
feature_image: /img/posts/rosgosstrakh-hack/cover.jpg
feature_alt: "a glitchy edited photo of the rosgosstrakh headquarter with their logo in front of it"
tags:
- leak
- analysis
- osint
- politics
- russia
---
after taking a two month long hiatus (for mental health reasons, nothing to get into deeper here), i decided catch up again with some sources a few weeks ago. one of them started bringing up some massive hacks they had been doing in russia, making it clear they had financial motivations and planned on selling the data rather than leaking it publicly. this of course immediately piqued my interest and i tried to find a way to make a story happen anyways and after a bit of discussion we ended up striking a deal, i get exclusive access to the data for this piece but won't share it any further and they still get to sell it.
## the target
[rosgosstrakh (RGSL/росгосстрах)](https://en.wikipedia.org/wiki/Rosgosstrakh) is the second biggest russian insurance company, behind [SOGAZ](https://en.wikipedia.org/wiki/Sogaz) with an annual revenue of around 90 billion rubles ([2022](https://www.reuters.com/markets/companies/rgss.mm/financials/income-annual)). RGSL has been [subject to US sanctions](https://www.hstoday.us/subject-matter-areas/intelligence/new-sanctions-top-ten-russian-financial-institutions-now-under-u-s-restrictions/) since the start of the russian invasion of ukraine in february 2022. my source gained full access to their investment and life insurance department with data going back to 2010, giving them full access to ~3 million bank statements, data on 730k people/holders (around 80k of which with SNILS (russian ssn) and another 45k with full bank routing info), and all life insurance policies/contracts. they are also able to access all attachments to the former data, such as passports and scanned documents (i was only provided with a small selection of this data, but all of it is included in the purchasable dataset). the source further claims that they most likely have the ability to authorize and create bank transfers if they wanted to do so.
![two screenshots of the adinsure software used by RGS](/img/posts/rosgosstrakh-hack/adinsure.jpg)
two screenshots of the [adinsure](https://www.adacta-fintech.com/platform) software used by RGS captured by the hackers during the attack
## analysis
![a screenshot of a json file containing some of the data on Anatoly Alexandrovich Safronov](/img/posts/rosgosstrakh-hack/json.jpg)
with access to an overwhelming 22gbs of plain json data i did what i always do when i get big datasets like this and first try to find interesting organizations or persons. in this case this was especially easy - public officials (or their direct relatives/spouses) are marked with `"isPublicOfficial": true`, making them super quick to find. i did this (and all my other searches) the lazy way, just searching over the directory with [ripgrep](https://github.com/BurntSushi/ripgrep) rather than indexing the data to a database, but it worked, finding a number of customers marked as public officials (it is highly likely there are way more officials in the dataset left unmarked due to how RGS's system is designed). it was now just a matter of using [OSINT](https://en.wikipedia.org/wiki/Open-source_intelligence) to link the provided data to existing people. the table below includes everyone out of those i was conclusively able to identify, with the data from this dataset and any publicly findable info to complete the picture.
| id | name | name (transliterated) | birth date | function | sanctioned | phone number | email | passport number | [INN](https://www.nalog.gov.ru/eng/exchinf/inn/) | documents | links | insurance coverage |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 724630 | Соболев Александр Михайлович | Sobolev Alexander Mikhaylovich | 1976-02-08 | Head of the Investigative Directorate of the [Investigative Committee of the Russian<br> Federation (SKR)](https://en.wikipedia.org/wiki/Investigative_Committee_of_Russia) for the Yaroslavl Oblast (Major General of Justice) | [yes](https://sanctions.nazk.gov.ua/en/sanction-person/6854/) | +7 (996) 136 19 76 | | 7820460001 | | [passport scan](/files/posts/rosgosstrakh-hack/documents/724630/Паспорт_Паспорт.pdf) | | critical illness insurance with coverage of 12mil rub,<br> disability insurance of 650k rub, secondary critical illness insurance of 650k rub |
| 300276 | Сафронов Анатолий Александрович | Safronov Anatoly Alexandrovich | 1959-12-09 | military helicopter pilot, hero of the russian federation, participated in the chechen war,<br> Deputy Plenipotentiary Representative of the President of the Russian Federation in the<br> Southern Federal District, russian state advisor | no | +7 (905) 768 58 57 | safronov13aa@mail.ru | 4507186232 | | [passport scan](/files/posts/rosgosstrakh-hack/documents/300276/Rostov_2023_03_02_19_13_13_147.pdf) | [wikipedia](https://ru.wikipedia.org/wiki/%D0%A1%D0%B0%D1%84%D1%80%D0%BE%D0%BD%D0%BE%D0%B2,_%D0%90%D0%BD%D0%B0%D1%82%D0%BE%D0%BB%D0%B8%D0%B9_%D0%90%D0%BB%D0%B5%D0%BA%D1%81%D0%B0%D0%BD%D0%B4%D1%80%D0%BE%D0%B2%D0%B8%D1%87) [ufo.gov.ru official resources](http://ufo.gov.ru/polpred/zams/zam4/) | life insurance with coverage of around 7.5mil rub since march 2023 |
| 696346 | Торкунова Ирина Геннадиевна | Torkunova Irina Gennadievna | 1951-06-26 | wife of [Anatoly Torkunov](https://en.wikipedia.org/wiki/Anatoly_Torkunov) (rector of the [MGIMO](https://en.wikipedia.org/wiki/Moscow_State_Institute_of_International_Relations) and diplomat) | [Anatoly is sanctioned](https://sanctions.nazk.gov.ua/en/sanction-person/2807/) | +7 (903) 724 43 62 | | 4504301145 | 770405781300 | [passport scan](/files/posts/rosgosstrakh-hack/documents/696346/%D0%9F%D0%B0%D1%81%D0%BF%D0%BE%D1%80%D1%82_%D0%94%D0%A3%D0%9B_%D0%A2%D0%BE%D1%80%D0%BA%D1%83%D0%BD%D0%BE%D0%B2%D0%B0%20%D0%98.%D0%93._07.12.2021.pdf) | [property ownership](https://rublevka.proekt.media/person/torkunova-irina-gennadyevna/), [company registrations](https://www.rusprofile.ru/person/torkunova-ig-770405781300) | a life insurance worth over 15mil rub (18mil rub coverage), Anatoly is the beneficiary
| 371652 | Амочкин Константин Сергеевич | Amochkin Konstantin Sergeyevich | 1995-02-21 | 'Criminalistics Department Senior Lieutenant of Justice' in the Nizhny<br> Novgorod Oblast, [voted best criminal investigator in the region](https://nn-news.net/incident/2023/04/01/558253.html), [SKR agent](https://en.wikipedia.org/wiki/Investigative_Committee_of_Russia) | no | +7 (910) 796 97 11 | | 2214354822 | | - | [futsal player profile](https://futsal-nn.ru/player/2208779), [article about his visit<br> to schools (has an image of him)](https://studyvolga.com/news/2506/) | life insurance coverage over ~430k rub since 2019,<br> his mom (Амочкина Равия Сулеймановна / Amochkina Ravia Suleymanovna) is the beneficiary |
| 365615 | Меркулова Ольга Ивановна | Merkulova Olga Ivanovna | 1979-10-01 | [head of department at Voronezh State Technical University](https://cchgeu.ru/university/employees/4543/), wife of Меркулов<br> Дмитрий Викторовиц (Merkulov Dmitry Viktorovich), [who is a judge at the Southern<br> District Military Court in Rostov](https://base.garant.ru/320745360/), he is the beneficiary of her life insurance | no | +7 (928) 014 78 9 | las_to44ka@mail.ru | 6021058816 | 782094008038 | passport scan: [1](/files/posts/rosgosstrakh-hack/documents/365615/%D0%B7%D0%B0%D0%B2%D0%B5%D1%80%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20%D0%BF%D0%B0%D1%81%D0%BF%D0%BE%D1%80%D1%82_%D0%BF%D0%B0%D1%81%D0%BF%D0%BE%D1%80%D1%82%20%D1%81%D1%82%D1%80%D0%B0%D1%85%D0%BE%D0%B2%D0%B0%D1%82%D0%B5%D0%BB%D1%8F.pdf), [2](/files/posts/rosgosstrakh-hack/documents/365615/паспорт_страхователь.pdf);<br> beneficiary passport scan: [1](/files/posts/rosgosstrakh-hack/documents/365615/паспорт_выгодо-ль.pdf), [2](/files/posts/rosgosstrakh-hack/documents/365615/паспорт_паспорт.pdf) | | life insurance coverage of ~600k rub |
| 184779 | Топчилова Наталья Николаевна | Topchilova Natalya Nikolaevna | 1989-01-11 | [judge at the Central District Court of Novosibirsk](https://sudact.ru/regular/judge/6ydllhgw9IbV/) | no | +7 (951) 375 35 30 | vkv89@mail.ru | 5009708760 | | passport scan: [1](/files/posts/rosgosstrakh-hack/documents/184779/jpeg_OZ_2022_10_25_17_24_18_527-1.jpg), [2](/files/posts/rosgosstrakh-hack/documents/184779/jpeg_OZ_2022_10_25_17_24_18_527-2.jpg), [3](/files/posts/rosgosstrakh-hack/documents/184779/jpeg_OZ_2022_10_25_17_24_18_527-3.jpg) | | no insurance contract findable |
| 372532 | Куликов Борис Владимирович | Kulikov Boris Vladimirovich | 1976-02-28 | [judge at kamchatka oblast court](https://судьироссии.рф/sudii/view/id/24964/from/1) | no | +7 (914) 626 97 97 | gall-76@mail.ru | 3001084189 | | - | | life insurance with 1mil rub critical illness coverage |
i think it's quite interesting how even with so few people found we actually got some pretty big fish. i am publishing all their info publicly here in hopes of this being even more useful for other investigative journalists and researchers looking into russian government officials. this was quite a fun excersise in some more OSINT as well as my ability to decipher cyrillic :3.
let's get to some even meatier people. using the [molfar list of GRU operatives](https://molfar.com/en/gru) i searched the dataset by passport numbers, and BAAM, here we have 3 GRU agents of them:
| id | name | name (transliterated) | birth date | function | sanctioned | phone number | email | passport number | documents | insurance coverage |
|---|---|---|---|---|---|---|---|---|---|---|
| 498871 | Федосеев Алексей Константинович | Fedoseyev Alexey Konstantinovich | 1986-02-24 | unknown (posted at Siemens LLC according to Molfar) | no | - | - | 4508335107 | - | life insurance with ~1mil rub coverage,<br> beneficiary is AO UniCredit Bank |
| 479186 | Аверин Валерий Владимирович | Averin Valery Vladimirovich | 1980-03-05 | unknown (posted at Orgmarket LLC according to Molfar) | no | +7 (916) 221 53 91 | walerius@inbox.ru | 4504934427 | - | had life insurance with ~1.2mil rub coverage until 2018,<br> beneficiary was AO UniCredit Bank |
| 283673 | Фомивко Александр Федорович | Fomivko Alexander Fyodorovich | 1987-07-14 | unknown | no | +7 (985) 361 79 71 | old.atlas@yandex.ru | 0706926325 | - | has life insurance with ~2.3mil rub coverage since february 2023 |
there were unfortunately no attached documents for all three of them.
i didn't get much useful info out of contact details in this rather surface-level analysis and didn't yet have the time for a deeper dive, but i might do a follow up to this piece with some more analysis particularly of that data. however i decided to finally give [QGIS](https://qgis.org) a quick go and try to map out where customers are located, but even with just the 85k addresses that contain coordinates (just to see if geocoding the rest would be worth it) it already pretty much turned into a population map of russia, [which is of course already an xkcd punchline](https://xkcd.com/1138/). im still gonna put it here though because there still is a few small interesting takeaways.
![a map of russia with various dots on it showing where RGSL customers are located. the dots mostly line up with highly populated areas in russia](/img/posts/rosgosstrakh-hack/map.jpg)
as expected the customers are mostly spread out across the highly populated areas in south-western russia, but what's interesting is the not insignificant number of customers in crimea and the small number of customers in occupied mainland ukraine. i will probably also take a bit more of a look at some of those for a future update.
as the sale thread (`http://breachedu76kdyavc6szj6ppbplfqoz3pgrk3zw57my4vybgblpfeayd.onion/Thread-Rosgosstrakh-700K-Customers-400GB`) states my source attempted to negotiate with RGSL, but did not come to any agreement with them, meaning the dataset is now up for sale with an asking price of 50k usd in xmr. i reached out to RGSL for comment as i published this and will update if i hear anything back. as always feel free to contact me if you have any other data to publish or cover, have any fun vulns, or for journalistic inquiries.
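Review bot: a few text and table issues in the new post: `i decided catch up` is missing `to`, `excersise` should be `exercise`, `headquarter` in `feature_alt` should be `headquarters`, and the Торкунова row (id 696346) lacks the closing `|` that every other row in the table has, which some markdown renderers need to delimit the last cell. The phone number for id 365615, `+7 (928) 014 78 9`, has one digit fewer than every other entry in that column, so it looks truncated compared with the source record.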

Binary files added (not shown):

- image, 300 KiB
- image, 222 KiB
- image, 269 KiB
- image, 68 KiB
- image, 52 KiB
- image, 118 KiB
- image, 111 KiB
- image, 66 KiB
- image, 1.8 MiB