maia.crimew.gay/src/posts/rosgosstrakh-hack.md


---
title: "EXCLUSIVE: second biggest russian insurance company hacked"
date: 2023-10-27
description: unique insights into one of the biggest russian financial institutions
feature_image: /img/posts/rosgosstrakh-hack/cover.jpg
feature_alt: a glitchy edited photo of the rosgosstrakh headquarters with their logo in front of it
tags:
  - leak
  - analysis
  - osint
  - politics
  - russia
---

after taking a two month long hiatus (for mental health reasons, nothing to get into deeper here), i decided to catch up again with some sources a few weeks ago. one of them started bringing up some massive hacks they had been doing in russia, making it clear they had financial motivations and planned on selling the data rather than leaking it publicly. this of course immediately piqued my interest and i tried to find a way to make a story happen anyway. after a bit of discussion we ended up striking a deal: i get exclusive access to the data for this piece but won't share it any further, and they still get to sell it.

## the target

rosgosstrakh (RGSL/росгосстрах) is the second biggest russian insurance company behind SOGAZ, with an annual revenue of around 90 billion rubles (2022). RGSL has been subject to US sanctions since the start of the russian invasion of ukraine in february 2022. my source gained full access to their investment and life insurance department, with data going back to 2010. that gives them ~3 million bank statements, data on 730k people/holders (around 80k of which with SNILS (russian ssn) and another 45k with full bank routing info), and all life insurance policies/contracts. they are also able to access all attachments to that data, such as passports and scanned documents (i was only provided with a small selection of this data, but all of it is included in the purchasable dataset). the source further claims that they most likely have the ability to authorize and create bank transfers if they wanted to do so.

[image: two screenshots of the adinsure software used by RGS, captured by the hackers during the attack]

## analysis

[image: a screenshot of a json file containing some of the data on Anatoly Alexandrovich Safronov]

with access to an overwhelming 22 GB of plain json data i did what i always do when i get big datasets like this and first tried to find interesting organizations or persons. in this case this was especially easy: public officials (or their direct relatives/spouses) are marked with `"isPublicOfficial": true`, making them super quick to find. i did this (and all my other searches) the lazy way, just searching over the directory with ripgrep rather than indexing the data into a database, but it worked, finding a number of customers marked as public officials (it is highly likely there are way more officials in the dataset left unmarked due to how RGS's system is designed). it was then just a matter of using OSINT to link the provided data to existing people. the table below includes everyone i was conclusively able to identify, with the data from this dataset and any publicly findable info to complete the picture.

| id | name | name (transliterated) | birth date | function | sanctioned | phone number | email | passport number | INN | documents | links | insurance coverage |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 724630 | Соболев Александр Михайлович | Sobolev Alexander Mikhaylovich | 1976-02-08 | Head of the Investigative Directorate of the Investigative Committee of the Russian Federation (SKR) for the Yaroslavl Oblast (Major General of Justice) | yes | +7 (996) 136 19 76 | - | 7820460001 | - | passport scan | - | critical illness insurance with coverage of 12mil rub, disability insurance of 650k rub, secondary critical illness insurance of 650k rub |
| 300276 | Сафронов Анатолий Александрович | Safronov Anatoly Alexandrovich | 1959-12-09 | military helicopter pilot, hero of the russian federation, participated in the chechen war, Deputy Plenipotentiary Representative of the President of the Russian Federation in the Southern Federal District, russian state advisor | no | +7 (905) 768 58 57 | safronov13aa@mail.ru | 4507186232 | - | passport scan | wikipedia; ufo.gov.ru; official resources | life insurance with coverage of around 7.5mil rub since march 2023 |
| 696346 | Торкунова Ирина Геннадиевна | Torkunova Irina Gennadievna | 1951-06-26 | wife of Anatoly Torkunov (rector of the MGIMO and diplomat) | Anatoly is sanctioned | +7 (903) 724 43 62 | - | 4504301145 | 770405781300 | passport scan | property ownership; company registrations | life insurance worth over 15mil rub (18mil rub coverage), Anatoly is the beneficiary |
| 371652 | Амочкин Константин Сергеевич | Amochkin Konstantin Sergeyevich | 1995-02-21 | 'Criminalistics Department Senior Lieutenant of Justice' in the Nizhny Novgorod Oblast, voted best criminal investigator in the region, SKR agent | no | +7 (910) 796 97 11 | - | 2214354822 | - | - | futsal player profile; article about his visit to schools (has an image of him) | life insurance coverage over ~430k rub since 2019, his mom (Амочкина Равия Сулеймановна / Amochkina Ravia Suleymanovna) is the beneficiary |
| 365615 | Меркулова Ольга Ивановна | Merkulova Olga Ivanovna | 1979-10-01 | head of department at Voronezh State Technical University, wife of Меркулов Дмитрий Викторович (Merkulov Dmitry Viktorovich), who is a judge at the Southern District Military Court in Rostov and the beneficiary of her life insurance | no | +7 (928) 014 78 9 | las_to44ka@mail.ru | 6021058816 | 782094008038 | passport scan: 1, 2; beneficiary passport scan: 1, 2 | - | life insurance coverage of ~600k rub |
| 184779 | Топчилова Наталья Николаевна | Topchilova Natalya Nikolaevna | 1989-01-11 | judge at the Central District Court of Novosibirsk | no | +7 (951) 375 35 30 | vkv89@mail.ru | 5009708760 | - | passport scan: 1, 2, 3 | - | no insurance contract findable |
| 372532 | Куликов Борис Владимирович | Kulikov Boris Vladimirovich | 1976-02-28 | judge at kamchatka oblast court | no | +7 (914) 626 97 97 | gall-76@mail.ru | 3001084189 | - | - | - | life insurance with 1mil rub critical illness coverage |

i think it's quite interesting how even with so few people found we actually got some pretty big fish. i am publishing all their info publicly here in hopes of this being even more useful for other investigative journalists and researchers looking into russian government officials. this was quite a fun exercise in some more OSINT as well as my ability to decipher cyrillic :3

let's get to some even meatier people. using the molfar list of GRU operatives i searched the dataset by passport numbers, and BAM, here we have 3 GRU agents from that list:

| id | name | name (transliterated) | birth date | function | sanctioned | phone number | email | passport number | documents | insurance coverage |
|---|---|---|---|---|---|---|---|---|---|---|
| 498871 | Федосеев Алексей Константинович | Fedoseyev Alexey Konstantinovich | 1986-02-24 | unknown (posted at Siemens LLC according to Molfar) | no | - | - | 4508335107 | - | life insurance with ~1mil rub coverage, beneficiary is AO UniCredit Bank |
| 479186 | Аверин Валерий Владимирович | Averin Valery Vladimirovich | 1980-03-05 | unknown (posted at Orgmarket LLC according to Molfar) | no | +7 (916) 221 53 91 | walerius@inbox.ru | 4504934427 | - | had life insurance with ~1.2mil rub coverage until 2018, beneficiary was AO UniCredit Bank |
| 283673 | Фомивко Александр Федорович | Fomivko Alexander Fyodorovich | 1987-07-14 | unknown | no | +7 (985) 361 79 71 | old.atlas@yandex.ru | 0706926325 | - | has life insurance with ~2.3mil rub coverage since february 2023 |

there were unfortunately no attached documents for any of the three.
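the two searches above (the `"isPublicOfficial": true` grep and the cross-reference of molfar's passport numbers) done as one python pass over the dump, as an added example that is not code from the original post or anything the source used. only the `isPublicOfficial` key is attested by the post; the file layout (one json object or array per `.json` file), the `id`/`name`/`passport` keys and the sample records are assumptions made for illustration. the one practical detail worth showing is passport normalization: a watchlist and a dump rarely format the series/number the same way, so comparing raw strings silently misses matches.

```python
"""one pass over a directory of plain json dumps: collect every record flagged
"isPublicOfficial": true and every record whose passport number is on a
watchlist (e.g. the molfar list).

added example, not code from the original post or from the source's tooling.
only the key "isPublicOfficial" is attested by the post; the file layout (one
json object or array per .json file), the "id"/"name"/"passport" keys and the
sample records below are assumptions made for illustration.
"""
import json
import os
import re
import tempfile
from typing import Any, Dict, Iterable, Iterator, List, Tuple

# only digits matter when comparing passport numbers: different sources render
# the same series+number as "45 08 335107", "4508 335107" or "4508335107".
_NON_DIGITS = re.compile(r"\D+")

# constructed sample records (not from the leak); record 3 sits inside a
# contract wrapper to show that nested objects are found too.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"id": 1, "name": "holder one", "isPublicOfficial": True, "passport": "1111 222333"},
    {"id": 2, "name": "holder two", "isPublicOfficial": False, "passport": "4444 555666"},
    {"contractNo": "C-3",
     "holder": {"id": 3, "name": "holder three", "isPublicOfficial": True,
                "passport": "7777888999"}},
]


def normalize_passport(value: Any) -> str:
    """reduce a passport series+number to its digits ("45 08 123456" -> "4508123456")."""
    return _NON_DIGITS.sub("", str(value))


def _walk(node: Any) -> Iterator[Dict[str, Any]]:
    """yield every dict reachable from node, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def iter_records(root: str) -> Iterator[Dict[str, Any]]:
    """yield every json object found in *.json files under root, one file at a
    time, so only the current file has to fit in memory."""
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(".json"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                try:
                    data = json.load(fh)
                except json.JSONDecodeError:
                    continue  # skip a truncated/partial export instead of aborting the run
            yield from _walk(data)


def scan(root: str, watchlist: Iterable[str],
         passport_field: str = "passport") -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """single pass: (records flagged as public officials, records whose passport is on the watchlist)."""
    wanted = {normalize_passport(p) for p in watchlist} - {""}
    officials: List[Dict[str, Any]] = []
    hits: List[Dict[str, Any]] = []
    for record in iter_records(root):
        # strict `is True` so the string "true" or the number 1 from a sloppy export is not trusted
        if record.get("isPublicOfficial") is True:
            officials.append(record)
        if passport_field in record and normalize_passport(record[passport_field]) in wanted:
            hits.append(record)
    return officials, hits


def build_sample_dump() -> str:
    """write the constructed sample records into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="dump-")
    with open(os.path.join(root, "customers.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_RECORDS[:2], fh, ensure_ascii=False)
    with open(os.path.join(root, "contract.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_RECORDS[2], fh, ensure_ascii=False)
    return root


if __name__ == "__main__":
    dump = build_sample_dump()
    found_officials, found_hits = scan(dump, ["77 77 888999", "00 00 000000"])
    print("public officials:", sorted(r["id"] for r in found_officials))  # [1, 3]
    print("watchlist hits:", [r["id"] for r in found_hits])               # [3]
```

ripgrep is fine for the first look, but once there is a watchlist a single pass that evaluates every predicate per record is the point: you don't want to re-read a 22 GB directory for each new list of passport numbers, and you want the whole record back rather than a matching line.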

i didn't get much useful info out of the contact details in this rather surface-level analysis and didn't yet have the time for a deeper dive, but i might do a follow-up to this piece with some more analysis, particularly of that data. i did however decide to finally give QGIS a quick go and try to map out where customers are located, but even with just the 85k addresses that contain coordinates (just to see if geocoding the rest would be worth it) it already pretty much turned into a population map of russia, which is of course already an xkcd punchline. i'm still gonna put it here though because there are still a few small interesting takeaways.

[image: a map of russia with various dots on it showing where RGSL customers are located. the dots mostly line up with highly populated areas in russia]

as expected the customers are mostly spread out across the highly populated areas in south-western russia, but what's interesting is the not insignificant number of customers in crimea and the small number of customers in occupied mainland ukraine. i will probably also take a bit more of a look at some of those in a future update.
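pulling the coordinate-bearing records out for QGIS and putting a number on the crimea observation above, as an added example that is not the post's own code. the post only says ~85k addresses carry coordinates; the `address` object with `lat`/`lon` keys, the sample points and the bounding box corners are assumptions made for illustration, and the sample records are constructed.

```python
"""extract the customer records that carry coordinates, write them to a csv
that QGIS loads via Layer > Add Layer > Add Delimited Text Layer (X field =
lon, Y field = lat, CRS EPSG:4326), and count how many points fall inside a
rough bounding box.

added example, not the post's own code. the post only says that ~85k addresses
carry coordinates; the "address" object with "lat"/"lon" keys, the sample
points and the rough crimea box are assumptions made for illustration.
"""
import csv
import io
from typing import Any, Dict, Iterable, List, Tuple

Point = Tuple[Any, float, float]  # (record id, lat, lon)

# rough box around the crimean peninsula as (min_lat, max_lat, min_lon, max_lon);
# an illustrative approximation, not a precise border
CRIMEA_BBOX = (44.3, 46.3, 32.4, 36.7)

# constructed sample records (not from the leak)
SAMPLE_ADDRESS_RECORDS: List[Dict[str, Any]] = [
    {"id": 1, "address": {"city": "Moscow", "lat": 55.75, "lon": 37.62}},
    {"id": 2, "address": {"city": "Simferopol", "lat": "44.95", "lon": "34.10"}},  # strings, as exports often do
    {"id": 3, "address": {"city": "Sevastopol", "lat": 44.62, "lon": 33.53}},
    {"id": 4, "address": {"city": "Novosibirsk", "lat": 55.03, "lon": 82.92}},
    {"id": 5, "address": {"city": "unknown"}},                        # not geocoded: skipped
    {"id": 6, "address": {"city": "junk", "lat": 0, "lon": 0}},       # null island: skipped
    {"id": 7, "address": {"city": "junk", "lat": "n/a", "lon": 30}},  # unparsable: skipped
]


def _coord(value: Any) -> float:
    """parse a coordinate that may arrive as a number, a string, or a string with a decimal comma."""
    return float(str(value).replace(",", "."))


def extract_points(records: Iterable[Dict[str, Any]]) -> List[Point]:
    """keep only records with a usable lat/lon pair; drop (0, 0) and out-of-range values."""
    points: List[Point] = []
    for record in records:
        address = record.get("address") or {}
        if "lat" not in address or "lon" not in address:
            continue
        try:
            lat, lon = _coord(address["lat"]), _coord(address["lon"])
        except ValueError:
            continue
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue
        if lat == 0.0 and lon == 0.0:
            continue  # classic geocoder failure value, would plot in the gulf of guinea
        points.append((record.get("id"), lat, lon))
    return points


def in_bbox(lat: float, lon: float, bbox: Tuple[float, float, float, float]) -> bool:
    min_lat, max_lat, min_lon, max_lon = bbox
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon


def count_in_bbox(points: Iterable[Point], bbox: Tuple[float, float, float, float]) -> int:
    return sum(1 for _, lat, lon in points if in_bbox(lat, lon, bbox))


def to_qgis_csv(points: Iterable[Point]) -> str:
    """csv with an id,lat,lon header, which the delimited text layer dialog picks up directly."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "lat", "lon"])
    for pid, lat, lon in points:
        writer.writerow([pid, f"{lat:.6f}", f"{lon:.6f}"])
    return buf.getvalue()


if __name__ == "__main__":
    pts = extract_points(SAMPLE_ADDRESS_RECORDS)
    print(f"{len(pts)} of {len(SAMPLE_ADDRESS_RECORDS)} records have usable coordinates")  # 4 of 7
    print(f"{count_in_bbox(pts, CRIMEA_BBOX)} of them fall inside the crimea box")           # 2
    print(to_qgis_csv(pts), end="")
```

the filtering is what makes the map honest: exports mix numeric and string coordinates, and (0, 0) or out-of-range values from a failed geocoder otherwise end up as stray dots that look like findings.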

as the sale thread (http://breachedu76kdyavc6szj6ppbplfqoz3pgrk3zw57my4vybgblpfeayd.onion/Thread-Rosgosstrakh-700K-Customers-400GB) states, my source attempted to negotiate with RGSL but did not come to any agreement with them, meaning the dataset is now up for sale with an asking price of 50k usd in xmr. i reached out to RGSL for comment as i published this and will update if i hear anything back. as always, feel free to contact me if you have any other data to publish or cover, have any fun vulns, or for journalistic inquiries.