Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior
An Investigative Report – May 2022
In March 2020, a hacktivist group called “Digital Revolution” claimed to have hacked a subcontractor to the FSB, the Federal Security Service of the Russian Federation. They claimed the hack occurred in April 2019. They released documents and contracts about a botnet system of Internet of Things (IoT) devices built by a contractor, 0day Technologies. This botnet is known by the codename Fronton (Фронтон). Media outlets went crazy. Headlines called it a tool that could be used to “turn off the Internet in a small country.” Most analyses assumed that the goal of the system was distributed denial of service (DDoS). A day later, another tranche of documents, images, and a video was released, with significantly less fanfare.
Nisos research focused on the distribution of the numerous content types. This release noted that DDoS “is only one of the many capabilities of the system.” Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale. This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events, which it refers to as Инфоповоды (“newsbreaks”), utilizing the botnet as a geographically distributed transport.
SANA creates social media persona accounts, including provisioning of an email and phone number. In addition, the system provides facilities for creating these newsbreaks on a schedule or a reactive basis. Two example lists of posting source dictionaries were included in the data. One, involving comments around a squirrel statue in Almaty, Kazakhstan, may have affected the reporting on a BBC story. As of April 2022, 0day Technologies has changed its domain from 0day[.]ru to 0day[.]llc. An instance of the SANA system appears to be up at https://sana.0day[.]llc. Nisos assessed that this is possibly a testing or demo instance, and is not currently used by the FSB.
Nisos researchers conducted open source research and found that 0day is known as 0Dt, full name Zeroday Technologies LLC (0Дт, OOO ЗИРОУДЭЙ ТЕХНОЛОДЖИС), based at Ulitsa Profsoyuznaya, D. 125, Etazh Tsokolnyi Pomesht. I, Kom. 14 Moscow; Moscow; Postal Code: 117647.
Additional research indicated that well-publicized Russian hacker Pavel SITNIKOV (known by his alias FlatL1ne) may be employed by 0Dt. SITNIKOV previously bragged about his connections with APT28, aka Fancy Bear, and was arrested by Russian authorities in 2021. Nisos assessed that he likely has extensive knowledge of the functionality of the Fronton infrastructure and SANA front-end systems.
To learn more, download the complete Nisos Research report.