
Surveillance Data of Russian Internet Users Leaked by SORM Equipment

Typically used by Russian law enforcement, SORM (System for Operative Investigative Activities) helps agencies collect information such as IP addresses, IMEI and IMSI codes, MAC addresses, ICQ usernames, and email addresses observed in POP3, SMTP or IMAP4 traffic, or in connections to webmail providers. At a recent conference, a researcher disclosed that in April of 2018 he found 30 SORM tools installed at 20 different Russian ISPs that were running FTP servers, and that these devices were not secured with a password. In June of 2018, the researcher began working with the ISPs in an effort to lock down the devices, but six IP addresses remained exposed for over a year until they were finally closed earlier this week. The data on these unprotected servers included GPS coordinates for residents of Sarov (formerly Arzamas-16, a closed town and Russia’s center for nuclear research), ICQ instant messenger usernames, IMEI numbers, telephone numbers for several hundred mobile phones across Moscow, router MAC addresses and GPS coordinates for residents of Novosilske, and GPS coordinates from smartphones running outdated firmware. It is unclear whether this information fell into the wrong hands.

Analyst Notes

If SORM devices are being used, they should be updated regularly and secured with a strong password.