Nokia Employee Accidentally Leaks SORM Operations Data
Chris Vickery, a specialist at UpGuard, accidentally discovered a publicly accessible backup drive belonging to a Nokia employee. The drive contained about 1.7 TB of data shedding light on the operations of Russia’s SORM (System for Operative Investigative Activities), particularly within the networks of the telecom operator MTS.
According to Nokia representatives speaking to TechCrunch, one of their employees connected a USB drive with old work files to their home computer. Due to a configuration error, both the computer and the drive became accessible to anyone on the internet. UpGuard notified Nokia about the data leak immediately after its discovery on September 9, 2019, and it took the company four days to close the breach. Nokia representatives stated that they are still investigating the incident.
Nokia emphasized that they fully comply with Russian law: “Since this is a standard requirement for lawful interception in Russia, and SORM providers must be approved by the relevant authorities, we also work with other companies to implement SORM capabilities in the networks we provide,” said Nokia representatives, noting that one such company is Malvin Systems.
Details of the Exposed Documents
The leaked documents included descriptions of how SORM operates within MTS networks, as Nokia supplies equipment to the telecom operator. The documents showed installation diagrams for SORM equipment, various technical plans (including physical addresses, floor numbers, and the location of each secure, isolated room housing SORM equipment, rooms that are off-limits to outsiders), and more.
The papers revealed information about SORM installations in at least sixteen cities besides Moscow: Vladimir, Lipetsk, Ivanovo, Kaluga, Kostroma, Bryansk, Smolensk, Ryazan, Belgorod, Voronezh, Kursk, Orel, Tula, Tver, Tambov, and Yaroslavl.
Additionally, the data included 700 GB of photographs (578,000 images), some of which clearly showed SORM equipment with visible serial numbers and barcodes.
Previous SORM Leaks and Potential Risks
This is not the first time information about SORM operations has appeared online. For example, in 2017, WikiLeaks published documents about companies involved in the technical side of internet surveillance and about how authorities force providers to install SORM at their own expense. However, experts believe this latest leak could be dangerous in new ways. Mikhail Klimarev, executive director of the Internet Protection Society, says the leak could cause significant harm to MTS:
“No one knows who managed to download these archives. Potential terrorists could have obtained highly sensitive information and could inflict irreparable damage to MTS’s infrastructure. And no one can guarantee that something similar won’t happen to other major operators.”