TechCrunch has discovered that a Russian telecommunications firm specializing in technology for phone and internet providers to monitor and restrict online activity was breached, resulting in its website being vandalized and sensitive data being exfiltrated from its servers.
Originally established in Russia, Protei supplies telecom infrastructure to phone and internet companies in numerous nations, such as Bahrain, Italy, Kazakhstan, Mexico, Pakistan, and much of central Africa. Now based in Jordan, the company offers products for video conferencing, internet access, surveillance, and web filtering, including deep packet inspection tools.
The exact timing and method of the Protei breach remain uncertain, but an archived version of the company’s website on the Wayback Machine reveals it was altered on November 8. The site was quickly brought back online.
During the incident, the attacker accessed Protei’s web server, extracting approximately 182 gigabytes of data, including years’ worth of email correspondence.
DDoSecrets, a non-profit organization that curates and shares leaked datasets for public interest—including those from law enforcement, government bodies, and surveillance-related companies—received a copy of Protei’s stolen data.
Image Credits:TechCrunch (screenshot)
Mohammad Jalal, who leads Protei’s Jordan office, did not reply to inquiries regarding the security breach.
The perpetrator’s identity and reasons for the attack remain unknown, but the defaced website displayed the message: “another DPI/SORM provider bites the dust.” This appears to reference Protei’s involvement in selling deep packet inspection and internet filtering systems for the Russian-developed SORM lawful interception platform.
SORM serves as the primary lawful interception tool in Russia and is also deployed in other countries using Russian technology. Telecom operators are required to install SORM devices, enabling authorities to access customers’ calls, texts, and internet activity.
Deep packet inspection hardware enables telecom providers to detect and control online traffic based on its origin, such as social networks or messaging platforms, and to selectively restrict access. These technologies are commonly used for monitoring and censorship in areas with limited freedom of speech.
In 2023, Citizen Lab revealed that Iranian telecom company Ariantel had sought Protei’s expertise for tracking internet usage and blocking specific websites. Documents reviewed and released by Citizen Lab indicate that Protei promoted its systems’ capability to limit or deny website access to individuals or large groups.
