[Screenshot from Robtex]
Malware aimed at uncovering the anonymous identities of Tor users reportedly sent information to an IP address that belongs to the National Security Agency (NSA), routed through Science Applications International Corporation (SAIC).
Tor, an anonymity network originally short for The Onion Router, was developed with contributions from individuals who worked for the Navy and the NSA. This latest revelation comes as the NSA is under increasingly intense scrutiny around the world for its data harvesting activities.
It also comes on the heels of a report stating that the FBI regularly employs hackers to develop malware and an earlier report which stated that the US government is the world’s largest buyer of malware.
The vulnerability exploited was patched by Mozilla in June of this year, and the patched version is part of the new Tor Browser Bundle.
However, Ars points out that, “the TBB configuration of Firefox doesn’t include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.”
Early investigations traced the IP address back to SAIC, which incidentally provides support to the Department of Defense in the areas of information technology and Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR).
The IP address was specifically tracked to the SAIC facility in Arlington, Virginia, though further analysis showed that the trail went beyond the defense contractor.
Research using Robtex, a DNS record tool, found that the IP address was part of one of many blocks of IP addresses which have been permanently assigned to the NSA.
Ars Technica points out that this discovery is one of two things: a laughable mistake by someone working for either the NSA or SAIC, or “an intentional calling card as some analyzing the attack have suggested.”
An individual posting on Cryptocloud’s discussion forum speculated, “It’s psyops—a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.”
Kevin Poulsen, writing for Wired’s Threat Level, on the other hand, believes that “the FBI is the prime suspect.”
“It just sends identifying information to some IP in Reston, Virginia,” Vlad Tsyrklevich, a reverse-engineer, said to Wired. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
Wired notes that if Tsyrklevich and others are correct, the malware could be the FBI’s computer and internet protocol address verifier (CIPAV).
SAIC has not responded to attempts by Wired to get a comment on the story, and Poulsen notes that SAIC is a contractor for the FBI.
The discovery of the malware also came after individuals involved with the Tor Project reported the disappearance of numerous so-called “hidden service addresses” that were used by Freedom Hosting.
“The confluence of the three events has prompted speculation that the de-anonymizing exploit is the work of the FBI or another organized group targeting child pornographers,” Ars Technica reports.
“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law-enforcement agent] and not by blackhats,” Tsyrklevich wrote, according to Ars.
It seems that the evidence indicating that the IP address is linked to the NSA is quite strong, though if that is the case, they almost certainly provided information to the FBI in relation to the Marques case mentioned above.
More information on this story will be added as it becomes available.
This article first appeared at End the Lie.
Madison Ruppert is the Editor and Owner-Operator of the alternative news and analysis database End The Lie and has no affiliation with any NGO, political party, economic school, or other organization/cause. He is available for podcast and radio interviews. Madison also now has his own radio show on UCYTV Monday nights 7 PM – 9 PM PT/10 PM – 12 AM ET. Show page link here: http://UCY.TV/EndtheLie. If you have questions, comments, or corrections feel free to contact him at [email protected]