Russian Secret Intelligence Contractor Tried to Deanonymize Tor Users


Hackers have leaked data obtained from Russia’s Federal Security Service (FSB), showing that a contractor called SyTech was trying to deanonymize users of the Tor anonymity network, as reported by Forbes. The group, called 0v1ru$, stole 7.5 terabytes of data by gaining access to SyTech’s entire network. 

SyTech Breached

The hacking group shared the data with Digital Revolution, a different hacking group that last year breached the servers of another FSB contractor, called Quantum. Digital Revolution then shared more details about SyTech’s data on Twitter and with Russian journalists. 

SyTech has been working on the Tor deanonymization project, Nautilus-S, since 2012. Academics from the Swedish university Karlstad were able to identify 25 malicious servers that attempted to deanonymize Tor users. Eighteen of those servers were located in Russia. 

Other SyTech/FSB Projects Leaked 

The leaked data revealed that SyTech has been working on a multitude of projects with the FSB and with Quantum since 2009, including:

  • Nautilus - targets social media posts
  • Nautilus-S - targets Tor users through rogue Tor servers
  • Reward - targets P2P networks, such as bittorrent networks
  • Mentor - allows the FSB to monitor and search for Russian companies’ emails
  • Hope - looks into how the Russian internet connects to other countries’ networks
  • Tax-3 - involves the creation of a closed network, where highly sensitive information on judges and government officials would be stored

BBC Russia, one of the recipients of the stolen SyTech data, said that the FSB was also spying on other applications and networks, including Jabber, ED2K (eDonkey) and OpenFT (enterprise file transfer), as well as on students and pensioners. 

Tor Deanonymization Attacks Are Not New

Spy agencies attempting to deanonymize Tor users is nothing new, and it’s likely that most of the largest nations attempt to do it. However, how successful they are is unclear.

In 2013, Edward Snowden revealed that the NSA regularly targeted Tor users, primarily through the use of Tor browser exploits. The Tor browser was based on Firefox Extended Support Release (ESR), but the newer Tor browser brings a much-improved Firefox sandboxing architecture, which should significantly limit the damage that exploits can cause.

In 2013, a group of researchers showed that a malicious attacker could potentially deanonymize a regular Tor user 50% of the time after three months of constant monitoring of the network and 80% of the time after six months. The Tor Project has received some significant improvements since then, so it’s not clear if these attacks work just as well today. At the time, the researchers suggested using "dummy traffic" to fool hackers, but it doesn't look like the Tor Project has implemented this technique yet, presumably because it would add a significant amount of latency to the network.

Correlation attacks remain a large problem for the Tor network, as long as too few volunteers keep Tor exit nodes alive. The lower the number of “clean” Tor exit nodes, the higher the chance a spy agency could deanonymize Tor users.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • digitalgriffin
    Surprise Surprise...NOT

    Artificially pumping the chain with controlled malicious nodes is one of the weaknesses I thought of years ago. While the data would be encrypted if they don't own the end to end, they could eventually point what IPs you were visiting and when.

    Creating lots of new entry/exit nodes is the only solution. But with that comes a tremendous amount of headache as law enforcement comes knocking on your door for breaking some law. Only Universities and other such public agencies have the resources to guard against this.
  • AllanGH
    Next-up: The Kaspersky data breach?

    ;)
  • Oleg Melnikov
    And how about VPN users? For example, NordVPN has Tor over VPN on a double VPN network. So even if they are able to get my IP or any other details, will they be able to get to me from that point?
  • AllanGH
    If, hypothetically speaking, you are attempting to compromise the security of a communications session, and your IP addy is identified, you are subject to reciprocal surveillance. If you are stupid enough to natively run a Microsoft Operating System while doing so, you are further subject to being completely owned.