Hackers have leaked data obtained from Russia’s Federal Security Service (FSB), showing that a contractor called SyTech was trying to deanonymize users of the Tor anonymity network, as reported by Forbes. The group, called 0v1ru$, stole 7.5 terabytes of data by gaining access to SyTech’s entire network.
The hacking group shared the data with Digital Revolution, a different hacking group that last year breached the servers of another FSB contractor, called Quantum. Digital Revolution then shared more details about SyTech’s data on Twitter and with Russian journalists.
SyTech has been working on the Tor deanonymization project, Nautilus-S, since 2012. Academics from the Swedish university Karlstad were able to identify 25 malicious servers that attempted to deanonymize Tor users. Eighteen of those servers were located in Russia.
Other SyTech/FSB Projects Leaked
The leaked data revealed that SyTech has been working on a multitude of projects with the FSB and with Quantum since 2009, including:
- Nautilus - targeting social media posts
- Nautilus-S - targets Tor users through rogue Tor servers
- Reward - targets P2P networks, such as bittorrent networks
- Mentor - allows the FSB to monitor and search for Russian companies’ emails
- Hope - looks into how the Russian internet connects to other countries’ networks
- Tax-3 - involves the creation of a closed network, where highly sensitive information on judges and government officials would be stored
BBC Russia, one of the recipients of the stolen SyTech data, said that the FSB was also spying on other applications and networks, including Jabber, ED2K (eDonkey) and OpenFT (enterprise file transfer), as well as on students and pensioners.
Tor Deanonymization Attacks Are Not New
Spy agencies attempting to deanonymize Tor users is nothing new, and it’s likely that most of the largest nations attempt to do it. However, how successful they are is unclear.
In 2013, Edward Snowden revealed that the NSA regularly targeted Tor users primarily through the use of Tor browser exploits. The Tor browser was based on Firefox Extended Support Release (ESR), but the newer Tor browser brings a much improved Firefox sandboxing architecture, which should significantly limited the damage that exploits can cause.
In 2013, a group of researchers showed that a malicious attacker could potentially deanonymize a regular Tor user 50% of the time after three months of constant monitoring of the network and 80% of the time after six months. The Tor Project has received some significant improvements since then, so it’s not clear if these attacks work just as well today. At the time, the researchers suggested using "dummy traffic" to fool hackers, but it doesn't look like the Tor Project has implemented this technique yet, presumably because it would add a significant amount of latency to the network.
Correlation attacks remain a large problem for the Tor network, as long as too few volunteers keep Tor exit nodes alive. The lower the number of “clean” Tor exit nodes, the higher the chance a spy agency could deanonymize Tor users.