Malware aimed at uncovering the anonymous identities of Tor users reportedly sent information to an IP address that belongs to the National Security Agency (NSA), routed through Science Applications International Corporation (SAIC).
Tor, an anonymity network originally short for The Onion Router, was developed with contributions from individuals who worked for the Navy and the NSA. This latest revelation comes as the NSA is under increasingly intense scrutiny around the world for its data harvesting activities.
It also comes on the heels of a report stating that the FBI regularly employs hackers to develop malware and an earlier report which stated that the US government is the world’s largest buyer of malware.
The vulnerability exploited was patched by Mozilla in June of this year, and the patched version is included in the new Tor Browser Bundle.
However, Ars points out that,
“the TBB configuration of Firefox doesn’t include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.”
Early investigations traced the IP address back to SAIC, which incidentally provides support to the Department of Defense in the areas of information technology and Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR).
The IP address was specifically tracked to the SAIC facility in Arlington, Virginia, though further analysis turned up that it went beyond the defense contractor.
Ars Technica points out that this discovery is one of two things: a laughable mistake by someone working for either the NSA or SAIC, or,
“an intentional calling card as some analyzing the attack have suggested.”
An individual posting on Cryptocloud’s discussion forum speculated,
“It’s psyops – a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.”
Kevin Poulsen, writing for Wired’s Threat Level, on the other hand, believes that “the FBI is the prime suspect.”
“It just sends identifying information to some IP in Reston, Virginia,” Vlad Tsyrklevich, a reverse-engineer, said to Wired. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
Wired notes that if Tsyrklevich and others are correct, the malware could be the FBI’s Computer and Internet Protocol Address Verifier (CIPAV).
SAIC has not responded to attempts by Wired to get a comment on the story, and Poulsen notes that SAIC is a contractor for the FBI.
The exploit also came after individuals involved with the Tor Project reported the disappearance of numerous so-called “hidden service addresses” that were used by Freedom Hosting.
“The confluence of the three events has prompted speculation that the de-anonymizing exploit is the work of the FBI or another organized group targeting child pornographers,” Ars Technica reports.
“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law-enforcement agent] and not by blackhats,” Tsyrklevich wrote, according to Ars.
It seems that the evidence indicating that the IP address is linked to the NSA is quite strong, though if that is the case, they almost certainly provided information to the FBI in relation to the Marques case mentioned above.