
Hackers expose Russian-backed Tor demasking project


Hackers targeting a Russian intelligence agency contractor, SyTech, have revealed a number of secretive projects, including one aiming to de-anonymise some users of the Tor browser.

The hackers, belonging to a group known as 0v1ru$, stole 7.5TB of data from SyTech, a contractor for the Russian Federal Security Service (FSB).

The stolen information was shared with another hacking group and journalists. The group replaced the SyTech homepage with a large picture of ‘Comfy Guy’, also known as YOBA, a trolling icon popular among Russian internet users. For the time being, SyTech has hidden its website.

Approximately 20 secret projects were revealed by the hackers, mostly commissioned by a military service connected to the FSB. These included projects to collect information about social media users (Nautilus), to search email servers belonging to large companies (Mentor), to find vulnerabilities in the peer-to-peer BitTorrent system used to share media, and to disconnect from the wider internet if threatened, such that all traffic is contained within Russia’s borders (Hope).

BBC Russia commented that this could be “the largest data leak in the history of the work of Russian special services on the Internet.”

Tor is a web browser that allows people to communicate anonymously by routing traffic with multiple layers of encryption through a randomly generated series of relays to conceal user location. It is popular for a range of purposes, from buying products and services on the black market to organising protests in authoritarian regimes and accessing websites blocked in certain countries. According to BBC Russia, a daily average of 400,000 Russians have been using Tor over the past three months.

The ‘Nautilus-S’ de-anonymising method proposed by SyTech involves adding a node to the volunteer-run Tor network through which traffic would pass right before reaching its intended destination. If a user exits the network via this node, SyTech would be able to detect which website is being visited. Combining this with data collected from an internet service provider about which users are on the network at the time could make it possible to identify a user.

It is not known how successful this attempt to de-anonymise the browser has proved so far, particularly given that it relies heavily on luck to find matches.

A spokesperson for Tor told the BBC: “Although malicious exit nodes could see a fraction of the traffic exiting the network, by design, this would not be enough to de-anonymise Tor users. Large-scale effective traffic correlation would take a much larger view of the network, and we don’t see that happening here.”

The Tor Project welcomes security research, and several attempts to de-anonymise the browser have been openly reported on. A 2014 paper written by Swedish academics described a method similar to that developed by SyTech, and the US National Security Agency developed a technique which exploits the ‘EgotisticalGiraffe’ vulnerability (which is associated with an outdated version of the Firefox browser).
