You may have heard of the recent malware that targeted Freedom Hosting, a hosting provider for Tor, and Tor users . News is now emerging it may be the United States National Security Agency (NSA) that did the attacking.
Was it really the NSA the one that attacked Freedom Hosting. According to a researcher, yes it is: malware that brought down Freedom Hosting was hardcoded to send data back IP addresses belonging to the NSA.
Initial analysis by Baneki Privacy Labs and Cryptocloud showed that the malware was collecting information and was sending it to a single IP address 126.96.36.199 which belong to SAIC, a US defense company and C4IR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance). “The geolocation of the IP address” was later identified to be Arlington, Virginia.
Using Rotex’s DNS record tool, researchers were able to find that the IP address was actually “part of several blocks of IP addresses allocated by SAIC to the NSA.” Later on, a spokesman from Baneski Privacy Lab said:
“The malware specialists we know have shared their interpretations with us, which is what we’ve disclosed, along with the tools used to come to those conclusions; we’re entirely open to firsthand experts correcting if, indeed, a correction would be required; again, at that level it seems a question of fact rather than interpretation. We’re not the final arbiter of that fact. There’s enough top-level DNS/IP subject matter experts that we expect a form of peer review kicks in now.”
He went on and added:
“We’ve seen many cases of geo info in ARIN inaccurate, but NEVER a case where IP ownership info is ‘outdated,’ ever. Again, however, we defer to credentialed subject matter experts as the final arbiters on what the IP data signify We’ll be surprised if in the end, it’s somehow an ‘error’ and NSA/SAIC has no connection whatsoever; however, facts are stubborn things & we go with the facts.”
Nobody knows how many users have been affected or if it really is the NSA behind these attacks or someone trying to frame the NSA, but it sure makes some Tor users nervous about being identified.
[via Ars Technica ]