The Tor Project on Thursday urged common sense after learning that hundreds of its gateways had been labeled by the U.S. government as “suspicious” in a recent report concerning malicious cyber activity attributed to the Russian government.
As part of a report on election security compromises, the U.S. Department of Homeland Security (DHS) published a list of computer IP addresses supposedly used by the Russian-affiliated hackers implicated by the U.S. intelligence community in the cyberattacks last summer on the Democratic National Committee (DNC) and John Podesta, Hillary Clinton’s campaign chairman.
The list accompanied a joint statement—released by DHS in conjunction with the Office of the Director of National Intelligence (ODNI)—which called the release of allegedly hacked Democratic emails, “consistent with the methods and motivations of Russian-directed efforts.” The disclosures, said the statement, were “intended to interfere with the U.S. election process.”
First reported by the Intercept on Wednesday, nearly half of the 876 “suspicious” IP addresses identified by DHS (roughly 42 percent) are currently Tor exit nodes or have been Tor exit nodes in the past few years. Up to 367 IP addresses listed alongside the government report on Russian malicious cyber activity may have been used, or may be presently in use, by thousands of internet users who have no ties to Moscow, the DNC hack, or any kind of malicious cyber activity.
Tor is a powerful anonymity tool used around the world by a wide range of people, including human rights activists, journalists, and everyday users—including some criminals—in order to conceal their identities and physical locations. The software, partially funded by the U.S. government, is also used by dissidents in countries, such as China and Turkey, that impose online censorship and crack down on internet activity.
“Clearly the evidence they have that these are Russian hackers isn’t what they released.”
To achieve anonymity, traffic over the Tor network is first encrypted before being bounced through a network of servers (“nodes”) in various countries in a process known as “onion routing.” Exit nodes are the final gateways where encrypted Tor traffic meets the internet.
The Tor network is maintained by a U.S.-based non-profit called the Tor Project.
The Tor nodes on the U.S. government’s list were first revealed by Micah Lee, an Intercept reporter and Tor network volunteer, who maintains a few of the more than 7,000 exit nodes in countries around the world. The discovery came after Lee checked the internet traffic of his own blog against the list provided by the government and found “over 80,000 web requests” from so-called “suspicious” IPs.
“I have a lot of regular readers who are Tor users,” wrote Lee, “and I’m pretty sure they’re not all Russian hackers.”
While asserting that it was plausible (and perhaps even likely) that the Russian government was behind the DNC and Podesta hacks, Lee was critical of the government’s report for failing to adequately prove the claim.
“If Vladimir Putin, the Russian leader, is truly responsible for manipulating the U.S. election, and if the Obama administration wishes to prove its case,” Lee wrote, “it needs to publish actual smoking-gun proof, such as intercepted emails or phone calls from within the Kremlin, or more complete technical details that connect dots directly to the Russian government, rather than to a Tor node that thousands of people use.”
In an interview with the Daily Dot on Thursday, Shari Steele, the executive director of the Tor Project, echoed Lee’s remarks, calling the listing of Tor exit nodes “not the most responsible way” to aid system administrators wary of Russian hackers.
“Obviously the government is trying to be somewhat helpful and act like they’re being somewhat helpful,” Steele said. “But clearly the evidence they have that these are Russian hackers isn’t what they released.” Steele said she presumes the government has other evidence implicating Russian hackers, but what the FBI and DHS released on Dec. 29 falls short of describing what malicious activity actually looks like.
In its report entitled “Grizzly Steppe”—the government’s designation for the Russian malicious cyber activity—DHS recommends to system administrators adding the IPs to a watchlist “to determine whether malicious activity has been observed within their organizations.” It also notes that while some traffic may correspond to malicious activity, other traffic “may correspond to legitimate activity.”
“Basically, what they’re saying is, ‘Here’s the list of Tor exit nodes, check and see whether or not there’s malicious activity,’” Steele said. “It’s the ‘malicious activity’ part that is the important part of it, and on that, they are very vague.”
“They don’t describe who would be doing it, what Russian hackers look like, how they identified that these are Russian hackers versus some other users of the exit nodes,” added Steele, who said she is hopeful that administrators will not jump to conclusions and move to block traffic arriving from Tor.
That would be an overreaction, concluded Steele, noting that “even the government report doesn’t suggest that you’re supposed to blacklist the exit nodes.”
The Office of the Director of National Intelligence declined to comment for this story. The Department of Homeland Security did not respond to multiple inquiries.