cozy bear & fancy bear would probably make me less lonely if they came to mine

The Pindosi government thinks thousands of Russian hackers may be reading my blog. They aren’t.
Micah Lee, The Intercept, Jan 4 2017

After the Pindo government published a report on Russia’s cyber-attacks against the Pindo election system, and included a list of computers that were allegedly used by Russian hackers, I became curious if any of these hackers had visited my personal blog. The report, which boasted of including “technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services,” came with a list of 876 suspicious IP addresses used by the hackers, and these addresses were the clues I needed to, in the end, understand a gaping weakness in the report. An IP address is a set of numbers that identifies a computer or a network of computers on the internet. Each time someone loads my website, it logs their IP address. So I searched my web server logs for the suspicious IP addresses, and I was shocked to discover over 80,000 web requests from IPs used by the Russian hackers in the last 14 months! Digging further, I found that some of these Russian hackers had even posted comments (mostly innocuous technical questions)! Even today, several days after publication of the report (which used a codename for the Russian attack, Grizzly Steppe), I’m still finding these suspicious IP addresses in my logs, although I would expect the Russians to stop using them after the government exposed them. What is happening? Are elite Russian hackers regular readers of my blog? Am I under cyber-attack?

I found out, after some digging, that of the 876 suspicious IP addresses that the DHS and the ODNI put on the Russian cyber-attacker list, at least 367 of them (roughly 42%) are either Tor exit nodes right now, or were Tor exit nodes in the last few years. I have a lot of regular readers who are Tor users, and I’m pretty sure they’re not all Russian hackers. So the quick answer to the mystery of my website apparently being attacked by nefarious IP addresses listed in the report is that the Russians, along with many thousands of others, just happened to use the Tor IP addresses that my regular readers used, and still use. Tor is a decentralized network of servers, called nodes, that help people bypass internet censorship, evade internet surveillance, and access websites anonymously. Today, there are over 7000 nodes in the Tor network (about 1000 of those are “exit nodes”), distributed geographically around the world, and run by volunteers (I run a few myself). Tor Browser is a web browser like Chrome or Firefox, but all of its internet traffic goes over the Tor network. If you type in the URL https://www.fbi.gov in your normal web browser, the IP address of your current internet connection will end up in the FBI’s web server logs. But if you type that URL into Tor Browser, an encrypted copy of your web request will bounce around the world through multiple Tor nodes before finally exiting the Tor network, and the IP address of a Tor exit node will end up in the FBI’s logs, rather than the network you’re currently connected to.

Since nearly half of the IP addresses in the Grizzly Steppe report are actually just Tor exit nodes, this means that anyone in the world, not just Russian hackers, can use the internet from those IP addresses. In fact, if you open Tor Browser and visit a website right now, there’s a pretty decent chance that you’ll be using the internet from one of those suspicious IP addresses. It’s plausible that Russian hackers use Tor to hide their real IP addresses when they do attacks, and this is likely why these IP addresses ended up in the Grizzly Steppe report. But finding these IPs in your web server logs (like I did for my website) does not mean that the Russians are attacking you. Tor has over 1.5 million daily users around the world, and about a third of a million of them are in Pindostan. If you see a Tor IP address in your logs, you know that a Tor user visited your website, and that’s it. In other words, if you’re a network administrator and you discover one of the suspicious IP addresses used by Russian hackers on your network, it likely doesn’t mean anything at all. It certainly isn’t proof that the same elite Russian hackers who compromised the DNC + Podesta emails are also targeting your company. For example, Russian hackers did not penetrate the Pindostani electricity grid through a utility company in Vermont, even though a company laptop made a connection to an IP address in the Grizzly Steppe report. But before I figured all of this out, I really wanted to know what the Russians were (apparently) doing on my blog. After digging, I discovered this in my logs:

93.115.95.202 - - [09/Mar/2016:16:19:07 -0500] "GET /files/tmp/fingerprints.txt.asc HTTP/1.1" 200 13141 "-" "PycURL/7.21.5 libcurl/7.47.0 GnuTLS/3.4.9 zlib/1.2.8 libidn/1.32 libssh2/1.5.0 nghttp2/1.8.0 librtmp/2.3"

The first part of this log is an IP address, “93.115.95.202,” followed by the date that the request was made, Mar 9 2016, followed by the URL that was being requested, in this case https://micahflee.com/files/tmp/fingerprints.txt.asc, and finally followed by a complicated user agent string that isn’t important right now. I knew exactly what that web request was because I’m the one who made it, using Tor. I put that file, “fingerprints.txt.asc,” on my web server, to help me test out a piece of software I was developing. No one else could have made that web request, because no one else knew that temporary URL. It turns out, when I downloaded that file from my own website while using Tor, I came from the IP address “93.115.95.202.” But, according to the Grizzly Steppe report, if I find this IP address in my logs, that’s evidence that I’m a target for Russian cyber-attacks. Does this mean that I’m an elite Russian hacker and I just didn’t realize it? I set out to figure out exactly how many of the suspicious IP addresses listed in the Grizzly Steppe report actually just belong to Tor exit nodes.

All Tor nodes that make up the Tor network are completely public. You can visit this page to see a list of the current Tor exit node IP addresses. But since the Tor network is run by volunteers, the list of nodes constantly changes. People running old nodes decide to shut them down, and other people start up new nodes. So I used the Internet Archive’s Wayback Machine to download each historical list of Tor exit nodes available, beginning in Sep 2014. I found a total of 7,854 IPs that were, in recent years, Tor exit nodes, and I compared it to the list of 876 IPs that were published with the Grizzly Steppe report. I found 367 IP addresses in common. In other words, at least 367 of the suspicious IP addresses are or were Tor exit nodes. It’s plausible, and in my opinion likely, that hackers under orders from the Russian government were responsible for the DNC and Podesta hacks in order to influence the election in favor of Donald Trump. But the Grizzly Steppe report fails to adequately back up this claim. For example, my research shows that much of the evidence presented is evidence of nothing at all. If Vladimir Putin is truly responsible for manipulating the election, and if the Obama administration wishes to prove its case, it needs to publish actual smoking-gun proof, such as intercepted emails or phone calls from within the Kremlin, or more complete technical details that connect dots directly to the Russian government, rather than to a Tor node that thousands of people use. Of course it’s unlikely the Obama administration will do this. But if you have access to any of this evidence, please share it with us using SecureDrop.
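The two checks described above (matching web server log lines against the published IP list, and intersecting that list with archived Tor exit-node lists) are easy to reproduce. The following is an added example, not code from the article or from The Intercept; the log lines, the indicator set and the month-indexed exit-node history are constructed stand-ins (RFC 5737 documentation addresses plus the one IP quoted in the article), and the real inputs would be your own access log, the published list and the Wayback Machine snapshots.

```python
import re
from datetime import datetime

# Constructed Apache combined-format log lines (not real server logs).
LOG_LINES = [
    '93.115.95.202 - - [09/Mar/2016:16:19:07 -0500] "GET /files/tmp/fingerprints.txt.asc HTTP/1.1" 200 13141 "-" "PycURL/7.21.5"',
    '198.51.100.7 - - [10/Mar/2016:08:00:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2016:09:12:44 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed stand-in for the published indicator list (hypothetical values).
INDICATORS = {"93.115.95.202", "203.0.113.9", "192.0.2.50"}
# Constructed stand-in for archived exit-node lists: IP -> months (YYYY-MM) in
# which that IP appeared as a Tor exit. Exit lists churn, so the date matters.
TOR_EXIT_MONTHS = {
    "93.115.95.202": {"2016-03", "2016-04"},
    "198.51.100.7": {"2015-01"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify_hits(lines, indicators, exit_months):
    """Return indicator matches, each tagged with whether the IP was a Tor exit
    in the month of the request (a Tor exit hit says only 'a Tor user visited')."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in indicators:
            month = rec["ts"].strftime("%Y-%m")
            hits.append({"ip": rec["ip"], "request": rec["req"],
                         "tor_exit": month in exit_months.get(rec["ip"], set())})
    return hits

def tor_overlap(indicators, exit_months):
    """Count indicators that were ever a Tor exit, and the share of the list they make up."""
    common = indicators & set(exit_months)
    return len(common), round(100 * len(common) / len(indicators), 1)
```

Any hit tagged `tor_exit` should be treated as an attribution dead end rather than a sign of targeting, which is the article's point.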

One Comment

  1. lobro
    Posted January 5, 2017 at 7:30 am | Permalink

    Senator Ted Stevens’ method is still the best way to discover Russian hackers:

    grab a bunch of internet tubes and put your nose to them, if they smell like vodka, take a good snort and say: ваше здоровье, товарищи!
