Last week left cybersecurity nerds scratching their heads after traffic to Tor, the free software suite that enables anonymity online, quintupled in less that a week. It was obviously too good to be true, and now we know why. A Russian botnet is threatening to bring the whole network down.
This is bad news for the anonymous internet. Researchers at Fox IT identified the particular botnet being used by the intruders as either "Mevade.A" or the older "Sefnit". Whatever it's called, the botnet had been communicating in HTTP but recently switched to Tor, where it's "massive in size as well as very widespread," according to the researchers. They're not exactly sure why the botnet is going after Tor but say it's "likely motivated by direct or indirect financial related crime." Regardless of the reasoning behind the attack, it certainly puts users in the Tor network at risk.
A botnet like this can be pretty vicious, and unfortunately for those users, it's not the only attack Tor's faced lately. A little over a month ago, an unknown hacker — read: probably the FBI — hit Tor with malware that threatened to reveal the anonymous users' identities by exploiting a security flaw in the Firefox browser. The incident was linked to the arrest of kiddie porn kingpin Eric Eoin Marques who had recently been arrested in Ireland, and many believed that the Tor intruder was just trying to identify other sickos in the child pornography business. Regardless of the reasoning though, this kind of exploit is bad news for the anonymous internet.
These recent events highlight a frustrating dichotomy in the Tor community. On one hand, the software attracts criminals like Marques who retreat to the Darknet to do dark things. However, it's also an integral tool for activists and journalists who must remain anonymous for their own safety. Once their identities are leaked, many Tor users have no place to hide. And these particular attacks don't differentiate the good guys from the bad guys. The Firefox exploit affected half of the sites accessible exclusively through the Tor network, while more traffic is coming from the botnet than all the users put together. Unlike the current botnet attack which probably just slows down the network for users, the Firefox exploit actually threatened to expose users' identities. That's pretty much the worst case scenario for Tor users.
Meanwhile, the attacks on the anonymous internet go further than Tor. In the past few weeks, several secure email providers have shut down either due to threats from the government and/or concerns about cybersecurity. The founder of Lavabit, Edward Snowden's email provider and the first of these services to shut down, opted to shutter the service rather than comply with the government's request for information about the NSA leaks. Silent Circle, a similar service, followed suit a few days later, as did the legal site Groklaw. It seems like the only way to escape the Feds' reach is to store your servers in Switzerland, like secure email provider Kolab.
While it's easy to point to the NSA leaks as the inciting incident in this streak of cyberattacks and shut downs, it's also a sign of things to come. With everyone from outgoing Homeland Security chief Janet Napolitano to President Obama warning of imminent cyberattacks on the United States, everybody's nervous about where the hackers (or the government) will strike first. And if the events of the past month are any indication of things, the anonymous internet appears to be the likely target. In other words, nowhere is safe now. [Fox IT]