This time Tor – an internet browser which allows people to maintain their anonymity online by protecting their location – is warning its users of a cyber attack that quietly seized some of its network specialized servers called Directory Authorities (DA), the servers that help Tor clients to find Tor relays in the anonymous network service.
Tor network architecture relies on ten Directory Authorities whose information is hardcoded into Tor clients. These directory authorities are located in the Europe and United States, and maintain the signed list of all the verified exit relays of the Tor network, and according to experts, attack on these backbone servers can "incapacitate" the overall architecture of Tor.
"The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities," Tor officials wrote on the project’s blog post on Friday. "We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked."
To keep the network updated and stable, at least 5-6 Directory Authorities (DA) must be operational, but if such seizure attempts take down 5 or more Directory Authorities server, the Tor network will become unstable, and the integrity of any updates to the consensus cannot be guaranteed.
Thomas White (@CthulhuSec), an operator of a large cluster of servers providing an exit point for Tor traffic in the Netherlands, warned of a suspicious activity overnight on the servers. The targeted servers, according to DNS data, were hosted in a data center in Rotterdam.
"I have now lost control of all servers under the ISP and my account has been suspended," White wrote on Sunday in an update on the Tor mailing list. "Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers."
White strongly recommended users that they should treat the servers as hostile until the control was regained signified by a PGP signed message from himself and that his mirrors are not used under any circumstances.
"If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile," White wrote. "If any of the mirrors or IPs do come back online, I would welcome anyone who is capable of doing so checking for any malicious code to ensure they are not used to deploy any kind of state malware or attacks against users should my theory prove to be the case."
Tor users should note and temporarily avoid the affected mirrors below:
https://globe.thecthulhu.comTor has gained notoriety for its association with drugs mafias and hackers. The law enforcement, especially FBI, always shows of much interest in the Tor network.
Last month, the FBI also conducted an operation to takedown Silk Road 2.0 server on the network, meanwhile, the law enforcement officials in Europe also seized hundreds of sites operating on the Tor network. However, so far it’s not clear who took the servers down or if law enforcement was involved.
In June this year it was revealed from Snowden secret documents that NSA's top-secret X-Keyscore surveillance program targeted at least two German Tor Directory Authority servers, one based in Berlin and the other in Nuremberg.
In an update report, we were informed that seized servers have been returned online and but still unclear whether Law enforcement agency was involved in the attack or any warrants were served as part of the takedown.
Tor itself is not compromised and but such possible and quite successful attempts to take down or hijack the Tor network is a matter of worry.