NSA Linked to Spyware Hack on Privacy-Protecting Network

People sit around laptop computers at a cafe in Beijing

Photo by Ed Jones/AFP/Getty Images

Was the U.S. government behind a new hacking spree aimed at unmasking people hiding their identity on the Web? Security experts think so.

Users of the Tor browser reported Sunday that various websites hosted by the company Freedom Hosting had gone suddenly offline and had in some cases been infected with malware. Freedom Hosting provides so-called Tor “hidden service” servers that allow users to access websites available only through the Tor network. These sites are commonly referred to as being part of the “dark Web” and are used by activists and journalists who are attempting to evade surveillance. But hidden services also attract criminal elements—and are known to be used to share images of child abuse or to arrange drug deals.

Intriguingly, the malware that had apparently been placed on some of the Freedom Hosting websites Sunday may have turned up evidence showing how the feds are attempting to infiltrate Tor networks in order to track down suspects. According to an analysis by security researcher Vlad Tsrklevic, the malware in question collects identifying information about the person visiting the page and sends it back to an IP address near Reston, Va. Because the malware does not infiltrate the computer like criminal malware and instead merely collects identifying information, according to Tsrklevich, “it’s very likely that this is being operated by a law enforcement agency.”

So who exactly is responsible for the hack? The finger is being pointed squarely at U.S. authorities—but not just because the feds have been previously known to operate a spyware tool named CIPAV that performs a similar function. U.S. agencies are the prime suspects because the IP address that the malware was “phoning home” to traces back to Science Applications International Corp., a Virginia-based defense firm that “develops products and applied technologies which aid in anti-terrorism and Homeland Security efforts,” according to its website, which says that it helps “the U.S. Department of Defense, the FBI, and other agencies combat terrorism, cybercrime, and the proliferation of weapons of mass destruction.” Even more significant, as Ars Technica has noted, researchers say that the IP address appears to have been part of a block allocated by SAIC to the NSA.

The NSA and its contractors are known to conduct surveillance operations in cooperation with the FBI, as may have been the case here. As Wired’s Kevin Poulsen has noted, the deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on a U.S. extradition request, which may be a factor. Marques is alleged to be the man behind Freedom Hosting, and he has been accused of distributing child pornography in a federal case filed in Maryland. An FBI agent reportedly accused Marques of being “the largest facilitator of child porn on the planet.”

The FBI told me it would not comment about the Freedom Hosting malware, and SAIC had not responded to a request for comment at time of publication.

The discovery of the malware will prove to be a headache for the feds, if it is indeed one of the technologies it uses to collect information about Tor users. Security experts will now be able to reverse-engineer the tool, which was apparently exploiting a vulnerability in the security of Mozilla Firefox to load a malicious Javascript code designed to execute the surveillance. The Tor project has released a security advisory informing users about the issue, and Mozilla has published a blog post explaining that it supposedly only affects people running an outdated version of the browser. It is also likely that the spyware will be added to anti-virus databases, which will hinder the feds’ ability to deploy it in future.

In recent years, the FBI and other law enforcement agencies have increasingly turned to hacking tools for surveillance purposes. In April, I reported that a Texas judge had denied the feds authorization to use a spy Trojan that could covertly infiltrate a targeted computer and take photographs of its user through his or her webcam, collecting logs of emails and other data from the hard drive and sending it back to the FBI for inspection. According to a recent report by the Wall Street Journal, a group in the FBI called the Remote Operations Unit is tasked with taking a leading role in the hacking efforts. The Trojan-style technology, which can be used to counter encryption and anonymity tools like Tor, is said to be used primarily in cases involving organized crime, child pornography, or counterterrorism.

However, the powerful spy tools attract concern from civil liberties groups because laws governing their use are outdated, and the technology is also open to abuse. Outside the United States, governments are increasingly turning to spyware to target activists, for instance, and it is unclear what safeguards are in place to prevent corrupt law enforcement agents misusing Trojans to infiltrate computers and plant evidence on targets’ hard drives.