About a week ago, the administrator of an email provider that caters to dark web denizens—be they security-conscious journalists, dissidents living in repressive regimes, or even criminals—noticed that someone was trying to hack their service.
“So apparently we have drawn attention to our humble little email service that mostly lives inside of the Tor network,” the anonymous admin wrote on Thursday in a mailing list post. “The attacker had been trying various exploits against our infrastructure over the past few months.”
The attack allowed whoever was behind it to “read [the target’s] email as they typed it and harvest any new emails that came in,” the admin told Motherboard.
The humble little email service is called SIGAINT, a small but growing email provider for the privacy-minded folks that’s entirely hosted on the dark web and boasts 43,000 users. The service has an obvious paranoid, anti-surveillance ethos, which becomes clear when you visit their site’s contact page.
“If you are law enforcement, or some other government agency clown you are basically fucked,” reads the page. “We can't help you. Oh, and welcome to Tor!”
The admin, who wishes to remain anonymous, told Motherboard that the attempts to break into SIGAINT’s servers were unsuccessful. But the attackers apparently didn’t give up and resorted to another, clever way of attacking the service: they set up 70 malicious Tor exit nodes ostensibly to “spy in real-time” on SIGAINT’s users, according to the admin.
“We know what they were after,” the admin told Motherboard. “There is no way to spy on email that doesn't leave the darknet without spying on the mail service itself.”
Exit nodes are the last “hop” in the Tor network, where someone using the anonymizing software Tor reaches back to the clearnet. They are also the most vulnerable part of the Tor network. As it’s very well known, if you control a Tor exit node, you can—if you want—see what the Tor users going through your node are up to and potentially also tamper with what they see.
In this case, whoever the attackers were, they were trying to redirect visitors of SIGAINT.org, the clearnet site that practically only serves to advertise the harder-to-remember .onion link (http://sigaintevyh2rzvw.onion/), to a different but similar-looking .onion site, according to SIGAINT’s admin.
In essence, they were acting as a “man in the middle” when users of SIGAINT connected to the clearnet site through one of the 70 malicious nodes, which allowed them to spy on users.
Although the admin said that “there is no way for us to be sure,” the culprits, given the number of malicious nodes the attackers were using, and other “strange circumstances,” were likely a government agency “that one or more of our users have angered in the past.”
The strange circumstances, the admins said, were that for roughly a month prior to the attack, the administrators did not receive any law enforcement requests, when they normally receive around one a week.
But to experts, that is an unlikely scenario.
Yes, the attackers used a relatively high number of exit nodes, around 6 percent of the total. But in reality, according to Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley, there was only about a 2.7 percent probability that a random Tor user would connect to these malicious nodes and get spied on—pretty bad odds if you’re an intelligence agency trying to spy on some high-value SIGAINT user.
“Claiming it was a state actor feels like a major reach to me,” Weaver told Motherboard.
Weaver estimated the cost of mounting such an attack would be less than $400 a day if the attackers used their own servers. If they hacked other people’s servers, then the cost would drop to zero. Considering that, Weaver concluded that the attackers “could be anybody.”
People that work for the Tor Project, the nonprofit that runs Tor, seem to agree.
Philipp Winter, a researcher at Karlstad University in Sweden and a member of the Tor Project who handles malicious exit nodes, said that 70 is an unusually high number, but also “not a tragedy,” and that there are no signs that they were set up by a spy agency.
“The simplest explanation is usually the best one, and a state actor does not seem like a simple solution to me,” he told Motherboard. “Practically all attacks by exit relays that we discover seem to be done by random jerks, and I haven't seen any evidence that points in a different direction here.”
So, the attackers could be a spy agency, yes, or perhaps an angry drug dealer trying to spy on a competitor, or perhaps a very jealous boyfriend or girlfriend. In other words, we don’t know.
Yet, this attack should serve as a warning to both SIGAINT admins, as well as their users. Using an email provider on the dark web is not a guarantee of security or privacy; there are still ways for bad guys to spy on you. And in this case, it appears that SIGAINT could have done more to protect its users.
SIGAINT’s clearnet site is not encrypted with HTTPS, which made it possible for the attackers to impersonate it, replace the .onion URL and mount the man-in-the-middle attack. Switching encryption on for the site, according to both Weaver and Winter, would completely thwart this type of attack.
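The weakness described here is that a plaintext HTTP page can be rewritten by anyone on the path, including a malicious exit relay, so the .onion address it advertises cannot be trusted. The following is an added example, not SIGAINT’s code or anything from the Tor Project: a small audit routine that a site operator or a cautious user can run over a fetched copy of the clearnet page (fetched repeatedly, for instance through different Tor circuits) to flag a page that arrived without TLS or that advertises an address other than the pinned one. The known-good address and the sigaint.org hostname come from the article; the function names, the sample pages and the lookalike address `exampleimposter7.onion` are constructed for the example.

```python
"""Audit a clearnet 'front door' page that advertises a .onion address.

Added example, not SIGAINT's own code. Fetching the page is left to the
caller (e.g. via Tor's SOCKS proxy); everything here runs offline on the
HTML that was fetched.
"""
import re
from urllib.parse import urlparse

# Known-good address taken from the article (a 16-character v2 onion).
EXPECTED_ONION = "sigaintevyh2rzvw.onion"

# v2 onions are 16 base32 characters, v3 onions are 56; both use a-z and 2-7.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def extract_onion_links(html: str) -> list:
    """Return the distinct .onion hostnames mentioned anywhere in the page."""
    return sorted({m.group(0).lower() for m in ONION_RE.finditer(html)})


def audit_clearnet_page(html: str, fetched_url: str, expected: str = EXPECTED_ONION) -> list:
    """Return a list of findings; an empty list means the page looks intact.

    Two checks, from the defender's side:
      * transport: a page fetched over plain http has no integrity protection,
        so any on-path party (a malicious exit relay included) can rewrite it;
      * content: the pinned address must be present, and no other .onion
        address may be advertised alongside or instead of it.
    """
    findings = []
    scheme = urlparse(fetched_url).scheme.lower()
    if scheme != "https":
        findings.append(f"page fetched without TLS ({scheme}); contents are not integrity-protected")
    found = extract_onion_links(html)
    if expected not in found:
        findings.append(f"pinned address {expected} is missing from the page")
    for onion in found:
        if onion != expected:
            findings.append(f"unexpected onion address advertised: {onion}")
    return findings


# Constructed sample pages (not captured from the real site).
GENUINE_PAGE = """<html><body>
<p>Our hidden service: <a href="http://sigaintevyh2rzvw.onion/">sigaintevyh2rzvw.onion</a></p>
</body></html>"""

# The same page with the link swapped for a placeholder lookalike address,
# which is what a link-rewriting relay would leave the visitor with.
TAMPERED_PAGE = GENUINE_PAGE.replace("sigaintevyh2rzvw.onion", "exampleimposter7.onion")


if __name__ == "__main__":
    for label, page, url in (("genuine over https", GENUINE_PAGE, "https://sigaint.org/"),
                             ("tampered over http", TAMPERED_PAGE, "http://sigaint.org/")):
        print(label, "->", audit_clearnet_page(page, url) or ["OK"])
```

Run on the genuine page fetched over HTTPS the audit returns no findings; on the tampered copy fetched over HTTP it reports the missing TLS, the absent pinned address and the unexpected one. Pinning the expected address in the monitor is the same idea as the bookmark the article later suggests for users: the trust anchor lives outside the page that an on-path relay can alter.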
The SIGAINT admin told Motherboard that they used to have encryption on the site, but then users started complaining that they would have to go through “captchas” to visit the site with Tor, a common issue with sites using CloudFlare, a DDoS protection provider and content delivery network.
In the initial mailing list post, SIGAINT’s admin said they don’t use HTTPS on the site because spy agencies could still get around it using fake digital certificates—an attack that’s technically possible but rarely seen in the wild.
A commenter on Hacker News wrote that this argument is like “not putting a lock on your door because thieves can just bust it open anyway.”
Weaver had a more colorful reaction to that argument.
“That is 100 percent pure bovine excrement,” he told Motherboard.
Asked what they’re going to do now, SIGAINT’s admin said that they are considering turning encryption on again, or removing the .onion URL from the clearnet page. “We will probably do the latter,” he said.
In that case, users would have to bookmark the URL, or write it down somewhere, but at least an attacker impersonating the clearnet site wouldn’t be able to replace it with a malicious one.
It’s unclear how many users were targeted in the attack. The admin said that everyone who visited the clearnet site to find the dark web link “was advised to change their password.”
Who really was behind the attack, however, remains a mystery.