Some denizens of the "darknet" — which provides online anonymity for both criminals and whistleblowers — recently found their access blocked after a mysterious cyberattack that has left experts guessing.
The attack occurred from October 29 to November 7. It targeted Tor, a type of software that hides the identity of users and allows them to visit sites not available through popular web browsers.
Using Tor, people are able to access the so-called “darknet,” an online space where criminals flog drugs, weapons and other illicit items and services. Darknet users are also able to discuss sensitive topics with little fear of surveillance, and whistleblowers can post documents without revealing their identities.
The attackers boasted on a blog about bringing Tor to a partial halt, writing that they intended to punish purveyors of child pornography.
“So this is what Tør defend,” the blog said, referring to news articles about law enforcement busting darknet sites selling child pornography.
Experts told OCCRP they were skeptical of the hackers’ statements about attacking Tor for ethical reasons.
“Hackers don't care about pedophiles,” said Andrew Morris, founder of the cybersecurity firm GreyNoise Intelligence, who investigated the attack.
Morris noted that the attack occurred around the U.S. election on November 5.
“My guess — if I were a betting man — is that they didn't want Tor to be usable in the days leading up to the U.S. election and during the US election,” he said.
Steven Murdoch, who created a browser that allows people to access the Tor network, disagreed.
“Tor plays an important role in elections when there is internet censorship, but the U.S. doesn't have this problem,” said Murdoch, a professor of security engineering at University College London.
“I don't see a significant motive for anyone trying to manipulate the U.S. election to target Tor,” he added.
The perpetrators of the attack are as mysterious as the motive.
Morris said whoever was behind it needed the technical skills to configure their server a certain way, and lots of bandwidth that could handle heavy traffic. They also needed a good knowledge of how Tor works, including a list of “nodes” that allow it to function.
To provide anonymity, the Tor network relies on thousands of nodes — computers and servers that act as intermediaries. A Tor user bounces between these nodes when connecting to a website, making it difficult to know who that user is.
The hackers “spoofed” the IP addresses of Tor nodes, creating the impression that these servers and computers were flooding the internet with malicious traffic. Internet providers then shut down those IP addresses, taking them offline.
“We know that it was done by somebody who had in-depth knowledge of how Tor operates,” said Morris.
The attack temporarily shut down between 50 and 150 nodes, according to Gustavo Gus of the Tor Project, a Massachusetts-based non-profit group that maintains the anonymity software.
He declined to speculate on the identities or motives of the hackers, but said: “It doesn't seem to be a nation-state attack.”
In a blog post following the attack, the Tor Project said it was “concerning that someone would choose to deliberately disrupt a service that is essential for people experiencing digital surveillance and internet censorship.”
Morris said Tor is an important tool for political dissidents and journalists, as it allows them to exchange information without the fear of being surveilled — although that is not the most common use.
“People mostly use Tor to do sketchy shit,” said Morris.