Who hacked a cluster of Tor servers in the Netherlands?

Pierluigi Paganini December 24, 2014

A cluster of Tor servers suffered an unexplained outage just after the warning of the Tor project. Only certainty is someone physically accessed servers.

Recently the experts at the Tor project issued a warning of a possible cyber attack against the Tor network through the seizure of the Directory authorities that can “incapacitate” the overall architecture.

The experts explained that the Tor network relies on nine directory authorities, whose information is hard coded into Tor clients, located across the Europe and the United States. The directory authorities servers provide a signed list of all the relays of the Tor network.

“The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.” Tor Project leader Roger Dingledine explained in a blog post.

“We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use,” “We hope that this attack doesn’t occur; Tor is used by many good people.”

The stability of the overall Tor network depends in the Directory Authorities (DA), at least 5-6 Directory Authorities (DA) must be operational to keep the network updated and operating. Taking down 5 or more Directory Authorities servers the Tor network will become unstable, and the integrity of any updates to the consensus cannot be guaranteed.

An attack against the Directory Authorities (DA) could be conducted by law enforcement or Intelligence agencies to sabotage the Tor network, but anyway it is not effective to de-anonymize Tor users.

Thomas White (@CthulhuSec) is an operator of a large cluster of servers in the Netherlands, he warned of a suspicious activity overnight on the servers. According the operator, he has lost the control of the servers that are hosted in a data center in Rotterdam.

tor relays

White confirmed that someone physically accessed the servers, the man is convinced that law enforcement was operating to block the machine after a search. According to White, it’s possible that a keyboard-video-mouse (KVM) switch was connected to the servers as confirmed by the logs.

I have now lost control of all servers under the ISP and my account has been suspended,” White wrote on Sunday in an update on the Tor mailing list. “Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

White warned Tor users using the mirrors which were hosting copies of the Tor Project’s Globe and Atlas sites and that provide information on Tor network relays and bridges.

“Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances,” White explained. “If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile.”

White invited to temporarily avoid the following mirrors:


But something has changed December 22 when White was doubtful on the involvement of law enforcement assumed previously: was involved in the takedown and sought to reassure Tor users about the safety of the network.

“The likelihood of this being the work of law enforcement seems to be lower than originally anticipated,” he wrote. “This is good in many ways but asks more questions than it solves right now. I am not going to completely exclude the possibility of law enforcement involvement though as there simply isn’t enough information. The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.”

A support representative of the ISP confirmed that there has been unauthorized access to White’s account. White received conflicting information from ISP despite the servers have now been restored and have not been seized.

“there has been unauthorized access to my account,” he said. “This could be due to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.”

A plausible hypothesis is that law enforcement is trying to collect information on the infrastructure of the Tor network. White said he has moved hidden services he hosted for others on another server in the data center to a new location. In an e-mail exchange with Ars, he said, “Right now the whole issue has been blown out of proportion by people

In the time I’m writing, White confirmed he has moved hidden services he hosted for others on another server in the data center to a new location.

Pierluigi Paganini

(Security Affairs –  Tor network, hacking)

you might also like

leave a comment