After the U.S. government published a report on Russia’s cyber attacks against the U.S. election system, and included a list of computers that were allegedly used by Russian hackers, I became curious if any of these hackers had visited my personal blog. The U.S. report, which boasted of including “technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services,” came with a list of 876 suspicious IP addresses used by the hackers, and these addresses were the clues I needed to, in the end, understand a gaping weakness in the report.
An IP address is a set of numbers that identifies a computer, or a network of computers, on the internet. Each time someone loads my website, it logs their IP address. So I searched my web server logs for the suspicious IP addresses, and I was shocked to discover over 80,000 web requests from IPs used by the Russian hackers in the last 14 months! Digging further, I found that some of these Russian hackers had even posted comments (mostly innocuous technical questions)! Even today, several days after publication of the report (which used a codename for the Russian attack, Grizzly Steppe), I’m still finding these suspicious IP addresses in my logs — although I would expect the Russians to stop using them after the U.S. government exposed them.
What is happening? Are elite Russian hackers regular readers of my blog? Am I under cyber attack?
I found out, after some digging, that of the 876 suspicious IP addresses that the Department of Homeland Security and the Department of National Intelligence put on the Russian cyber attacker list, at least 367 of them (roughly 42%) are either Tor exit nodes right now, or were Tor exit nodes in the last few years. I have a lot of regular readers who are Tor users, and I’m pretty sure they’re not all Russian hackers. So the quick answer to the mystery of my website apparently being attacked by nefarious IP addresses listed in the U.S. report is that the Russians, along with many thousands of others, just happened to use the Tor IP addresses that my regular readers used (and still use).
Tor is a decentralized network of servers, called nodes, that help people bypass internet censorship, evade internet surveillance, and access websites anonymously. Today, there are over 7000 nodes in the Tor network (about 1000 of those are “exit nodes”), distributed geographically around the world, and run by volunteers (I run a few myself). Tor Browser is a web browser, like Chrome or Firefox, but all of its internet traffic goes over the Tor network. If you type in the URL https://www.fbi.gov in your normal web browser, the IP address of your current internet connection will end up in the FBI’s web server logs. But if you type that URL into Tor Browser, an encrypted copy of your web request will bounce around the world through multiple Tor nodes before finally exiting the Tor network, and the IP address of a Tor exit node will end up in the FBI’s logs, rather than the network you’re currently connected to.
Since nearly half of the IP addresses in the Grizzly Steppe report are actually just Tor exit nodes, this means that anyone in the world — not just Russian hackers — can use the internet from those IP addresses. In fact, if you open Tor Browser and visit a website right now, there’s a pretty decent chance that you’ll be using the internet from one of those suspicious IP addresses.
It’s plausible that Russian hackers use Tor to hide their real IP addresses when they do attacks, and this is likely why these IP addresses ended up in the Grizzly Steppe report. But finding these IPs in your web server logs (like I did for my website) does not mean that the Russians are attacking you. Tor has over 1.5 million daily users around the world — about a third of a million of them are in the United States. If you see a Tor IP address in your logs, you know that a Tor user visited your website, and that’s it.
In other words, if you’re a network administrator and you discover one of the suspicious IP addresses used by Russian hackers on your network, it likely doesn’t mean anything at all. It certainly isn’t proof that the same elite Russian hackers who compromised the Democratic National Committee and John Podesta’s email are also targeting your company. (For example, Russian hackers did not penetrate the U.S. electricity grid through a utility company in Vermont, even though a company laptop made a connection to an IP address in the Grizzly Steppe report.)
But before I figured all of this out, I really wanted to know what the Russians were (apparently) doing on my blog. After digging, I discovered this in my logs:
184.108.40.206 - - [09/Mar/2016:16:19:07 -0500] "GET /files/tmp/fingerprints.txt.asc HTTP/1.1" 200 13141 "-" "PycURL/7.21.5 libcurl/7.47.0 GnuTLS/3.4.9 zlib/1.2.8 libidn/1.32 libssh2/1.5.0 nghttp2/1.8.0 librtmp/2.3"
The first part of this log is an IP address, “220.127.116.11,” followed by the date that the request was made, March 9, 2016, followed by the URL that was being requested, in this case https://micahflee.com/files/tmp/fingerprints.txt.asc, and finally followed by a complicated user agent string that isn’t important right now. I knew exactly what that web request was because I’m the one who made it, using Tor. I put that file, “fingerprints.txt.asc,” on my web server, to help me test out a piece of software I was developing. No one else could have made that web request, because no one else knew that temporary URL.
It turns out, when I downloaded that file from my own website while using Tor, I came from the IP address “18.104.22.168.” But, according to the Grizzly Steppe report, if I find this IP address in my logs, that’s evidence that I’m a target for Russian cyber attacks. Does this mean that I’m an elite Russian hacker and I just didn’t realize it?
I set out to figure out exactly how many of the suspicious IP addresses listed in the Grizzly Steppe report actually just belong to Tor exit nodes. All Tor nodes that make up the Tor network are completely public. You can visit this page to see a list of the current Tor exit node IP addresses. But since the Tor network is run by volunteers, the list of nodes constantly changes — people running old nodes decide to shut them down, and other people start up new nodes. So I used the Internet Archive’s Wayback Machine to download each historical list of Tor exit nodes available, beginning in September 2014.
I found a total of 7,854 IPs that were, in recent years, Tor exit nodes, and I compared it to the list of 876 IPs that were published with the Grizzly Steppe report. I found 367 IP addresses in common — in other words, at least 367 of the suspicious IP addresses are, or were, Tor exit nodes. And after this story was posted, I was alerted to an even better data set, assembled by the Tor Project’s CollecTor, that showed more Tor nodes: it turns out that 426 of the IP addresses in the Grizzly Steppe report are historical Tor nodes, so it’s actually 49% rather than 42%.
It’s plausible, and in my opinion likely, that hackers under orders from the Russian government were responsible for the DNC and Podesta hacks in order to influence the U.S. election in favor of Donald Trump. But the Grizzly Steppe report fails to adequately back up this claim. My research, for example, shows that much of the evidence presented is evidence of nothing at all.
If Vladimir Putin, the Russian leader, is truly responsible for manipulating the U.S. election, and if the Obama administration wishes to prove its case, it needs to publish actual smoking-gun proof, such as intercepted emails or phone calls from within the Kremlin, or more complete technical details that connect dots directly to the Russian government, rather than to a Tor node that thousands of people use.
Of course it’s unlikely the Obama administration will do this. But if you have access to any of this evidence, please share it with us using SecureDrop.
Update: January 5, 2017
This piece was updated with new information from CollecTor on the number of Tor nodes in the Grizzly Steppe report.