A Primer on Wikileaks Espionage on Tor Exit Nodes

Note* Anon walks us through the bluster, and demonstrates just how Assange and Wikileaks compromised the TOR network. (AT)

In 2007, Dan Egerstad, Swedish security researcher, exposed how the
Tor network could easily be used for intelligence gathering: [1]

“Dan Egerstad is a Swedish security researcher; he ran five Tor
nodes. Last month, he posted a list of 100 e-mail credentials —
server IP addresses, e-mail accounts and the corresponding
passwords — for embassies and government ministries around the
globe, all obtained by sniffing exit traffic for usernames and
passwords of e-mail servers.”

Note that this was not a case of embassy staff using Tor to access
their own email accounts, which is absurd. This was a case of
blackhat hackers (or intelligence) using Tor to anonymously access
the compromised accounts. In fact, Egerstad states that the Iranian
government contacted him to thank him for having uncovered the
otherwise unknown compromise.

Also in 2007, a group of Canadian security researchers uncovered
‘GhostNet,’ a vast spy network targeting Taiwanese, Vietnamese, and
American political figures, among others — including most notably
the Dalai Lama: [2][3]

“A vast electronic spying operation has infiltrated computers and
has stolen documents from hundreds of government and private
offices around the world, including those of the Dalai Lama,
Canadian researchers have concluded.”

China is strongly suspected of being behind GhostNet. [4] It’s
important to note the method by which the researchers were able to
uncover GhostNet: by monitoring the traffic of networks where data
was being exfiltrated — an unprecedented “electronic spy game.”
The researchers have not publicly stated which networks were being
monitored, but Egerstad and Kim Zetter of Wired magazine both
conclude that it was most likely Tor. [5]

In both these cases — that of lone researcher Egerstad, and that of
the University of Toronto research group — information was being
exfiltrated from compromised networks by hackers. The exfiltration
was then uncovered via network monitoring, aka ‘sniffing.’ In other
words, whitehat spies spied on blackhat spies.

In fact, Tor was admittedly designed for intelligence gathering
purposes by the Information Technology Division of the Naval
Research Laboratory of the United States Navy: [6]

“The purpose was for DoD / Intelligence usage (open source
intelligence gathering, covering of forward deployed assets,

But what does all this have to do with Wikileaks?

In January 2007, in a message sent to the then-secret Wikileaks
internal mailing list, Assange stated: [7]

“Hackers monitor chinese and other intel as they burrow into their
targets, when they pull, so do we. […] We have all of pre 2005
afghanistan. Almost all of india fed. Half a dozen foreign
ministries. […] We’re drowning. We don’t even know a tenth of
what we have or who it belongs to. We stopped storing it at 1Tb.”

What does “pull” mean, exactly? Who are these Chinese intelligence
sources, and how are “hackers” monitoring them? And what does
Assange mean by “when they pull, so do we?”

Given the trend documented above — i.e. whitehat spies spying on
blackhat spies — it is clear that “pull” refers to (Chinese)
blackhat exfiltration of data from compromised networks; and the
“so do we” refers to Wikileaks monitoring those exfiltration paths
(likely the Tor network) for any passing documents. In other words,
it could be construed that Wikileaks’ initial trove of documents was
not obtained from whistleblowers, but from spying on spies who were
using the Tor network to stay anonymous. This accusation has, indeed,
been leveled against the organization. [8] But is this really the
correct conclusion? Could it be a misunderstanding?

Consider the June 2010 profile on Assange and Wikileaks in The New
Yorker by Raffi Khatchadourian: [9]

“Before launching the site, Assange needed to show potential
contributors that it was viable. One of the WikiLeaks activists
owned a server that was being used as a node for the Tor network.
Millions of secret transmissions passed through it. The activist
noticed that hackers from China were using the network to gather
foreign governments’ information, and began to record this
traffic. Only a small fraction has ever been posted on WikiLeaks,
but the initial tranche served as the site’s foundation, and
Assange was able to say, ‘We have received over one million
documents from thirteen countries.’ ”

This seems to corroborate the statement by Assange on the Wikileaks
mailing list in 2007. However, could it have been a misquote? In June
2010, John Leyden of The Register begged Assange to clarify. [10]
Assange did not deny the statement he made to the Wikileaks mailing
list in 2007, nor the facts in The New Yorker article, only calling
the latter “misleading:”

“The imputation is incorrect. The facts concern a 2006
investigation into Chinese espionage one of our contacts were
involved in. Somewhere between none and handful of those
documents were ever released on WikiLeaks.”

That is, Assange admits that a “handful” of documents obtained by
sniffing the Tor network were published by Wikileaks. What Assange
labels misleading is not the fact that Wikileaks published material
sniffed from the Tor network, but the implication that Wikileaks was
directly involved in the espionage.

In sum, we have three distinct instances where Assange himself admits
that material obtained via espionage (sniffing the Tor network) was
published to Wikileaks. When pressed further, Assange replies —
“Get a life.” [11] — brushing aside the fact that the vast
majority of people, including his supporters, see serious ethical
issues in this type of behaviour. [12] In January 2011, an American
private security firm, Tiversa, stated that it had evidence that
Wikileaks had published sensitive documents obtained via espionage
on peer-to-peer networks. [13] The accusation is not new, nor unique.

Unfortunately, from all evidence, it seems espionage is the modus
operandi for Wikileaks.

[1] http://www.schneier.com/blog/archives/2 … d_t_1.html
[2] http://www.nytimes.com/2009/03/29/technology/29spy.html
[3] http://www.f-secure.com/weblog/archives/00001637.html
[4] http://news.bbc.co.uk/2/hi/7970471.stm
[5] http://www.wired.com/threatlevel/2009/0 … stem-focu/
[6] http://cryptome.org/0003/tor-spy.htm
[7] http://cryptome.org/wikileaks/wikileaks-leak2.htm
[8] http://www.wired.com/threatlevel/2010/0 … documents/
[9] http://www.newyorker.com/reporting/2010 … ntPage=all
[10] http://www.theregister.co.uk/2010/06/02 … ng_denial/
[11] http://motherjones.com/mojo/2010/06/wik … new-yorker
[12] http://ryansholin.com/2010/05/31/wikile … al-system/
[13] http://www.bloomberg.com/news/2011-01-2 … -data.html