U.S. Government Misrepresents IP Addresses Used by Thousands as Belonging to Russian Hackers

Investigative journalist for the Intercept Micah Lee found that nearly half of the IP addresses cited in the FBI and Department of Homeland Security’s public report arguing that Russians hacked the 2016 election were “Tor exit nodes”—servers that let anyone “bypass internet censorship, evade internet surveillance, and access websites anonymously.”

“… this means that anyone in the world — not just Russian hackers — can use the internet from those IP addresses,” Lee explained.

Lee conducted his investigation after discovering that IP addresses named in the government report showed up as attributed to visitors to his blog.

I found out, after some digging, that of the 876 suspicious IP addresses that the Department of Homeland Security and the Department of National Intelligence put on the Russian cyber attacker list, at least 367 of them (roughly 42%) are either Tor exit nodes right now, or were Tor exit nodes in the last few years. I have a lot of regular readers who are Tor users, and I’m pretty sure they’re not all Russian hackers. So the quick answer to the mystery of my website apparently being attacked by nefarious IP addresses listed in the U.S. report is that the Russians, along with many thousands of others, just happened to use the Tor IP addresses that my regular readers used (and still use). …

Tor is a decentralized network of servers, called nodes, that help people bypass internet censorship, evade internet surveillance, and access websites anonymously. Today, there are over 7000 nodes in the Tor network (about 1000 of those are “exit nodes”), distributed geographically around the world, and run by volunteers (I run a few myself). Tor Browser is a web browser, like Chrome or Firefox, but all of its internet traffic goes over the Tor network. If you type in the URL https://www.fbi.gov in your normal web browser, the IP address of your current internet connection will end up in the FBI’s web server logs. But if you type that URL into Tor Browser, an encrypted copy of your web request will bounce around the world through multiple Tor nodes before finally exiting the Tor network, and the IP address of a Tor exit node will end up in the FBI’s logs, rather than the network you’re currently connected to.

Since nearly half of the IP addresses in the Grizzly Steppe report are actually just Tor exit nodes, this means that anyone in the world — not just Russian hackers — can use the internet from those IP addresses. In fact, if you open Tor Browser and visit a website right now, there’s a pretty decent chance that you’ll be using the internet from one of those suspicious IP addresses.

It’s plausible that Russian hackers use Tor to hide their real IP addresses when they do attacks, and this is likely why these IP addresses ended up in the Grizzly Steppe report. But finding these IPs in your web server logs (like I did for my website) does not mean that the Russians are attacking you. Tor has over 1.5 million daily users around the world — about a third of a million of them are in the United States. If you see a Tor IP address in your logs, you know that a Tor user visited your website, and that’s it.

“If Vladimir Putin, the Russian leader, is truly responsible for manipulating the U.S. election, and if the Obama administration wishes to prove its case,” Lee adds, “it needs to publish actual smoking-gun proof, such as intercepted emails or phone calls from within the Kremlin, or more complete technical details that connect dots directly to the Russian government, rather than to a Tor node that thousands of people use.”

Read more here.

—Posted by Alexander Reed Kelly

Related Entries

• January 5, 2017 How George W. Bush Dissed the U.S. Intelligence Community
• December 30, 2016 Experts Aren’t Convinced by FBI and Homeland Security Report on Alleged Russian Hacking