Tor abused to mount APT attacks on European governments

News by Tim Ring

Tor provides anonymity, not security, given that exit nodes appear to have been used for Russia-based APT attacks.

A rogue node in the supposedly secure Tor network is being used to launch cyber-espionage attacks on European Governments using the notorious Russian ‘Duke’ malware, according to security firm F-Secure.

The ‘bad’ node, which is based in Russia, was first exposed two weeks ago by security researcher Josh Pitts from Leviathan Security Group, who found it injecting malware into any uncompressed Windows executable files passing through it.

Now, in a 14 November blog post, F-Secure has revealed that the node is specifically being used to plant a new variant of the MiniDuke advanced persistent threat (APT) malware which F-Secure has dubbed ‘OnionDuke’.

And OnionDuke has been used to mount targeted attacks on central European government agencies “within the sphere of Russian concerns”, said F-Secure security adviser Sean Sullivan in an email correspondence with

Previously, MiniDuke has been used in targeted attacks on NATO and European Government agencies. And in September, F-Secure reported that the CosmicDuke variant of the “Russian espionage malware” had been used in social engineering attacks on European oil companies, using the ‘lure’ of news about the Scottish independence vote.

But Sullivan said this week that while the linked ‘Duke’ attacks emanate from Russia, they are not definitely the work of the Russian Government.

He told “MiniDuke is thought to be linked to Russia's government, but there is no definitive proof.”

He added: “Earlier this year we were able to link CosmicDuke to MiniDuke - and now we have announced we are able to link OnionDuke to MiniDuke. They clearly share infrastructure and have technical features linking them to each other.”

In its blog, F-Secure said Pitts' original report “piqued our interest, so we decided to peer down the rabbit hole. Suffice to say, the hole was a lot deeper than we expected!”

The company found that OnionDuke's operators had been planting the malware since at least October 2013.

F-Secure said OnionDuke can download multiple malware components, including ones that steal login credentials and check for any antivirus software or a firewall. And one backdoor, OnionDuke.A, which contains a different hardcoded C&C domain, may abuse Twitter as an additional C&C channel.

Crucially, this backdoor allowed F-Secure to link the latest attack with MiniDuke, because both OnionDuke.A and some MiniDuke C&C were registered by the same person, ‘John Kasai’.

The company said the uses of OnionDuke, both to modify downloaded executables and to launch specific advanced attacks, “suggest two very different targeting strategies - a mass-infection strategy through modified binaries and the more surgical targeting traditionally associated with APT operations”.

F-Secure's discovery has heaped further doubt on the safety of using the Tor network.

In its blog, the company said: “While using Tor may help you stay anonymous, but at the same time it paints a huge target on your back. The problem with Tor is that you have no idea who is maintaining the exit node you are using and what their motives are.”

UK cyber-security expert Alan Woodward, an adviser to Europol and visiting professor at Surrey University's Computing Department, agreed.

He told “The problem with Tor is there are 5,000 or 6,000 nodes all staffed by volunteers. It's the problem of having a network run by people you don't know and who are anonymous by their very nature, and you don't know what their agenda might be.

“This attack might well be government sponsored but the point is it could be anybody. The big question someone should ask themselves is ‘Can I trust the Tor network?’ and the bottom line is ultimately ‘No’ because you don't know anything about it.

“The bottom line is if you don't know who's running your network then you can't trust them – but people do trust Tor.”

Woodward pointed out that some tech companies like Facebook are setting up services using Tor to reassure users of privacy but “what this shows is, are you any better off?”.

F-Secure's Sean Sullivan told SC: “Tor provides anonymity – not security. Plain text into Tor is plain text. Downloading executables anonymously doesn't make it secure. I still trust Tor to provide what it's supposed to provide: anonymity. Additional tools are required for enhanced security.”

* Security firm Kaspersky has suggested that the recent law enforcement shutdown of Silk Road 2.0 and other Tor-based sites allegedly used to peddle drugs may have been achieved by exploiting flaws in the individual sites themselves, rather than a more critical single flaw in Tor itself.

In a 13 November blog, Kaspersky says: “Anyone familiar with Dark Net websites knows how poorly coded many of these websites can be. There is absolutely no need to try to and look for vulnerabilities in Tor itself, it's much easier to find a misconfiguration of services or flaws in the web application.”

But Kaspersky cautions: “The possibility of having a serious security vulnerability in Tor itself should not be completely excluded.”
