Malware planted on the servers of Freedom Hosting—the “hidden service” hosting provider on the Tor anonymized network brought down late last week—may have de-anonymized visitors to the sites running on that service. The script the malware injected into visitors’ browsers could send identifying information about them to an Internet Protocol (IP) address that was hard-coded into the script itself. And it appears the IP address in question belongs to the National Security Agency (NSA).
The exploit attacked a vulnerability in the Windows version of the Firefox Extended Support Release 17 browser—the one used previously in the Tor Project’s Tor Browser Bundle (TBB). That vulnerability had been patched by Mozilla in June, and the updated browser is now part of TBB. But the TBB configuration of Firefox doesn’t include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.
Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.
Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses allocated by SAIC to the NSA. This immediately spooked the researchers.
“One researcher contacted us and said, ‘Here’s the Robotex info. Forget that you heard it from me,’” said a member of Baneki who requested he not be identified.