[tor-relays] Grizzly Steppe
Jim
jimmymac at copper.net
Mon Jan 2 09:51:42 UTC 2017
Dr Gerard Bulger wrote:
>
> I ran an exit node, but gave up after too many abuse reports that
> annoyed my ISP. So I turned all exit ports off, and reports stopped as a
> result. After months and many terabytes of data I get an abuse
> complaint that my tor IP has been used for espionage.
>
> “NCSC have been made aware of a report and associated malicious
> indicators released by the United States Government relating to
> malicious cyber activity. A copy of the report and indicators can be
> found at the following link:-
> https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
>
> Details within this report indicate network assets which may have been
> compromised or associated with malicious activity. We have identified
> the following IP address from this report as x.x.x.x As a minimum, it
> is recommended that you check systems and any available logs concerned
> with the above addresses for indications of malicious activity”
>
> There are no other details as to HOW my tor relay is being used. The
> espionage seems to rely on the stupidity of recipients on receiving
> emails asking for passwords. I am not sure HOW ISP or relay service can
> stop that. Or is it that my relay was being used to transfer the data?
Like Rana, I also wondered if perhaps this traces back to when you ran
an exit node. I haven't taken the time (and probably don't have the
skill) to analyze what is in that report, but others have. You might
find Security Week's write-up helpful:
http://www.securityweek.com/us-attributes-election-hacks-russian-threat-groups
In particular:
While some industry experts applauded the GRIZZLY STEPPE
indicators provided by the U.S. Government, some experts urged
caution for those quickly integrating them into their cyber
defense measures.
"Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many
are VPS, TOR relays, proxies, etc. which will generate lots
of false positives," Robert M. Lee, founder and CEO of Dragos
Security and a former member of the intelligence community,
Tweeted.
I suspect you are among the "lots of false positives".
> I assume my IP was found by way of a DNS leak which I need to look
> into. There is nothing else I can do as a relay to stop this or is there?
If this happened when you ran an exit node then you don't need to look
for a DNS leak (I don't see how that would pertain to a relay, anyway)
and you wouldn't need to worry about stopping it (you already have by
not being an exit).
Of course, it is possible your node was actually compromised but I think
Occam's razor argues against that.
Jim
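Lee's point about relay addresses inflating an indicator list can be turned into a triage step. The script below is an added example, not code from this thread or from the Tor Project; it assumes a relay snapshot and a flat IP indicator feed, both constructed here from RFC 5737 documentation addresses with hypothetical nicknames, and marks each indicator as an exit relay, a non-exit relay, an unmatched address, or a malformed line.

```python
"""Triage an indicator list against a snapshot of Tor relay addresses.

Added example, not from the tor-relays thread. The relay snapshot and the
indicator feed are constructed sample data; a real check would load the
current Tor consensus (or a dated exit list) and the indicators from the
report in question.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    ip: str
    nickname: str
    is_exit: bool  # relay currently permits exit traffic


# Constructed relay snapshot (documentation addresses, hypothetical names).
RELAY_SNAPSHOT = [
    Relay("192.0.2.10", "exitAlpha", True),
    Relay("198.51.100.7", "middleBeta", False),
    Relay("198.51.100.8", "guardGamma", False),
]

# Constructed indicator feed in the shape of a flat IP-address IoC list.
INDICATOR_FEED = [
    "192.0.2.10",      # matches an exit relay
    "198.51.100.7",    # matches a non-exit relay
    "203.0.113.5",     # not a relay at all
    "203.0.113.5",     # duplicate entry, common in pasted reports
    "not-an-address",  # malformed line
]


def classify(indicator: str, relays_by_ip: dict[str, Relay]) -> tuple[str, str | None]:
    """Return (classification, relay nickname or None) for one indicator."""
    try:
        ip = str(ipaddress.ip_address(indicator.strip()))
    except ValueError:
        return ("malformed", None)
    relay = relays_by_ip.get(ip)
    if relay is None:
        return ("no-relay-match", None)
    if relay.is_exit:
        # An exit relay hands client traffic to the open Internet, so its
        # address is what a remote victim logs: a likely false positive.
        return ("tor-exit", relay.nickname)
    # A non-exit relay only talks Tor protocol to clients and other relays;
    # it cannot be the visible source of phishing mail or web requests.
    return ("tor-non-exit", relay.nickname)


def triage(indicators: list[str], relays: list[Relay]) -> dict[str, tuple[str, str | None]]:
    """Classify each distinct indicator; duplicate lines collapse to one entry."""
    by_ip = {r.ip: r for r in relays}
    return {ind: classify(ind, by_ip) for ind in dict.fromkeys(indicators)}


def counts(result: dict[str, tuple[str, str | None]]) -> Counter:
    """Tally classifications so the false-positive share is visible at a glance."""
    return Counter(cls for cls, _ in result.values())


if __name__ == "__main__":
    result = triage(INDICATOR_FEED, RELAY_SNAPSHOT)
    for ind, (cls, nick) in result.items():
        print(f"{ind:18} {cls:16} {nick or ''}")
    print(dict(counts(result)))
```

A match on a non-exit relay is the interesting case for Gerard's situation: since such a relay never originates connections to non-Tor hosts, the hit is either stale (from the period the node still exited) or a plain false positive. A snapshot of today's consensus cannot tell those apart, so for a dated complaint the check should be run against relay data for the date in the report; the Tor Project's ExoneraTor service answers exactly that "was this IP a relay on this date" question.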