Others say the IP address data has been misinterpreted

Aug 6, 2013 08:07 GMT

We’ve recently learned that the takedown of the hidden service hosting provider Freedom Hosting – known for offering its services to several criminal websites such as Silk Road – coincided with a Tor malware attack designed to harvest the IP addresses of individuals who visited certain sites via the Tor Network.

Some believe the FBI is behind the operation, but researchers claim the malware actually communicates with some IP addresses of the National Security Agency (NSA).

According to security researchers from Baneki Privacy Labs and Cryptocloud, an IP address found in the JavaScript exploit used in the Firefox 17 attack has been traced back to SAIC, a US defense contractor.

The experts believe that the IP address in question is part of an IP address block allocated by SAIC to the NSA.

The conclusion relies on data from domain name research service DomainTools and Robtex, the Swiss army knife Internet tool.

However, others question the accuracy of these reports. Conrad Longmore of Dynamoo’s Blog says DomainTools is misinterpreting the data. Longmore also believes the Robtex data is inconclusive.

“It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range,” Longmore noted.

Baneki representatives have told Ars Technica that they’re “open to firsthand experts correcting if, indeed, a correction would be required.”

“We've seen many cases of geo info in ARIN inaccurate, but NEVER a case where IP ownership info is 'outdated,' ever. Again, however, we defer to credentialed subject matter experts as the final arbiters on what the IP data signify,” Baneki stated.

“We'll be surprised if in the end, it's somehow an 'error' and NSA/SAIC has no connection whatsoever; however, facts are stubborn things & we go with the facts.”