Hackers who breached a Russian intelligence contractor found that it had been trying to crack the Tor browser and been working on other secret projects, the BBC has learned.
Tor is an anonymous web browser, used by those wishing to access the dark web and avoid government surveillance.
It is very popular in Russia.
The hackers stole some 7.5 terabytes of data from SyTech, a contractor for Russia’s Federal Security Service FSB, and included details of its projects.
It is not clear how successful the attempt to crack the anonymous browser was, as the method relied heavily on luck to match Tor users to their activity.
Hackers from a group known as 0v1ru$ gained access to the company on 13 July, and replaced its internet homepage with a smug smiley face often used by internet trolls.
The information was shared with other hackers and journalists.
How did they plan to crack Tor?
To crack Tor, SyTech came up with Nautilus-S, which involved actively taking part in Tor and being part of the network.
When a user connects to Tor, internet service providers are able to see that Tor is being used. This data can be demanded by the FSB, and other state authorities in other countries.
However, the ISPs do not know what sites are being visited through the system – just that it is being used.
But the Tor network is run by volunteers and enthusiasts – and SyTech set up a “contribution” to the network known as an exit node – the last computer the signal passes through before reaching the website.
If a user, by chance, happens to exit the network through SyTech’s node, the contractor will know which website is being visited, but not who the visitor is.
There are two potential risks: combining the ISP data of who is using the network with which sites are visited at what times could, theoretically, help to identify someone – if they are lucky and the person randomly exits the network through their node.
But SyTech could also carry out a so-called “man in the middle” attack, and replace the webpage the user thought they were visiting with something else.
The system of attack is not unheard of – a 2014 research paper from Karlstad University academics highlighted the use of “malicious exit relays”.
But a spokesperson for the Tor project disputed how viable SyTech’s attempt to crack Tor would be.
“Although malicious exit nodes could see a fraction of the traffic exiting the network, by design, this would not be enough to deanonymise Tor users,” they said.
“Large-scale effective traffic correlation would take a much larger view of the network, and we don’t see that happening here.”
What were the other projects?
The attempt to crack the most widely-used anonymous browser was just one of the projects unveiled by the hack. Others included:
Nautilus: Another version of Nautilus, without the “-S”, was designed to collect information about social media users
Reward: An attempt to find a flaw in the BitTorrent person-to-person system used by millions to download and share illegal copies of movies, TV shows and games
Mentor: Designed to search email servers of major companies
Hope / Tax-3: Projects which deal with how Russia’s internet connects to and interacts with the outside network – and how to keep sensitive information safe
There were at least 20 “non-public” projects contained in the data from the hack, most of which were apparently commissioned by a military unit linked to the FSB.
Russia recently broke its record for connections to the Tor browser network, topping 600,000 users on 11 July.
BBC Russian reports (in Russian) that there had been just 300,000 users at the start of the year – but the record number has been broken five times since then.
The average number of daily users from Russia in the last three months has been more than 400,000.
Russian intelligence ‘targets Tor anonymous browser’