Who hacked a cluster of Tor servers in the Netherlands?

Pierluigi Paganini December 24, 2014

A cluster of Tor servers in the Netherlands suffered an unexplained outage shortly after the Tor Project's warning. The only certainty is that someone physically accessed the servers.

The Tor Project recently warned of a possible attack against the Tor network through the seizure of its directory authorities, which could “incapacitate” the overall architecture.

The Tor Project explained that the network relies on nine directory authorities, whose information is hard-coded into Tor clients, located across Europe and the United States. The directory authority servers provide a signed list of all the relays in the Tor network.

“The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities,” Tor Project leader Roger Dingledine explained in a blog post.

“We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use,” he added. “We hope that this attack doesn’t occur; Tor is used by many good people.”

The stability of the overall Tor network depends on the directory authorities (DAs): at least 5-6 of the nine DAs must be operational to keep the network updated and running. If 5 or more directory authority servers are taken down, the Tor network becomes unstable and the integrity of any updates to the consensus cannot be guaranteed.

An attack against the directory authorities could be conducted by law enforcement or intelligence agencies to sabotage the Tor network, but it would not be effective at de-anonymizing Tor users.

Thomas White (@CthulhuSec), the operator of a large cluster of Tor servers in the Netherlands, warned of suspicious activity overnight on the servers. According to White, he lost control of the servers, which are hosted in a data center in Rotterdam.


White confirmed that someone physically accessed the servers, and he was convinced that law enforcement had blocked the machines following a search. According to White, the logs suggest that a keyboard-video-mouse (KVM) switch may have been connected to the servers.

“I have now lost control of all servers under the ISP and my account has been suspended,” White wrote on Sunday in an update on the Tor mailing list. “Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.”
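As an added defender-side example (not part of the original article or of White's own tooling), the code below correlates out-of-band sensor events of the kind described above: a chassis-intrusion assert followed by a USB insertion and then loss of connectivity within a short window. The log format, hostnames and field names are constructed for illustration, loosely modelled on a BMC system event log plus a connectivity probe.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real data), loosely modelled on a BMC event log:
# relay-07 shows chassis opened -> USB inserted -> link lost 45 s later.
SAMPLE_LOG = """\
2014-12-21T03:14:02Z relay-07 sel Chassis Intrusion | Physical Security | Asserted
2014-12-21T03:14:21Z relay-07 sel USB Device Inserted | Port 2 | Asserted
2014-12-21T03:14:47Z relay-07 probe Connection lost to management interface
2014-12-21T03:20:00Z relay-09 sel Fan Redundancy | Lost | Asserted
2014-12-21T04:00:00Z relay-09 sel USB Device Inserted | Port 1 | Asserted
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")  # timestamp host source message
INDICATORS = {"Chassis Intrusion": "chassis_open",   # message substring -> indicator
              "USB Device Inserted": "usb_inserted",
              "Connection lost": "link_lost"}

def parse_events(text):
    """Return (timestamp, host, indicator) tuples for the lines that matter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        kind = next((v for k, v in INDICATORS.items() if k in m.group(4)), None)
        if kind:
            events.append((ts, m.group(2), kind))
    return events

def find_physical_access(events, window_seconds=120):
    """One alert per host whose chassis-intrusion event is followed, within the
    window, by a USB insertion and then a loss of connectivity, in that order."""
    alerts, by_host = [], {}
    for ts, host, kind in sorted(events):
        by_host.setdefault(host, []).append((ts, kind))
    for host, seq in by_host.items():
        for i, (t0, kind) in enumerate(seq):
            if kind != "chassis_open":
                continue
            later = [e for e in seq[i + 1:] if e[0] - t0 <= timedelta(seconds=window_seconds)]
            usb = next((t for t, k in later if k == "usb_inserted"), None)
            lost = next((t for t, k in later if k == "link_lost"), None)
            if usb and lost and usb <= lost:
                alerts.append({"host": host, "chassis_open": t0, "usb_inserted": usb,
                               "link_lost": lost,
                               "seconds_to_loss": int((lost - t0).total_seconds())})
                break  # one alert per host is enough
    return alerts
```

A USB insertion on its own (relay-09 in the sample) does not raise an alert; the point is the ordered sequence ending in a lost link, which is what distinguishes a seizure-style event from routine maintenance.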

White also warned Tor users not to use the mirrors he operated, which hosted copies of the Tor Project’s Globe and Atlas sites and provide information on Tor network relays and bridges.

“Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances,” White explained. “If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile.”

White asked users to temporarily avoid his mirrors, listing the Globe, Atlas, Compass and Onionoo clearnet and .onion addresses along with the servers’ IP addresses.


But on December 22 the picture changed: White expressed doubt about the law enforcement involvement he had previously assumed and sought to reassure Tor users about the safety of the network.

“The likelihood of this being the work of law enforcement seems to be lower than originally anticipated,” he wrote. “This is good in many ways but asks more questions than it solves right now. I am not going to completely exclude the possibility of law enforcement involvement though as there simply isn’t enough information. The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.”

A support representative of the ISP confirmed that there had been unauthorized access to White’s account. White received conflicting information from the ISP, although the servers have now been restored and were not seized.

“There has been unauthorized access to my account,” he said. “This could be due to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.”

A plausible hypothesis is that law enforcement was trying to collect information on the infrastructure of the Tor network. In an e-mail exchange with Ars, White said, “Right now the whole issue has been blown out of proportion by people

At the time of writing, White confirmed that he has moved the hidden services he hosted for others on another server in the data center to a new location.

Pierluigi Paganini

(Security Affairs – Tor network, hacking)

