Re: [tor-relays] Grizzly Steppe

[Jim <jimmymac@xxxxxxxxxx>]

Dr Gerard Bulger wrote:
> I ran an exit node, but gave up after too many abuse reports that 
> annoyed my ISP.  So I turned al exit ports off, and reports stopped as a 
> rely.    After months and many terabytes of data I get an abuse 
> complaint that my tor IP has been used for espionage.
>
> “NCSC have been made aware of a report and associated malicious 
> indicators released by the United States Government relating to 
> malicious cyber activity. A copy if the report and indicators can be 
> found at the following link:-
> https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity 
>
> Details within this report indicate network assets which may have been 
> compromised or associated with malicious activity. We have identified 
> the following IP address from this report as x.x.x.x   As a minimum, it 
> is recommended that you check systems and any available logs concerned 
> with the above addresses for indications of malicious activity”
>
> There are no other details as to HOW my tor relay is being used.  The 
> espionage seems to relay on the stupidity of recipients on receiving 
> emails asking for passwords.  I am not sure HOW ISP or relay service can 
> stop that.  Or is it that my relay was being used to transfer the data?

Like Rana, I also wondered if perhaps this traces back to when you ran 
an exit node.  I haven't taken the time (and probably don't have the 
skill) to analyze what is in that report, but others have.  You might 
find Security Week's write-up helpful:

http://www.securityweek.com/us-attributes-election-hacks-russian-threat-groups

In particular:

   While some industry experts applauded the GRIZZLY STEPPE
   indicators provided by the U.S. Government, some experts urged
   caution for those quickly integrating them into their cyber
   defense measures.

   "Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many
   are VPS, TOR relays, proxies, etc. which will generate lots
   of false positives," Robert M. Lee, founder and CEO of Dragos
   Security and a former member of the intelligence community,
   Tweeted.

I suspect you are among the "lots of false positives".

> I assume my IP was found by way of a DNS leak which I need to look 
> into.   There is nothing else I can do as a relay to stop this or is there?

If this happened when you ran an exit node then you don't need to look 
for a DNS leak (I don't see how that would pertain to a relay, anyway) 
and you wouldn't need to worry about stopping it (you already have by 
not being an exit).

Of course, it is possible you node was actually compromised but I think 
Occam's razor argues against that.

Jim


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays