French Police Seized Tor Relays in WannaCry Investigation

On March 17, news outlets reported the sudden absence of several French Tor relays. Further data revealed that law enforcement agencies in France seized the the relays in connection with the investigation into WannaCrypt. WannaCrypt, the ransomware that struck “more than 200,000 devices worldwide,” used Tor to connect to a C2 server.

The Central Office for Combating Crime Related to Information and Communication Technologies (OCLCTIC) took down at least three servers, one French news report explained. According to another source, the nodes taken down were Tor entry guard nodes. Tor guard nodes, or entry nodes with the guard flag, are basically a relay that the Tor network trusts more so than other nodes.

As listed on the Tor blog, the requirements for a guard node are not particularly overwhelming:

1. The relay needs to have first appeared longer ago than 12.5% of the relays, or 8 days ago, whichever is shorter.
2. The relay needs to advertise at least the median bandwidth in the network, or 250KB/s, whichever is smaller.
3. The relay needs to have at least the median weighted-fractional-uptime of relays in the network, or 98% WFU, whichever is smaller. (For WFU, the clock starts ticking when we first hear about the relay; we track the percentage of that time the relay has been up, discounting values by 95% every 12 hours.)

But the relays are essential for Tor operation and usability. And, one can assume that while accessing the C2 server, WannaCrypt passed through more than three guard nodes.

One user wrote the following on the Tor relays mailing list:

“Dear Tor Project,

Currently, my server hosting kitten1 and kitten2 (tor guard and fallback
directory) is under seizure since 14/05 11h.
Private key are under encrypted volume and may be protected, but please revoke
immediatly kitten1 kitten2 tor node.
Those nodes are also fallback directory.

Regards,
—
Aeris”

The user explained what he knew and what he could speak about. Aeris said that WannaCrypt infected a French company on May 12. The infected systems reached out to the C2 via .onion addresses, inevitably passing through Tor nodes. And “possibly bridges, directory authorities and fallback directories can be affected too, or any Tor nodes which can be joined directly by standard Tor client,” Aeris explained.

Then, come May 13 and 14, police seized Aeris’s servers. The system admin of the infected company reported all of traffic as malicious and reported the destination IPs to the authorities. And the rest of that situation is self explanatory. In many countries and states, the police understand the basics of Tor nodes, even Tor exit nodes. Meaning: normally they know that the network activity may have no relation to the actual nice operator. Apparently not in this case.

And similarly, they usually know that the logs kept by these relays reveal nothing more than uptime and downtime resisted information. Any evidence regarding WannaCrypt, unless Aeris hid something on those encrypted discs, is not likely to show up on the seized servers. However, as the Tor blog reveals, some officers know how to identify a node operator but still at as if the operator is at fault.

“One regional Dutch police woman told us that they know how to check if it’s a Tor exit IP, but sometimes they do the raid anyway ‘to discourage people from helping Tor,’” Roger Dingledine wrote following a trip to educate Dutch police.

The Paris Public Prosecutor’s Office did not respond to golem.de’s request for comment.