Re: [tor-relays] Grizzly Steppe - tor-relays

2 Jan 2017

      By the way Jerry Gamblin checked the list against the tor exit nodes and found 191 that have been used in this hacking...
There you can find his thread with the whole listing..
https://twitter.com/JGamblin/status/814627227656683521
Regards 
0x23
Am 2. Januar 2017 09:39:50 MEZ schrieb tor-relays-request@lists.torproject.org:
...
Send tor-relays mailing list submissions to
   tor-relays@lists.torproject.org
To subscribe or unsubscribe via the World Wide Web, visit
   https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
or, via email, send a message with subject or body 'help' to
   tor-relays-request@lists.torproject.org
You can reach the person managing the list at
   tor-relays-owner@lists.torproject.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of tor-relays digest..."
Today's Topics:

Re: Grizzly Steppe (Rana)

Message: 1
Date: Mon, 2 Jan 2017 10:39:40 +0200
From: "Rana" ranaventures@gmail.com
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Grizzly Steppe
Message-ID: 03ed01d264d3$c4700b40$4d5021c0$@gmail.com
Content-Type: text/plain; charset="utf-8"
My bet is that the recorded IP address dates back to the days when your
node
was an exit. Naturally the Russian hackers have used Tor, probably in
tandem
with a VPN - it would have been stupid of them not to, and stupid they
are
not.
And you are right - now the US government will blame Tor exit operators
for
the sheer stupidity of email operators in political shops such as DNC
that
do not force their users to encrypt email end to end. PGP is too much
trouble for them.
If I am right there is nothing you can do now, you have already closed
the
exit. If they pressure you, migrate your relay to another IP.
Rana
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On
Behalf
Of Dr Gerard Bulger
Sent: Monday, January 02, 2017 10:15 AM
To: tor-relays@lists.torproject.org
Subject: [tor-relays] Grizzly Steppe
I ran an exit node, but gave up after too many abuse reports that
annoyed my
ISP.  So I turned al exit ports off, and reports stopped as a rely.   
After
months and many terabytes of data I get an abuse complaint that my tor
IP
has been used for espionage.
"NCSC have been made aware of a report and associated malicious
indicators
released by the United States Government relating to malicious cyber
activity. A copy if the report and indicators can be found at the
following
link:-
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicio
us-Cyber-Activity
Details within this report indicate network assets which may have been
compromised or associated with malicious activity. We have identified
the
following IP address from this report as x.x.x.x   As a minimum, it is
recommended that you check systems and any available logs concerned
with the
above addresses for indications of malicious activity"
There are no other details as to HOW my tor relay is being used.  The
espionage seems to relay on the stupidity of recipients on receiving
emails
asking for passwords.  I am not sure HOW ISP or relay service can stop
that.
Or is it that my relay was being used to transfer the data?
I assume my IP was found by way of a DNS leak which I need to look
into.
There is nothing else I can do as a relay to stop this or is there?
Gerry