FBI used Hacking Team services to unmask Tor user

The FBI only had an exit node IP address to work with, but could the Galileo tool be used to track down a Tor user?

screen-shot-2015-07-15-at-13-00-03.png
Hacking Team

The FBI communicated with Hacking Team over the possible use of surveillance tools to track down a Tor-using target, emails reveal.

As discovered by Hacker News, the cache of emails belonging to Hacker Team but now hosted on Wikileaks reveals a number of interesting conversations allegedly between the FBI and surveillance company.

Hacking Team is a company which specializes in providing surveillance tools to law enforcement, government agencies and intelligence services across the globe. The firm's dealings were blown apart this month when a as-of-yet unknown hacker -- or team -- broke into Hacking Team's servers and made off with 400GB in corporate data. Spanning from customer lists to exploits and emails, much of the firm's data is now firmly entrenched within the public domain.

While software providers work overtime to fix zero-day vulnerabilities exposed by the hack, leaked documents reveal that in September last year, an FBI agent asked the Milan-based firm if the latest version of its scout Remote Control System (RCS) -- otherwise known as Galileo -- could help the law enforcement agency track down a Tor user. The email reads:

"In version 8, one of your engineers told us that the scout can reveal the true IP address of target using Tor. Is that still true with the latest version? If not, can you please provide us a way to defeat Tor on the box? Thank you!"

The FBI agent went on to say they did not know "anything about the target" beyond his IP address, which came back as a Tor exit node. As he may be "using TBB or some other variant," -- the Tor Browser Bundle, a way to use Tor without installing the software -- the FBI agent mused over the need for a phishing email to be sent "with a document or pdf attachment to hopefully install the scout."

In response, a member of Hacking Team said once the scout was installed on the victim machine, if using TBB the FBI would be able to snag the target's true IP address. If not, "once the scout is installed [..] you can inspect from the device evidence the list of installed programs."

It is not known how that particular story ended, and whether the Tor user was eventually tracked down. However, according to another email, one Hacking Team member said the Galileo tool is seen as "nice to have" by the FBI. The email states:

"They confessed they were using it for low level types of investigations. For critical operations, they were using another platform. We need to come up with key features (TOR ? new TNI ? VPN ? less-click infection ?) in order to increase their « appetite » for Galileo."

The RCS system is currently being examined by Trend Micro researchers. The team revealed on Tuesday the use of a ‬Unified Extensible Firmware Interface (UEFI) BIOS rootkit to keep the scout from being detected and destroyed during hard drive wipes or full removal.

Read on: Top picks

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All