Two Tor Relays were seized by the French Police under WannaCry Investigation

The incident was reported by Aeris on the Tor Project mailing list last month, on May 15, where he asked fellow operators to whitelist two of his relays, which were also Tor entry guard nodes, special servers trusted by Tor clients as the first hop when connecting to the Tor network.

Big French company got infected, filed complaint

The activist said police seized his servers because a big French company was infected with WannaCry two days earlier, on May 12. The company logged all outgoing traffic during the attacks and provided the data to Law Enforcement Agencies.

WannaCry communicates with command-and-control servers hosted on the Dark Web, on a .onion address. Aeris suspects his servers were used as first hops in this connection, which is why police seized his machines, hosted with French hosting provider Online SAS.

Most Tor servers are configured to log very few details, such as uptime and status metrics, so as to safeguard the privacy of their users. Unless Aeris made customizations to the default configs, French police have no chance of finding any useful information on the seized servers or in the data acquired from them.

Tens of Tor servers disappeared on the same weekend

In the media storm caused by the wave of WannaCry attacks, these small incidents went unreported outside of French media. Aeris also posted about the seizure of his servers on Twitter.

The investigation is led by France’s cyber-crime investigation unit OCLCTIC (L’Office Central de Lutte Contre la Criminalité liée aux Technologies de l’Information et de la Communication).

The activists pointed out that tens of other Tor nodes in France disappeared over the same weekend. In a private conversation with Bleeping Computer, the activists shared a list of 30 servers they are currently investigating regarding these mysterious disappearances.

It is unclear how many of these are related to the WannaCry attacks. Overall, there is very little information about these incidents at the moment, as investigators have barred the parties involved from sharing any details.

"There is currently a gag order around this," said Aeris. "My provider refuses to communicate data about the seizure."
