The administrator of the popular Darknet email service, SIGAINT, is warning its users that the email service has become a target of a suspected law enforcement agency who tried to compromise it.
About a week ago, SIGAINT has been targeted by an attacker who tried to hack the service by using nearly 70 bad Tor exit nodes, one of the service's administrator informed its users via the tor-talk mailing list on Thursday.
Before jumping on the news, Let’s first understand what are Exit Nodes?
As I said, SIGAINT uses TOR anonymization network which means when an email sent from one user to any destination, the email routed through multiple relays/nodes that actually aren't aware of the sender's identity.
The last machine that processes the email known as a Tor exit relay or Tor exit node.
The end user who receives that email can see the IP of the exit node instead of the IP address of the original sender.
And this is how, SIGAINT allows you to send and receive emails without revealing your actual identity or location.
Though exit relays are the last "hops" in the Tor network and are the only IP addresses appear as the origin of the connection, they pull the attention of the government and the law enforcement agencies.
Is Law Enforcement interested in Spying SIGAINT Services?
SIGAINT is an email service that resides mostly in TOR anonymization network. The service aims at providing email privacy to dark web users including security-conscious journalists, rebels living in repressive regimes and even criminals.
SIGAINT email service may be one of those Tor anonymizing services to become a recent target of a suspected intelligence service attack.
70 Malicious Tor Exit Nodes Found
One of the administrators of the services announced Thursday that SIGAINT became the target of a cyber attack. Initially, it was believed that someone tried to hack the service using 58 malicious Tor exit nodes. However…
...Philipp Winter, who is the member of the Tor Project, discovered 12 more bad exit nodes, resulting in a total of 70 malicious exit relays.
"So apparently we have drawn attention to our humble little email service that mostly lives inside of the Tor network," the admin wrote in a mailing list post. "The attacker had been trying various exploits against our infrastructure over the past few months."
All bad relays have been blacklisted by the admins and at the moment they no longer represent a risk.
Although the SIGAINT admin believes that there may be even more bad exit nodes targeting Tor services.
MITM attacks on SIGAINT users:
Basically, the attackers were acting as a "man in the middle" (MITM) when SIGAINT users connected to the sigaint.org site through one of the 70 bad exit nodes, allowing them to spy on SIGAINT users.
SIGAINT admin also believes that the infrastructure of the service has not been affected. However, some users’ passwords may have been compromised.
"We are confident that they didn't get in," the advisory states. "It looks like they resorted to rewriting the .onion URL located on sigaint.org to one of theirs so they could MITM [man-in-the-middle] logins and spy in real-time."
It isn’t clear how many SIGAINT users targeted in the attack, but the admin said the attacker seems to collect users' passwords, as they get complaints about hijacked accounts which is less than one for 42,000 users every 3 months.
Now What SIGAINT is going to do?
According to the admin, SIGAINT is considering to turn encryption on or removing the .onion URLfrom the sigaint.org page.
Although adding SSL support to the regular website would not help too much, it would make it difficult for attackers to run an attack.
What could you do to protect against the attack?
There is no way for users to be complete safer. However, all the users who visited the Sigaint.org website to search the dark web links are advice to change their passwords as soon as possible.
Who is behind the attack?
The SIGAINT admin thinks that "some agency" was likely behind the recent attack, given the number of malicious nodes the attackers were using and other strange circumstances.
Taking to Motherboard, the SIGAINT administrator said the strange circumstances were that for almost a month prior to the attack, they did not receive any law enforcement requests though they normally receive around one a week.
However, Who was behind this attack remains a mystery yet.