Nearly half of the IP addresses that the U.S. government has said are associated with Russian hacking efforts can be used by anyone.
The Department of Homeland Security and the Federal Bureau of Investigation released a report last week to help network and website administrators identify and prevent possible intrusions led by the Russian government. This report, “Grizzly Steppe,” included 876 IPs that the government has associated with Russian hackers. An IP address is a set of digits that identifies an internet user or network.
The Intercept’s Micah Lee reports that 367 of the 876 IPs, 42 percent, are Tor exit nodes. Tor Browser is software that anyone can download, and it in part hides a user’s identity by routing the connection through different Tor nodes. So while alleged Russian hackers might have been using Tor for their efforts, almost half of the identified IPs associated with Russian hacking could be just a normal internet user.
The Intercept report conflicts with a recent analysis from the CEO of WordFence, who wrote, “Out of the 876 IP addresses that DHS provided, 134 or about 15% are Tor exit nodes, based on a reverse DNS lookup that we did on each IP address.” The difference is likely because Lee “used the Internet Archive’s Way Back Machine to download each historical list of Tor exit nodes available, beginning in September 2014.”
Lee wrote that on his own website he found an IP address that was associated with Russian hacking and that was a Tor exit node. It included a data request, which Lee said he recognized because he was the “one who made it, using Tor.”
“But, according to the Grizzly Steppe report, if I find this IP address in my logs, that’s evidence that I’m a target for Russian cyber attacks. Does this mean that I’m an elite Russian hacker and I just didn’t realize it?” Lee wrote.
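The historical exit-list comparison and the log check described above can be sketched as follows. This is an added example, not code from The Intercept, WordFence or the report; the IPs (RFC 5737 documentation ranges), snapshot contents and function names are constructed for illustration, and it compares historical snapshots with a single latest snapshot rather than reproducing the reverse DNS method.

```python
from bisect import bisect_right
from datetime import date
from ipaddress import ip_address

# Constructed sample data (RFC 5737 documentation ranges), not values from the report.
INDICATORS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"]
EXIT_SNAPSHOTS = {  # snapshot date -> IPs listed as Tor exits on that date
    date(2014, 9, 1): {"192.0.2.10", "198.51.100.200"},
    date(2015, 6, 1): {"192.0.2.10", "198.51.100.7"},
    date(2016, 12, 29): {"198.51.100.7"},
}

def norm(ip):
    """Validate and canonicalise an address so string comparison is reliable."""
    return str(ip_address(ip.strip()))

def ever_exit(indicators, snapshots):
    """Indicators that appear in any historical exit snapshot."""
    seen = set().union(*snapshots.values())
    return {norm(ip) for ip in indicators} & {norm(ip) for ip in seen}

def exit_at(ip, day, snapshots):
    """Was ip a listed exit in the latest snapshot taken on or before day?"""
    days = sorted(snapshots)
    i = bisect_right(days, day)
    return i > 0 and norm(ip) in snapshots[days[i - 1]]

def triage(log_hits, indicators, snapshots):
    """Label each (day, ip) log hit that matches an indicator."""
    wanted = {norm(ip) for ip in indicators}
    out = []
    for day, ip in log_hits:
        if norm(ip) not in wanted:
            continue  # not on the indicator list at all
        shared = exit_at(ip, day, snapshots)
        out.append((day, norm(ip), "tor-exit-at-time" if shared else "indicator-match"))
    return out

if __name__ == "__main__":
    hits = [(date(2015, 7, 4), "192.0.2.10"), (date(2016, 12, 30), "192.0.2.10"),
            (date(2016, 1, 1), "203.0.113.5"), (date(2016, 1, 1), "192.0.2.77")]
    latest = EXIT_SNAPSHOTS[max(EXIT_SNAPSHOTS)]
    print("ever an exit:", sorted(ever_exit(INDICATORS, EXIT_SNAPSHOTS)))
    print("exit in latest snapshot only:", sorted(set(INDICATORS) & latest))
    for row in triage(hits, INDICATORS, EXIT_SNAPSHOTS):
        print(*row)
```

A hit labelled `tor-exit-at-time` came from an address shared by every Tor user at that moment, so it says little about who made the request.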