Researchers who claimed they found a link between the Internet addresses used as part of malware that attacked Freedom Hosting’s “hidden service” websites last week and the National Security Agency (NSA) have backed off substantially from their original assertions.

After the findings were criticized by others who analyzed Domain Name System (DNS) and American Registry for Internet Numbers (ARIN) data associated with the addresses in question, Baneki Privacy Labs and Cryptocloud admitted that their analysis of the ownership of the IP addresses was flawed. However, they believe the data they used to connect the addresses to the NSA may have changed since their first observation. “We know that those ARIN records that appeared to show the torsploit IP addresses (65.222.202.53 and 65.222.202.54) as being directly allocated to [defense contractor] SAIC are inaccurate,” the researchers said in a joint post to Cryptocloud’s discussion forum. “Or, rather, the popular analytics resource domaintools.com uses an old (ca. 1993) method for interpolating individual IP ownership (‘assignment’ is a better term, really, but it’s a bit clunky). That old method, all evidence suggests, doesn’t give accurate information about the two torsploit IPs in question.” They added the qualification that “perhaps the SAIC connection was genuine and it’s been cleverly ‘scrubbed’ on the fly.

If so, we lack the analytic capabilities to ferret it out and it’ll have to be someone other than us to catch the snowflakes and, from them, reconstruct the storm.” As for the attribution of the IP address to the NSA, the researchers said that when they reviewed Robtex data on the address block early on August 5, they all reached the same conclusion. “All of us agreed…

The block of IPs covering 65.192.0.0/11 to 65.222.202.53 ‘rolled up’ directly to nsa.gov…

At least according to robtex.” That assessment isn’t supported by current data in Robtex.