| Previous revision | Current revision |
| cluster_17 [15/12/2025 16:24] – [Hop-By-Hop Analysis] daniel | cluster_17 [15/12/2025 17:26] (current) – [Background] daniel |
|---|
| ====== Supertraceroute Analysis of Proton VPN Traffic Demonstrating Redirection to a SIGINT Facility in the United Kingdom ====== | ====== VPN Exploited ====== |
| |
| Lyrebird is a pluggable transport maintained by the Tor Project that helps users evade censorship and traffic fingerprinting by disguising Tor traffic as ordinary-looking network activity. Pluggable transports are modular adapters that sit between the Tor client and a bridge and reshape Tor's distinctive TLS traffic into a form that censorship systems do not recognise as Tor. Lyrebird is a single binary that bundles several such transports: obfs4, whose output is designed to be indistinguishable from random bytes, and HTTPS-based transports such as meek_lite and WebTunnel, which carry Tor traffic inside ordinary-looking HTTPS exchanges, all with low latency and connecting only to Tor bridges. Its purpose is not to replace Tor's own encryption but to hide the fact that Tor is in use, so that users in restrictive environments can reach the network without triggering network-level filtering or surveillance systems. The remote endpoint a Lyrebird process connects to is the bridge address handed to it by the Tor client (a Bridge line in torrc or Tor Browser's bridge settings), so the destination seen in a packet capture is wherever that configured bridge is hosted. | Lyrebird is a pluggable transport maintained by the Tor Project that helps users evade censorship and traffic fingerprinting by disguising Tor traffic as ordinary-looking network activity. Pluggable transports are modular adapters that sit between the Tor client and a bridge and reshape Tor's distinctive TLS traffic into a form that censorship systems do not recognise as Tor. Lyrebird is a single binary that bundles several such transports: obfs4, whose output is designed to be indistinguishable from random bytes, and HTTPS-based transports such as meek_lite and WebTunnel, which carry Tor traffic inside ordinary-looking HTTPS exchanges, all with low latency and connecting only to Tor bridges. Its purpose is not to replace Tor's own encryption but to hide the fact that Tor is in use, so that users in restrictive environments can reach the network without triggering network-level filtering or surveillance systems. The remote endpoint a Lyrebird process connects to is the bridge address handed to it by the Tor client (a Bridge line in torrc or Tor Browser's bridge settings), so the destination seen in a packet capture is wherever that configured bridge is hosted. |
| {{ :wiki:lyrebird.jpg?nolink |}} | {{ :wiki:lyrebird.jpg?nolink |}} |
| Screenshot of lyrebird phoning home to a UK SIGINT facility. | Screenshot of lyrebird phoning home to a UK SIGINT facility. |
| | |
| | At first I thought 'lyrebird' itself was malware, but after thorough research I found out its link to Tor, and that gave me a lightbulb moment, so I present this new analysis of what was actually going on. |
| |
| ====== Background ====== | ====== Background ====== |
| |
| A compromised transit position enables man-in-the-middle capabilities: a malicious or coerced VPN/proxy operator can (a) present substitute TLS certificates to the client (certificate substitution), (b) strip or re-wrap encrypted channels, decrypting them and forwarding the plaintext onward, or (c) inject code or responses into HTTP exchanges or Tor handshakes. These succeed without a visible end-user error only if the operator has also subverted the client's trust anchors or its certificate-validation path: against an unmodified client a substituted certificate fails validation, and a Tor client checks the relay's identity key against the directory consensus (or the fingerprint in its bridge line) during the handshake. Because the interception happens at a central transit point, it can quietly capture credentials, session tokens, keychain sync data, or unencrypted application payloads, and correlate those with device identifiers and timing information to link activities across services. | Exploiting a VPN enables sophisticated man-in-the-middle capabilities: a malicious or coerced VPN/proxy operator can (a) present substitute TLS certificates to the client (certificate substitution), (b) strip or re-wrap encrypted channels, decrypting them and forwarding the plaintext onward, or (c) inject code or responses into HTTP exchanges or Tor handshakes. These succeed without a visible end-user error only if the operator has also subverted the client's trust anchors or its certificate-validation path: against an unmodified client a substituted certificate fails validation, and a Tor client checks the relay's identity key against the directory consensus (or the fingerprint in its bridge line) during the handshake. Because the interception happens at a central transit point, it can quietly capture credentials, session tokens, keychain sync data, or unencrypted application payloads, and correlate those with device identifiers and timing information to link activities across services. |
| |
| Practical signs that point to this kind of compromise include repeated unexpected VPN exit IPs located in a single opaque AS, TLS certificate chains whose fingerprints differ from the known ones for a service, unexplained persistent low-latency routes through a single geographic/ASN cluster, DNS answers arriving from unexpected resolvers, and client behaviour that suddenly succeeds only when routed via a specific server. | Practical signs that point to this kind of compromise include repeated unexpected VPN exit IPs located in a single opaque AS, TLS certificate chains whose fingerprints differ from the known ones for a service, unexplained persistent low-latency routes through a single geographic/ASN cluster, DNS answers arriving from unexpected resolvers, and client behaviour that suddenly succeeds only when routed via a specific server. |
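As an added illustration of the route-based signs listed above (this is not code from the original page and does not use its capture), the following Python script parses a traceroute listing, maps each hop to an AS number with a longest-prefix lookup, flags hops in ASNs outside an expected set, reports the AS that carries the longest run of consecutive hops, and checks how many distinct ASNs a set of observed VPN exit addresses fall into. The traceroute lines, prefixes and AS numbers are constructed from documentation ranges (RFC 5737 addresses, private-use ASNs) purely for the example; in practice the prefix table would come from a routing-table dump or an IP-to-ASN service.

```python
import ipaddress
import re

# Constructed sample data (documentation ranges, not real measurements).
TRACEROUTE = """\
 1  192.0.2.1       1.2 ms
 2  198.51.100.9    4.8 ms
 3  203.0.113.17    9.1 ms
 4  203.0.113.33   10.4 ms
 5  * * *
 6  203.0.113.65   11.0 ms
 7  198.51.100.200 40.2 ms
"""

# Constructed prefix -> ASN table standing in for a routing-table dump.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,        # hypothetical local ISP
    "198.51.100.0/25": 64497,     # hypothetical VPN provider
    "198.51.100.128/25": 64498,   # hypothetical destination network
    "203.0.113.0/24": 64499,      # hypothetical single transit AS
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+([\d.]+)\s*ms)?")


def asn_for(ip):
    """Longest-prefix match of ip against PREFIX_TO_ASN; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def parse_traceroute(text):
    """Return [(hop, ip_or_None, rtt_ms_or_None)]; '*' hops yield None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, host, rtt = m.groups()
        ip = None if host == "*" else host
        hops.append((int(hop), ip, float(rtt) if rtt else None))
    return hops


def analyse_path(text, expected_asns):
    """Map hops to ASNs and flag the unexpected ones.

    Returns (path_asns, unexpected_asns, dominant_asn) where dominant_asn is
    the AS carrying the longest run of consecutive answered hops; timed-out
    hops (None) do not break a run."""
    path = [asn_for(ip) if ip else None for _, ip, _ in parse_traceroute(text)]
    unexpected = sorted({a for a in path if a is not None and a not in expected_asns})
    best_asn, best_len, cur_asn, cur_len = None, 0, None, 0
    for a in path:
        if a is None:
            continue
        if a == cur_asn:
            cur_len += 1
        else:
            cur_asn, cur_len = a, 1
        if cur_len > best_len:
            best_asn, best_len = a, cur_len
    return path, unexpected, best_asn


def exit_as_diversity(exit_ips):
    """Distinct ASNs behind a set of observed VPN exit addresses; a single
    ASN across many sessions is one of the signs described above."""
    return sorted({asn_for(ip) for ip in exit_ips} - {None})


if __name__ == "__main__":
    path, unexpected, dominant = analyse_path(TRACEROUTE, {64496, 64497, 64498})
    print("hop ASNs:", path)
    print("unexpected ASNs:", unexpected, "dominant AS:", dominant)
    print("exit ASNs:", exit_as_diversity(["203.0.113.17", "203.0.113.33", "203.0.113.65"]))
```

The expected-ASN set is the part that needs care: it should contain your ISP, the VPN provider's own AS and the destination, built from a route you have independently verified (for example without the VPN), so that any AS appearing only when the VPN is in use stands out.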
| When an adversary controls a VPN exit, proxy, or intermediate transit node they can silently terminate and re-establish encrypted sessions so that a user's browser or client is presented with a perfectly cloned (but fake) webpage for services like WikiLeaks or Tor hidden-service portals. By substituting certificates, injecting a lookalike HTML payload, and replaying or swallowing form submissions, the proxy can make the user believe they successfully uploaded documents to a legitimate whistleblowing platform while actually capturing the files, metadata, and submission context into a closed repository (a "black hole") under the adversary's control. Because the page is rendered locally in the user's browser and the visible UI appears authentic, victims are unlikely to notice anything wrong; meanwhile the operator logs identifiers, timestamps, and any decryption material needed to correlate that traffic with device-level identifiers. This technique thus converts trust in a target service into a trap: users willingly surrender sensitive material into an environment that offers no onward publication or protections, while attackers gain both the content and a clean audit trail for follow-up actions. One caveat: a genuine onion address is self-authenticating (the address encodes the service's public key), so a transit node cannot present a cloned onion service to a client that actually reaches it over Tor; the cloning attack applies to clearnet sites and to clearnet gateways that proxy onion services. Detecting this class of attack depends on verifying end-to-end cryptographic fingerprints (certificate pinning or known service fingerprints), checking TLS chains and domain names carefully, and preserving raw network traces and certificate chains for forensic review. | When an adversary controls a VPN exit, proxy, or intermediate transit node they can silently terminate and re-establish encrypted sessions so that a user's browser or client is presented with a perfectly cloned (but fake) webpage for services like WikiLeaks or Tor hidden-service portals. By substituting certificates, injecting a lookalike HTML payload, and replaying or swallowing form submissions, the proxy can make the user believe they successfully uploaded documents to a legitimate whistleblowing platform while actually capturing the files, metadata, and submission context into a closed repository (a "black hole") under the adversary's control. Because the page is rendered locally in the user's browser and the visible UI appears authentic, victims are unlikely to notice anything wrong; meanwhile the operator logs identifiers, timestamps, and any decryption material needed to correlate that traffic with device-level identifiers. This technique thus converts trust in a target service into a trap: users willingly surrender sensitive material into an environment that offers no onward publication or protections, while attackers gain both the content and a clean audit trail for follow-up actions. One caveat: a genuine onion address is self-authenticating (the address encodes the service's public key), so a transit node cannot present a cloned onion service to a client that actually reaches it over Tor; the cloning attack applies to clearnet sites and to clearnet gateways that proxy onion services. Detecting this class of attack depends on verifying end-to-end cryptographic fingerprints (certificate pinning or known service fingerprints), checking TLS chains and domain names carefully, and preserving raw network traces and certificate chains for forensic review. |
| |
| In short, this situation prevented me from sharing my intelligence with WikiLeaks, the media and a Russian government Tor service. | In short, **this situation prevented me from sharing my intelligence with WikiLeaks, the media and a Russian government Tor service**. |
| |
| ===== Traffic Analysis ===== | ===== Traffic Analysis ===== |
| |
| **AS199058 (Serva One Ltd):** | **AS199058 (Serva One Ltd):** |
| | |
| * Connects to the global internet via three transit upstreams, all under the Green Floid LLC umbrella: AS204957, AS21100, and AS50979. | * Connects to the global internet via three transit upstreams, all under the Green Floid LLC umbrella: AS204957, AS21100, and AS50979. |
| * It has no downstream customers, indicating it is a stub network (an end customer of its upstreams rather than a transit provider). | * It has no downstream customers, indicating it is a stub network (an end customer of its upstreams rather than a transit provider). |