The Obama Administration alleges that Russian state hackers attempted to influence the 2016 election by illegally accessing stored emails belonging to the Democratic Party and the Clinton Campaign. The emails, including material embarrassing to Democrats, were subsequently leaked to the public.
The FBI issued a report, “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” that described the indicators that led them to the Russians. What the FBI did not disclose was that some of those same indicators (IP addresses) turn up in traffic attempting to penetrate the secrets of this venerable blog.
Using advanced software engineering (egad, my coding is rusty!) I matched the FBI’s list of IP addresses against the December access logs here at Obama Conspiracy Theories. There were matches, lots of them! Of the 876 IP addresses claimed to be related to Russian hackers, 156 of them visited here!
My scan looked at over 1.7 million HTTP requests to obamaconspiracy.org from December 2016 to seek out this nefarious activity.
OK, let’s turn off the Wild and Wacky mode and get more serious.
Security researcher Jerry Gamblin found that 21% of the IP addresses on the FBI’s list were Tor exit nodes. Tor is an anonymity network (the Tor Browser is the browser built on it) that uses layered encryption and a chain of relays around the world to let a web user, or a hacker, hide their origin. Exit nodes are the relays where a request leaves Tor for the regular Internet, so the exit node’s IP address, not the user’s, is what appears in a web server’s access logs. Any Tor user anywhere could appear to come from any of these exit nodes, which is why an exit-node IP on an indicator list says very little about who was behind a given request.
The IP address 220.127.116.11 appears 147 times in my access logs (the log records every request, including each script, image and other asset on a page, so a single page view produces several entries). Here’s the report for that IP address from the Tor node checker tool:
% TOR Node Checker Tool
% Checking IP: 18.104.22.168
% TOR-Name: Unnamed
% TOR-Onion-Port: 9001
% TOR-Flags: Exit Fast Guard HSDir Running Stable V2Dir Valid
% TOR-Exit-Node: ACK
% TOR-Version: Tor 0.2.8.8
% TOR-Full-Version: Tor 0.2.8.8 on Linux
% TOR-Uptime: 3319133
% TOR-Bandwidth-Average-Bytes: 40960000
% TOR-Bandwidth-Burst-Bytes: 51200000
% TOR-Bandwidth-Estimated-Bytes: 14598492
So yes, that was a Tor exit node, ironically, in Moldova–birthplace of Orly Taitz. I checked a few others and most were Tor exit nodes too. Two not listed as Tor exit nodes were in the Netherlands and another two in New York. For a complete list of the IP addresses and the number of accesses from each, check here.
So what were these folks up to? Were they just browsing my site while seeking privacy, paranoid birthers? Most of the traffic drew a 403 (Forbidden) response from the web server. That’s not what normal browsing looks like, although a 403 is also what you get when the server is already blocking an address by policy, so the status code alone doesn’t settle intent. More telling is that at least some of the traffic was aimed at a site API used for uploading articles and other automated functions. There were porn URLs in there too (which returned errors), and I’m still trying to understand some of it.
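For readers who want to repeat the exercise on their own logs, here is the kind of script the matching and the follow-up triage described above call for. It is an added example written for this page, not the code that produced the numbers above. It parses Apache/nginx “combined” format log lines, keeps only the requests whose client IP is on an indicator list, and then, for each matched IP, tallies hit counts, response status codes and the paths requested, flagging addresses whose traffic is mostly 4xx errors. The indicator list, the log lines and the request paths (the API endpoint name included) are all constructed for the example and use RFC 5737 documentation addresses, so they do not describe any real host or any IP from the FBI report.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Regex for the Apache/nginx "combined" log format. Referer and User-Agent
# trail the size field and are ignored here (re.match, not fullmatch).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed indicator list standing in for the FBI's IP indicators.
# RFC 5737 documentation ranges are used so nothing points at a real host.
INDICATORS: Set[str] = {"192.0.2.10", "198.51.100.7", "203.0.113.55"}

# Constructed access-log sample (not real traffic). The paths are hypothetical:
# /api/upload.php plays the role of the "site API" mentioned in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Dec/2016:10:01:12 +0000] "POST /api/upload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Dec/2016:10:01:13 +0000] "POST /api/upload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Dec/2016:10:01:14 +0000] "GET /login/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2016:02:15:44 +0000] "GET /2016/12/some-post/ HTTP/1.1" 200 54321 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2016:02:15:45 +0000] "GET /themes/x/style.css HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Dec/2016:03:00:00 +0000] "GET / HTTP/1.1" 200 12000 "-" "curl/7.47"
192.0.2.10 - - [06/Dec/2016:11:00:00 +0000] "GET /free-porn/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def match_indicators(lines: Iterable[str], indicators: Set[str]) -> Dict[str, List[dict]]:
    """Group parsed entries by client IP, keeping only IPs on the indicator list."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["ip"] in indicators:
            hits[entry["ip"]].append(entry)
    return dict(hits)


def coverage(hits: Dict[str, List[dict]], indicators: Set[str]) -> Tuple[int, int]:
    """How many of the indicator IPs were actually seen (e.g. 156 of 876)."""
    return len(set(hits) & indicators), len(indicators)


def summarize(hits: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Per matched IP: hit count, status-code histogram, top paths, share of 4xx responses."""
    summary = {}
    for ip, entries in hits.items():
        statuses = Counter(e["status"] for e in entries)
        paths = Counter(e["path"] for e in entries)
        errors = sum(n for code, n in statuses.items() if 400 <= code < 500)
        summary[ip] = {
            "hits": len(entries),
            "statuses": dict(statuses),
            "top_paths": paths.most_common(3),
            "error_share": errors / len(entries),
        }
    return summary


def suspicious(summary: Dict[str, dict], threshold: float = 0.5) -> List[str]:
    """IPs whose requests were mostly refused or not found: worth a closer look,
    though a high 403 share can also mean the server was already blocking them."""
    return sorted(ip for ip, s in summary.items() if s["error_share"] >= threshold)


if __name__ == "__main__":
    hits = match_indicators(SAMPLE_LOG.splitlines(), INDICATORS)
    seen, total = coverage(hits, INDICATORS)
    print(f"{seen} of {total} indicator IPs appear in the log")
    for ip, s in summarize(hits).items():
        print(ip, s["hits"], "hits", s["statuses"], s["top_paths"])
    print("mostly-error IPs:", suspicious(summarize(hits)))
```

On a real log, replace SAMPLE_LOG with the file contents and INDICATORS with the addresses from the report; the parser skips lines it cannot read, so a mixed or partly corrupted log will not abort the run. The error-share flag is a triage aid, not a verdict: as the post notes, most of the matched addresses are Tor exits, and a wall of 403s may reflect the site’s own blocking as much as the visitor’s intent.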