
Darknet - what it is, how criminals use it, what to watch out for

24.06.2024



Ruslan Rakhmetov, Security Vision


Modern cyberspace is increasingly moving away from the original concept of the Internet as a global, international network of free exchange of information: the so-called ‘Balkanisation’ of the Internet leads to the breakdown of a single cyberspace into separate national segments, which are more like WANs (Wide Area Networks) operating within a single state. The most typical examples are the networks in China and the DPRK, which have rather limited capabilities to exchange information with the nodes of the global Internet space. In such networks, at the legislative level, states restrict the use of certain applications and services, including international ones, as well as control the exchange and distribution of certain types of content (e.g., infringing local laws or copyrights). Within an individual state, a kind of large-scale corporate network is created, with strict rules for information processing and restrictions on interaction with the external Internet space.


A characteristic feature of such cyberbalkanisation is the presence of strict restrictions and prohibitions on the receipt and distribution of certain information, whereas initially legal regulation was used to protect the interests of copyright holders from the unlawful distribution of media content (films, music, books) on the Internet, for example through peer-to-peer networks. For example, the file-sharing network Napster, which provided mp3 file-sharing services to Internet users from 1999 to 2001, faced lawsuits from copyright holders of audio content and went bankrupt. The USA was initially the most active in the field of prohibition and control measures in the Internet space: the Digital Millennium Copyright Act (DMCA), adopted back in 1998, increased fines for copyright infringement via the Internet and introduced liability for the creation and distribution of technologies, devices and services designed to circumvent technical means of copyright protection (Digital Rights Management, DRM); in 2001, a similar law was adopted in the EU (Directive 2001/29/EC).


With the development of technologies for accessing and storing information, the emergence of high-speed communication channels and convenient consumer devices (smartphones, tablets), the volume of information on the Internet, its accessibility and its impact on public sentiment have been growing, and large companies and Internet giants have begun to store and process huge amounts of information, including sensitive personal data, the leakage of which can cause significant damage to users. As a result, governments around the world faced the need for state regulation of the Internet environment: requirements for personal data protection were introduced (152-FZ in Russia, PIPL in China, GDPR in the EU, US HIPAA and CCPA, the EU-US Data Privacy Framework, etc.), as well as requirements for the localisation of personal data databases (Russian 242-FZ on the localisation of personal data databases, Article 37 of the ‘Law on Cyber Security’ in China), rules for the operation of national networks (the Russian law on the ‘Sovereign Runet’) and requirements for the storage of user data (Russian rules for organisers of information dissemination on the Internet). In general, the desire of various states to establish rules for data processing and to control access to various information is quite logical, since, given the depth of penetration of modern technologies, uncontrolled dissemination of information can lead to social upheavals - just think of mass protests coordinated through social networks and messengers, or the publication of fake news and videos that sow panic and provoke clashes between different social groups.


Thus, the connectivity and accessibility of the global Internet is gradually being disrupted: governments, Internet corporations and businesses are establishing their own rules for information processing and Internet access in different countries to protect their interests. For example, a Russian user today may find that a web resource may be inaccessible for one of three reasons (not counting purely technical ones, such as Internet routing protocol malfunctions or DNS errors):


- Blocking by RosComNadzor (the resource is blocked at the request of the Prosecutor General's Office of the Russian Federation or by court order, the resource has published inaccurate information or posted information distributed in violation of legal requirements, the owners have failed to comply with legal requirements - for example, the requirements for ‘landing’ under 236-FZ of 01.07.2021);

- Blocking on the part of the owner of the web resource (foreign companies since 2022 started actively blocking access of users from the Russian Federation to their sites on the basis of geographical location due to sanctions requirements);

- Blocking by Internet service providers or through a security solution (for example, some foreign DDoS protection services consider traffic from the Russian Federation untrusted by default).


In the pursuit of control over the Internet space and citizens with the help of modern technologies, some states are crossing certain moral and ethical boundaries: the content of documents published by Edward Snowden and Julian Assange leaves no doubt about the widespread use of methods of unauthorised mass surveillance of citizens from various countries who are not even suspects.


The desire to avoid such surveillance, bypass censorship, and freely exchange information and opinions in the modern world has become a luxury that few people can afford, but communities of developers and computer enthusiasts are still making some efforts to democratise the Internet space and provide users with methods and tools to bypass restrictions and total digital control. Such tools are aimed at ensuring the anonymity of Internet users, making it more difficult for ISPs and regulators to analyse Internet traffic, encrypting transmitted and stored data, and they are used to circumvent restrictions and access blocked web resources. These methods, however, have also been actively used by various network intruders and fraudsters - as is often the case with many modern technologies. More and more often you hear the term Darknet in the news: leaked personal databases, stolen credentials, exploits for zero-day vulnerabilities, hacking services, even forged documents, weapons and drugs are all allegedly found on the Darknet. In this article, let's understand what Darknet and Darkweb are, how they are used by hackers and how they differ from Clearnet and Deepweb, as well as try to assess the risks of visiting Darknet resources.


So, the Darknet is a hidden network of interconnected components (network nodes) communicating over regular Internet connections using special network protocols and encryption technologies to protect transmitted data and ensure the anonymity of network participants. There are several types of Darknet networks, the best known of which are Tor, I2P, GNUnet and Hyphanet (formerly Freenet). To operate and access a Darknet network, special software (usually Open Source) is used, which allows you to connect to the hidden network as a user or to contribute your PC to the network's operation (for example, to route traffic and store other users' information). Different types of resources can operate on the Darknet: file-sharing networks (e.g. those based on distributed file systems), e-mail, messengers, VoIP, social networks, as well as websites and forums. The term Darknet itself appeared in the United States in the 1970s to denote separate LANs that were isolated, for reasons of secrecy and security, from ARPANET, the progenitor of the modern Internet.


The aggregate of sites on the Darknet is called the Darkweb - essentially, these are web resources accessible only from the Darknet using browsers configured in a certain way. Normal search engines (Google, Yandex, etc.) do not work in the Darkweb, so special search engines (e.g. DuckDuckGo, Torch, Ahmia) or special directories of Darkweb sites (e.g. Hidden Wiki) are used.


Clearnet is the Internet as we are accustomed to it: its sites are indexed by search engines and can be visited without special programmes, special browsers or logins/passwords. According to some estimates, the part of the Internet visible to search engines is only 10% of all resources, and 90% of content remains invisible to most users.


Deepweb is part of Clearnet, but Deepweb sites are closed to search engines and are only available to users after authentication (e.g. login and password) or by subscription (paywall). Examples of Deepweb include email, Internet-accessible corporate resources (requiring user authentication), banking client portals, social networking content with hidden profiles, streaming services, and forums and chat rooms requiring registration. It should be noted that access to some forums cannot be obtained through the standard new user registration procedure: a so-called ‘invite’ (i.e. invitation) is required, which is a unique URL or a long string of random characters that can be generated by forum administrators or by already registered users with a certain intra-forum reputation. The invite system allows the number of users to be limited, which is especially important for some hacker forums that imply communication in a closed circle on specific topics (vulnerabilities, viruses, leaks, hacks, financial issues, etc.).


Next, let's look at the example of the most popular Darknet network, Tor, to get a basic idea of its operating principles. The project to develop an anonymous data exchange network was launched in the mid-1990s in the research laboratory of the U.S. Navy: the emphasis was on anonymity of network users, bypassing network blocking, speed and convenience of use, confidentiality of transmitted information, and protection from interception and analysis of traffic in the network; at the same time, the threat model considered attacks both from nodes of the global Internet and from internal nodes of the network being created. The functioning of the developed network was based on the Onion Routing technology, according to which information encrypted by the sender is transmitted to the receiver through a chain of connections (circuit) of three intermediate network nodes (relays), each of which decrypts only its own layer of the data (‘removes the onion layer’) to learn the address of the next node; only the final node (exit node) sees the sender's original message, which it delivers to the final recipient.
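To make the layered decryption concrete, here is an added simulation of a three-hop onion circuit; it is not Tor's code and is not from this article. Real Tor negotiates a separate key with each relay during circuit construction and uses AES-CTR; the simulation assumes constructed pre-shared relay keys, a toy SHA-256 counter-mode keystream with an HMAC tag as the per-layer cipher, and a fixed-width next-hop field. It records what each relay can see, which also illustrates why the exit node can read unencrypted HTTP traffic unless the payload is itself protected end-to-end (as TLS does), a point the article returns to in its recommendations.

```python
import hashlib
import hmac
import os

# Added, illustrative simulation of onion routing (not Tor's implementation).
# Relay keys are constructed pre-shared secrets; the cipher is a toy
# SHA-256 counter-mode keystream plus an HMAC-SHA256 integrity tag.

HOP_FIELD = 32   # fixed-width field carrying the next-hop name
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; without the right key the tag check fails."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed: wrong key or tampered cell")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def _hop_header(name: str) -> bytes:
    return name.encode().ljust(HOP_FIELD, b"\0")


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: one layer per relay, innermost for the exit.

    circuit is an ordered list of (relay_name, relay_key): guard, middle, exit.
    Each layer reveals to its relay only the name of the next hop.
    """
    cell = encrypt_layer(circuit[-1][1], _hop_header(destination) + payload)
    for i in range(len(circuit) - 2, -1, -1):
        next_name = circuit[i + 1][0]
        cell = encrypt_layer(circuit[i][1], _hop_header(next_name) + cell)
    return cell


def relay_peel(key: bytes, cell: bytes):
    """Relay side: remove own layer, learn the next hop, forward the remainder."""
    plain = decrypt_layer(key, cell)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def run_circuit(circuit, onion: bytes, secret: bytes) -> dict:
    """Forward the onion hop by hop and record what each relay could observe."""
    seen = {}
    cell = onion
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        seen[name] = {"next_hop": next_hop, "sees_secret": secret in cell}
    seen["delivered"] = cell
    return seen


def demo(https: bool) -> dict:
    """Constructed three-hop circuit. With https=True the payload is wrapped in an
    extra layer only the destination can open (standing in for TLS), so the exit
    relay forwards ciphertext it cannot read."""
    circuit = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    secret = b"GET /account HTTP/1.1\r\nCookie: session=constructed-demo-token\r\n"
    site_key = os.urandom(32)  # shared only by client and destination (constructed)
    payload = encrypt_layer(site_key, secret) if https else secret
    onion = build_onion(circuit, "example.com", payload)
    seen = run_circuit(circuit, onion, secret)
    seen["destination_reads"] = decrypt_layer(site_key, seen["delivered"]) if https else seen["delivered"]
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        r = demo(https=mode)
        print("HTTPS" if mode else "HTTP ", {k: r[k] for k in ("guard", "middle", "exit")})
```

Running the script shows that the guard learns only that the next hop is the middle relay, the middle learns only the exit, and the exit alone sees the destination name; in plain HTTP mode the exit also sees the request contents, while in the HTTPS-style mode it forwards ciphertext.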


In 1998, the US Navy patented the development, and in the same year the developers published an article about Onion Routing technology in the IEEE Journal on Selected Areas in Communications. In 2002, The Onion Routing project (Tor for short) was founded, which gave a start to the formation and gradual growth of the Tor network, facilitated by the publication of the Tor source code by the US Navy under an open and free licence. Already in 2004 Tor development was sponsored by the international non-profit Electronic Frontier Foundation (EFF), and in 2006 the non-profit organisation The Tor Project was established, which still develops software for the Tor network, supports its operation and still receives grant funding, including from various US government agencies (the organisation's financial statements for almost the last two decades are available on its official website). Currently, the Tor network has more than 7 thousand nodes (more than 1 thousand of them exit nodes) and about 2 thousand bridges (used when Tor network nodes are inaccessible due to network restrictions), which are supported by enthusiastic volunteers and various organisations around the world.


Thus, the Tor network has become a dual-purpose tool: on the one hand, it allows users to bypass certain network and censorship restrictions, exchange information anonymously, and protect their data from interception and analysis, and on the other hand, it continues to contribute to the original goals of infrastructure secrecy and anonymity for Western security agencies. In the mid-1990s, as Internet communications evolved, Western agencies felt the need to provide a secure, confidential and anonymous way for employees to communicate via public networks, and the ideal solution was Onion Routing, a technology released to the masses to create the necessary ‘noise’ in which the network communications of intelligence agents could be lost.


From the user's point of view, access to the Tor network is trivial: the Tor Browser, built on the Mozilla Firefox platform, connects to the network automatically, after which it is possible to access both Clearnet pages (in this case the websites see the IP address of the Tor exit node instead of the user's own IP address) and onion resources. Darkweb sites in the Tor network can be published by any user: the corresponding software is freely distributed, and there is no need to register a domain name or provide any personal data of the site owner. Websites in the Tor network are located in the ‘.onion’ top-level domain, and addresses consist of 56-character sequences of letters and digits.
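A defender who filters URLs or parses threat-intelligence reports needs to recognise what a well-formed ‘.onion’ address looks like. The following added example (not from the article or the Tor Project) encodes and validates the 56-character v3 address format as documented in the Tor onion service specification: the address is base32 of the 32-byte public key, a 2-byte checksum and a version byte 0x03, where the checksum is the first two bytes of SHA3-256 over the string ‘.onion checksum’, the key and the version. The sample key is constructed.

```python
import base64
import hashlib

# Added example, not from the article. Layout follows the Tor v3 onion service
# spec: base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion",
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03.

ONION_V3_VERSION = b"\x03"


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the 56-character .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def parse_onion_v3(address: str):
    """Return (ok, reason); ok is True only for a structurally valid v3 address."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    # Subdomain labels (www.<addr>.onion) are allowed; the address is the last label.
    host = host.rsplit(".", 1)[-1]
    if len(host) == 16:
        return False, "16-character v2 address: no longer supported by the Tor network"
    if len(host) != 56:
        return False, f"unexpected length {len(host)} (v3 addresses are 56 characters)"
    try:
        raw = base64.b32decode(host.upper())
    except Exception:
        return False, "not valid base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False, f"unsupported version byte {version!r}"
    if checksum != _checksum(pubkey):
        return False, "checksum mismatch (typo or altered look-alike address)"
    return True, "valid v3 onion address"


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, not a real service
    addr = encode_onion_v3(sample_key)
    print(addr, parse_onion_v3(addr))
    print(parse_onion_v3("abcdefghijklmnop.onion"))
```

The checksum is what separates a mistyped or deliberately altered address from a real one: changing a single character of a valid address almost always breaks it, so a filter can reject malformed indicators before they reach a blocklist.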


It is also worth noting that the average Internet user, for whom the resources of the Clearnet are as a rule quite sufficient, has no need to visit the Tor network, although out of curiosity some may want to explore the Darknet. In this case, it should be remembered that in Russia the Tor project site has been blocked since 2021; in addition, there are proposals to make the use of the Darknet illegal.


If a user comes across a link leading to a domain in the ‘.onion’ zone, he or she should be cautious, as the information on such a page may be unreliable (no state currently has any way to control content placement in the Tor network) or may contain links to viruses that will be delivered to the user's device bypassing perimeter protection solutions, which are unable to analyse encrypted Tor traffic. Active users of the Darknet are hackers and fraudsters who use the Tor network to post stolen information (‘leaks’), sell credentials (‘access’), rent viruses and botnets for DDoS attacks, buy and sell fake documents, and recruit insiders, so registration on such resources, even for purely research purposes, may raise questions from the competent authorities. In addition, Tor hosts the sites of extortionist cybercrime groups, which publish news about their latest hacks, post their ransom demands and give victims instructions on how to transfer money: the anonymity and uncontrollability of the Tor network are successfully exploited by attackers. If a user, despite these dangers, still needs to connect to the Tor network and visit an onion site, they should follow some basic rules of cyber hygiene:


1. Regularly update Tor Browser: auto-update is enabled by default, but updates are often downloaded too slowly, which leaves a window of opportunity for attackers to exploit vulnerabilities regularly discovered in Mozilla Firefox.


2. Tor Browser is optimally configured by default, but you can optionally change the settings of the built-in NoScript plugin to disable JavaScript by default on all sites, and set the Security Levels setting to Safest.


3. When connecting to Clearnet sites via the Tor network, you should use the HTTPS protocol only: do not forget that a Tor exit node can be operated by attackers disguised as enthusiastic volunteers, and unencrypted HTTP traffic passing through it can be eavesdropped. You can switch Tor Browser to HTTPS-Only mode in its settings.


4. Do not post your personal data or sensitive information on Darkweb: onion-sites are not controlled by anyone except their owners, so it will be impossible to get your information removed legally.


5. To ensure corporate network security, you should control or completely block any connections to the Tor network, both outgoing and incoming (from the IP addresses of Tor exit nodes; their list is publicly available and regularly updated). Outbound connections to the Tor network may indicate that there is active malware in the company infrastructure communicating with the attackers' C&C server over Tor, while inbound connections from Tor may indicate either attempts to covertly analyse your infrastructure and potential attack surface or (especially in the case of inbound VPN/RDP connections) the use of compromised user credentials for unauthorised access to the corporate network.
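The last recommendation turns into a simple detection once a firewall log is matched against the exit-node list. The following added example (not from the article; the product and its detection rules are not involved) classifies constructed firewall log lines by direction: outbound connections from internal hosts to known Tor relays (or to the default relay ports 9001/9030) are flagged as possible malware C&C traffic, inbound connections from Tor exit nodes to RDP, VPN or SSH ports are flagged as possible credential abuse, and other inbound connections from exits as possible reconnaissance. The exit-node addresses come from RFC 5737 documentation ranges and the log format is invented; in production the set would be refreshed from the Tor Project's published bulk exit list (check.torproject.org) and the parser adapted to the real firewall's format.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the article. Exit-node addresses and log lines are
# constructed (RFC 5737 documentation ranges); refresh the set from the Tor
# Project's published exit list in a real deployment.

TOR_EXITS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11", "198.51.100.7")}
TOR_RELAY_PORTS = {9001, 9030}  # default ORPort / DirPort; relays may use others
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
HIGH_RISK_INBOUND_PORTS = {3389: "RDP", 443: "VPN/HTTPS", 1194: "OpenVPN", 22: "SSH"}

Finding = namedtuple("Finding", "direction src dst dport reason severity")

# Constructed firewall log: timestamp action src:port -> dst:port proto
SAMPLE_LOG = """\
2024-06-24T10:01:02Z ALLOW 10.0.5.23:51544 -> 198.51.100.7:9001 TCP
2024-06-24T10:01:05Z ALLOW 10.0.5.23:51545 -> 203.0.113.50:443 TCP
2024-06-24T10:02:11Z ALLOW 192.0.2.10:40122 -> 10.0.1.5:3389 TCP
2024-06-24T10:02:30Z DENY 192.0.2.11:40200 -> 10.0.1.9:445 TCP
2024-06-24T10:03:00Z ALLOW 203.0.113.77:50000 -> 10.0.1.5:443 TCP
"""


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, action, src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, action, ipaddress.ip_address(sip), int(sport), ipaddress.ip_address(dip), int(dport)


def classify(line: str):
    """Return a Finding for Tor-related traffic, or None for everything else.

    Denied inbound attempts are kept: a scan from a Tor exit shows up as denies.
    """
    _ts, _action, sip, _sport, dip, dport = parse_line(line)
    if sip in INTERNAL and (dip in TOR_EXITS or dport in TOR_RELAY_PORTS):
        return Finding("outbound", str(sip), str(dip), dport,
                       "internal host to Tor relay: possible malware C&C over Tor", "high")
    if dip in INTERNAL and sip in TOR_EXITS:
        service = HIGH_RISK_INBOUND_PORTS.get(dport)
        if service:
            return Finding("inbound", str(sip), str(dip), dport,
                           f"Tor exit to {service}: possible use of compromised credentials", "high")
        return Finding("inbound", str(sip), str(dip), dport,
                       "Tor exit to internal host: possible reconnaissance", "medium")
    return None


def scan(log_text: str):
    """Classify every non-empty line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.direction} {finding.src} -> {finding.dst}:{finding.dport}  {finding.reason}")
```

The three findings on the sample log correspond to the three situations the recommendation lists: an internal host talking to a relay, a Tor exit reaching RDP, and a Tor exit probing a blocked port. Matching on destination port alone produces false positives, so the relay-IP match should be the primary signal and the port match a supporting one.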
