1. Home
  2. Software
  3. Tor

Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

ID: S0183
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 1.3
Created: 16 January 2018
Last Modified: 25 March 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[1]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[1]

Groups That Use This Software

ID Name References
G1032 INC Ransom

[2][3][4]
G0007 APT28

[5]
G0016 APT29

[6]
G0065 Leviathan

[7]

Campaigns

ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used C2 servers managed through Tor.[8]
C0053 FLORAHOX Activity

FLORAHOX Activity has routed traffic through a customized Tor relay network layer.[9]
C0014 Operation Wocao

During Operation Wocao, threat actors used Tor exit nodes to execute commands.[10]

References

  1. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  2. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  3. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  4. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
  5. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  1. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  2. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  3. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  4. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  5. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.