Introduction

The World Wide Web has also a dark layer that is called Dark Web, which can be accessed through overlay networks that use the Internet but involve using special protocols such as TOR or I2p that provide pretty good anonymity for the users on the network. Because of the anonymity in strictly censored countries, it is the only place where opposition parties, human right activists can exchange information, share their opinion and communicate with each other in a clandestine way. This study aims at demonstrating the installation and the use of three different software products designed to access a special segment of the Dark Web. It is presented their strong and weak points and compares their main features. In the second part of the study, the reader is given an insight into the activity of nation-state actors on the Dark Web.

1.Research Methodology

This research provides a perspective where it has been studied the related professional literature and researches as well as the documentations of the above mentioned software packages. In addition to TOR, I2P and Freenet, there are some other software products in the wild designed to access the Dark Web. The author's choice is not arbitrary; it is instead based on the popularity of these applications. In order to get real experiences, the author installed and used these software products in MS Windows 10 pro 64 bit, and Kubuntu 20.04. featured Plasma 5.18. environments. The resource consumptions of these software products (processor time, hard disk activity, network bandwidth) were measured.

The current research is based on Dark Owl sources (a Denver-based company that provides the world's largest index of Dark Web content and the tools to efficiently find leaked or otherwise compromised sensitive data) in making the second part of this study because this company is one of the leading DARKINT data providers, but the author corroborated its data by other information sources as well.

2.Partition of the World Wide Web

Clear Net

The Clear Net is a term that refers to the part of the World Wide Web that is accessible for everyone without any special means or applications. This part consists of webpages, databases, web services that can be indexed by search engines such as Google, Bing and many others. The content of the clear net can be reached either by typing an URL in the address bar of the web browser or giving some keyword or search expression in the search box of one of the search engines and by following the links in the result pages. The indexed pages are only the small portion of the Internet, although according to Google the number of the Google indexed pages was accessed more than 130 trillion in 2016.1

Deep Net

The term Deep Net refers to another part of the World Wide Web that is only accessible after some authentication (e.g. username and password); that is why they are hidden from the index robots of search engines. These pages may include healthcare system-related sites, internet banking, educational and social media pages but the list is virtually endless. Surfing on the Deep Net does not require any special knowledge or software compared to Clearnet. Practically, everyone who has basic knowledge on Internet browsing can access it. Due to the fact that there are some overlapping communication protocols between the two kinds of nets, it can be hard to navigate from one to another. It is easy to see that the size of the deep web is much bigger than the Clearnet and its size is inestimable.

Dark Net

The rest of the World Wide Web is called Dark Net or Dark Web. What is the Dark Web itself? It is an overlay network within the internet and can only be accessed with specific applications (such as TOR or I2p and Freenet), configuration, authentication and uses customized communication protocol. There are two Dark Web types such as social networks (micro world networks) and anonymity proxy networks. The social network (e.g. the Freenet) used for file hosting with peer to peer connection while Tor and I2P are the series of anonymized connections.

Originally, the Dark Net was a hidden layer on ARPANET established in the '70s with the aim of providing hidden and secure communication between workstations for security purposes. The Dark Web was able to receive data from ARPANET but was invisible for the ARPANET networks. Since then, the ARPANET has evolved to World Wide Web and the Dark Web has gained much more popularity due to its anonymity. Today the size of the Dark Web is inestimable. According to the experts, the World Wide Web is like a floating iceberg on the surface of the ocean. The visible part is the Clearnet while the Deep Web and the Dark Web are under water.

In contrast with the picture above and the widespread belief, the Dark Web is not a unified entity. It consists of several different parts and each belongs to a method on how they are accessible. These parts are not fully compatible with each other and there is no penetrability between them. In the current study, TOR, I2p and, last but not least, the FREENET are presented in details.

3.TOR

TOR is a free and open source software that protects user privacy, keeps anonymity against network traffic analysis. Its name derives from the acronym The Onion Router. The word onion refers to the way it works, discussed below. TOR directs the network traffic through a free, worldwide volunteer overlay network which consists of thousands of relays to hide the users' location and traffic from network surveillance and network analysis. TOR protects user privacy and freedom but does not hide the usage of TOR network, so an ISP or a connected online service, for example, can see that the user is on the TOR network. Some online services do not let the users join via TOR for different reasons.3

TOR installation

The installation of TOR is a very simple step which implies that, after downloading the setup file from the https://www.torproject.org/download/ link and running the setup.exe and answering some simple questions, it creates a map (default path is the current user's desktop) with all of its dependencies in it. It does not copy any files into the system maps or somewhere else. The application runs after double clicking on the "Start TOR Browser" shortcut in the "TOR Browser" map. Firstly, TOR configures itself and runs the special Mozilla Firefox browser which is tailored to TOR.4

How does TOR work?

As an example, the user joined the TOR network and wants to visit a website. The TOR client obtains a list of nodes from the directory server and picks a random path (called circuit) through the relays on the network. It encrypts the data into multiple encrypted layers and sends to the next relay. It decrypts the outer layer but can only see the packet header which shows the sender and the next IP address but cannot see the data payload. Then it sends the packet to the next relay and so on until the last relay (special one called exit node) sends the payload to the website. The website is not aware of the original IP address as it communicates only with the exit node. The answer travels back the same way but backwards. The package is like an onion; it has multiple peel able layers. During the whole communication no individual relay knows the payload and the original IP address together. The TOR software uses the same circuit for efficiency if the next request happens within 10 minutes.5

TOR does not solve anonymity problems. It only focuses on the transport of data. It keeps websites from tracing one's activity. In order to improve anonymity (according to some experts), it is recommended to use any reliable VPN network, but anonymity in the TOR network or on the Dark Web is a very complicated matter and it is out of the scope of this study.7

The onion services

TOR is not only for anonymously browsing on the Clear Net. It allows users to hide their location and identity when publishing on the web various web services or instant message servers by its hidden services or as it is called - onion services. Any TOR user can create onion services. The simplest onion service is a basic HTML page. The TOR documentation provides detailed step by step instructions on how to set up hidden web services. One of the interesting features is that the service is available until the user is on the TOR network, because the service is stored on the user's computer.

After completing the onion web service its existence needs to be advertised on the TOR network before clients are able to access it. The service randomly picks some relays and builds circuits to them and asks those relays to act as introduction points and tells them its public key. On the TOR network it is almost impossible to associate an introduction point with the IP address of the onion server. The service assembles the onion service descriptor containing its public key and the summary of each introduction point and signs it with its private key and uploads it to the distributed hash table. The descriptor will be found by clients requesting the xyz.onion service, where the xyz is a 16-character-name that is derived from the service's public key. With this step the onion service is set up.

When the client wants to visit the onion service, they have to download the descriptor table at first so they will know the introduction points of the service and its public key. Then they have to create a circuit to a randomly picked relay that asks to act as a rendezvous point. The next step is sending a cookie through its circuit to one of the introduction points. The cookie contains the parameters of the rendezvous point and is encrypted with the service's public key. The hidden service receives this message from the introduction point and gets the address of the rendezvous point from the message. After that it builds a circuit to the rendezvous point and sends a rendezvous message to it. The rendezvous point notifies the client of the connection with the hidden service. After receiving the message, both the client and the hidden service are able to communicate with each-other through their own circuits via the rendezvous point. The onion service's address could be for instance "stormwayszuh4juycoy-4kwoww5gvcu2c4-tdtpkup667pdwe4qenzwayd. onion" where the first part in front of the dot is the public key of the hidden service. The hidden services can only be visited in the TOR system.8

E-mail service

Of course there is the possibility to connect to clear net email providers on the TOR network, although some providers do not support the TOR network. Apart from this, there are email service providers that are only related to TOR like Torbox (https://torbox3uiot6wchz.onion.sh/) or Mail2Tor. Both are for sending and receiving emails within the TOR network.9

The main features of the TOR application Pros:

* cross-platform availability (Linux, MS Windows, Android and so on);

* easy to use;

* portable - no need for installation, it can even run from a well configured USB key;

* complex data encryption;

* open source software;

* provides anonymity;

* variety of onion services.

Cons:

* very slow;

* hidden services are less spectacular with less functionality because of the lack of java script, and other services like Google.

4.I2P Network

I2P means invisible to the Internet and this network is another part of the Dark Web. I2P is an anonymous project which is similar to the TOR network, but there are some vital differences between them, which are discussed in details below. The software is free and its open source is written by some volunteers from almost every continent. The network consists of thousands of routers and the communications are end to end encrypted among them.10 The installation and the setup process are a little more complicated than the TOR setup. At first, make sure that Java Runtime Environment version 7 or higher is installed on the computer because the I2P software is written in Java language. After downloading the operation system dependent setup file from the official site of I2P (https://geti2p.net/en/download)11 run the setup file and the wizard takes the user through the installation steps of the software. The setup process did not come to an end. The last step is the manual proxy configuration in the default browser. Of course, there are detailed step by step instructions for the different browsers, such as Chrome, MS Edge and so on. (see Figure no. 3).

Upon the completion of the last step the I2P configuration is ready and with a double click on the shortcut on the desktop the software starts running and a few seconds later the user is in the network.12[14] The dashboard is similar to the one in Figure no. 4. There are different icons for the services and configurations on the dashboard but the detailed presentation of the whole system is out of the scope of this study.

How does I2P work?

There is no central point in the network on which pressure can be exerted to compromise the integrity, security or anonymity of the system. The network supports dynamic reconfiguration in response to various attacks, and has been designed to make use of additional resources as they become available. Unlike many other anonymizing networks, I2P does not try to provide anonymity by hiding the originator of some communications and is not the recipient, or the other way around. I2P is designed to allow peers using I2P to communicate with each other anonymously - both the sender and the recipient are unidentifiable to each other as well as to third parties.15

I2P provides a wide range of typical Internet activities such as anonymous web browsing, chat, web hosting, file sharing, email, blogging.

The main parts of the I2P network are:

* endpoints;

* participants;

* gateways;

* tunnels;

* database.

The inbound tunnel is a path to receive messages while the outbound tunnel is a path to send messages. Every router has many inbound and outbound tunnels at the same time but the router does not know the content of the traffic if it is not the addressee.

Alice wants to send a message to Bob on the I2P network. The main steps of the communication are outlined below.

1. Alice's computer joints the network and downloads a part of the network database from a designated router. In the network database there are router info and Lease Sets. The former is about the routers in the networks and latter is the way they are accessible.

2. Alice creates her own inbound and outbound tunnels, which consist of at least two hops (routers) and uploads her inbound channel address (Lease Set) to the network database.

3. Bob does the same.

4. Alice requests Bob's inbound tunnel address from the database then sends him the message through her outbound tunnel.

5. There are two possible ways to answer Alice's request. In the first case, Alice sent her inbound tunnel address to Tom in the message or Tom gets it from the database (it depends on technical reasons), but in both cases Tom answers to Alice's inbound tunnel through his outbound tunnel.

Of course it is a very simplified outline of communication but it shows the basics of I2P. It is easy to see that unlike TOR, communication between the peers goes in different routes back and forth, therefore four channels are required for a single round-trip message and reply.

One of the most important differences between TOR and I2P is the type of message they use. As it has already been mentioned, TOR uses the so called onion type messaging while I2P uses the garlic type messaging. The latter is similar to onion messages but in the garlic message the sender bundles more than one message in one packet. Of course, each is encrypted and a package is multi-layered like a TOR message. The package is similar to garlic gloves. All messages are bundled with their delivery instructions and are exposed at the endpoint. Using the garlic messaging increases data transfer and makes traffic analyses more difficult for an attacker.18

Anonymous Webserver

The anonymous Webserver (its popular name is eepsite) is the backbone of the I2P realm. The visited websites in the I2P network are actually anonymous webservers. There are detailed "How to" instructions in the user manual. Follow the instructions only a few steps to public one's own Webserver. The address of the eepsite is "something.i2p". After completing the basic steps, the user can create their own website. The eepsite is similar to the Tor onion site in that regard that both are accessible while the user is on the network. The two networks are not compatible with each other. There is one more thing that makes the use of the I2P network a bit cumbersome. Sometimes after trying to navigate to a website, the user gets a message saying the address is not in the address book. In this case the user is supposed to download the address of the destination site from one of the public address books. The address book is a vital part of the I2P installation. It regularly updates the users' host.txt file from subscripted sources. The address book related detailed help is also available in the documentation.19

File sharing (I2Psnark torrent service)

The other very useful function on the I2P network is file sharing. I2P has an anonymous BitTorrent client called I2PSnark. This application only works with torrents created within the network, so, for example, PirateBay will not work. It has own trackers and it is just as easy to browse, download and upload the users' own content as it is with conventional BitTorrent trackers. For downloading a file, navigate to one of the trackers, i.e. http://tracker2.postman.i2p, and then click right on the link of the chosen file and copy the torrent link into the address bar of the I2Snark. Click on the play button and the file is downloading.21

The email service

I2P also provides the user with a built-in anonymity email service. This service, besides the anonymity, is capable of working together with open internet mail providers. The service is maintained by a private person in their free time. That is why there are some courtesy rules that should be taken into consideration, for example, delete the account if it is not used anymore. Unfortunately, for this reason it can happen that the service is unavailable for a certain period of time.

The other dark email system is Bote on I2P. This is a messaging platform, which is similar to email, however, it has some special features. These are security, anonymity and resilience.

Security: unlike email services Bote does not have email addresses. Instead, the address is a long string with random characters in it. This cryptographic key is actually the receiver's public key. Thus, the email is automatically encrypted with this key and only the receiver can decrypt with their private key and that is why no clear-text are ever sent or stored. Besides, unlike standard email, it has no traditional email header which gives away information about the sender.

Anonymity: Bote is protected in a number of ways. The first is that it operates over the I2P network. The second is that the user can select the number of nodes through which the messages will be bounced around before going to the Distributed Hash Table (DHT) to be stored for 100 days. The system includes some random amount of time delays between each node as the message is bouncing around. This makes it possible to send a message without any correlation between the time when it was sent and received. Moreover, there is a possibility to send a message to the recipient without any return address, so the addressee cannot answer in this case. The user can create as many identities as they want.

Resilience: It is another special feature of Bote. The system is not centralized; the message is stored in a DHT which is spread across the i2pBote users so there is no clear target for an attack.22

The main features of the I2P application:

Pros:

* cross-platform availability (Linux, MS Windows, Android and so on);

* it has its own services;

* faster than TOR;

* open source project maintained by volunteers;

* no restriction on websites features, more spectacular webpages.

Cons:

* complicated settings, less user-friendly;

* navigation to eepsites is complicated;

* limited access to clear net.

5.The Freenet

The Freenet is software which allows the user to share files anonymously, browse and publish the so called "freesites". These sites are accessible only through Freenet. This application also lets the user chat on forums and email without the fear of censorship. Freenet has a multilevel security mode. The decentralization makes it less vulnerable to attacks and in "Dark Net" mode, where the users only connect to their friends, it is very difficult to detect. Communication between Freenet nodes is encrypted and is routed through other nodes to make it extremely difficult to determine who is requesting what. By using Freenet, the users contribute to the network by giving bandwidth and a portion of their hard drive (data store) for storing files. In the user's storage the files are kept or deleted depending on how popular they are in order to make room for more popular or newer content. The files are stored in chunks and they are even encrypted so the user cannot discover what is in the datastore, and, generally speaking, they are not accountable for it. What is more, the software has a unique feature as it was mentioned above, which is the "Dark Net" mode. In this function the users only connect to people who they trust and in such way they greatly reduce their vulnerability and yet, they still connect to the global network through their friends' friends' friends' and so on. By using the "Dark Net" mode, Freenet can be even used in countries where it is illegal and prohibited.23

The Freenet software is also written in Java language so Java Runtime Environment version 7.0 or higher should be installed on the computer. There are different installers for different platforms such as MS Windows, MAC OSX or GNU/Linux & POSIX. Freenet is free and open source software available under GPLv2+. The source code is on the GitHub. After downloading the platform dependent setup file from the https://freenetproject.org/pages/download.html page and double clicking on the installer file the wizard helps in the installation process. During this process the user is supposed to give, for example, the size of the data store, the maximum bandwidth and last but not least they have to choose one of the security options. The last one is a very important step. Taking into account the user's threat-model there are four options.24

* Low: maximum performance, the identity is discoverable.

* Normal: modest privacy at some performance cost. Ideal for relatively free countries.

Dark Web mode (connected to at least 3 friends, but 10+ for good performance)

* High: It is difficult to monitor the users' communications for ISPs and governments.

* Maximum: Life threatening situations and very sensitive content although this option does not guarantee full security and anonymity.

The Dark Web mode is a so called "small world network". By connecting to the nodes of people you already know and the people you know in turn connect to people they know, all nodes should be able to be reached in a Freenet network.

An interesting feature of the application is that if the user has no friends and connects to strangers and the user's data store is empty, it takes hours or days for the system to get up to speed. During this period some requests time out before retrieving anything. The user can browse on Freenet during the setup process, but the performance is very poor, not to mention that if the system is turned off, the peer to peer setup process starts from the beginning. The user should have at least three or more nodes connected, but the ideal number is five to seven. Since some of the nodes may be unreachable at times it needs more nodes to be connected to get the expected number.

Among the dozens of options, there are four more to protect the uploaded and downloaded files and the file cache depending on whether the disk is fully encrypted or not. Without going into details it is easy to see that system installation is a complicated process.

All in all, setting up a secure and anonymous Freenet application takes a well prepared user and a lot of time. However, even an IT expert, who has no trusted friends, cannot enjoy the full advantages of the Freenet system.

How does Freenet work?

The Freenet system is an adaptive peer-to-peer network of nodes that query one another to store and retrieve data files, which are named by location independent keys. The system can be regarded as a cooperative distributed file system incorporating location independence and transparent lazy replication. The system enables ordinary users to share unused CPU cycles on their machines. Freenet enables users to share unused disk space.26

The basic model requests keys to be passed along from node to node through a chain of proxy requests in which each node makes a local decision about where to send the request next, in the style of IP (Internet Protocol) routing. Depending on the key requested, routes will vary. The nodes only have knowledge of their immediate upstream and downstream neighbours in the proxy chain, to maintain privacy. No node is privileged over any other node, so no hierarchy or central point of failure exists. Joining the network is simply a matter of first discovering the address of one or more existing nodes through out-of-band means, then starting to send messages.

Freenet keys

Each file on Freenet has a key associated with it. There are various types of keys that are used for everything on the network. A key looks like KSK@sample. txt. To access a particular file you need to know the key to the data, and enter it as follows: http://localhost:8888/[Freenet Key] (or click on a link containing the key).

There are four types of keys

* CHK - Content Hash Keys.

* SSK - Signed Subspace Keys.

* USK - Updateable Subspace Keys.

* KSK - Keyword Signed Keys.

CHKs are the most fundamental. All files over 1kB are ultimately divided into one or more 32kB CHKs. CHKs' filenames are determined only by their contents. SSKs are the other basic type. These combine a public key with a human-readable filename and therefore allow for freesites. KSKs are a variant of SSKs, where everything is determined by a simple human readable filename (e.g. =KSK@ sample.txt). These are spammable, but convenient in some cases. USKs are a form of updatable keys especially useful for freesites and Address Resolution Keys.

An Address Resolution Key (ARK) is an Updatable Subspace Key (USK) inserted by the node whenever its IP address changes. It contains the reference for the node - its cryptographic details, and in particular its IP address(es).28

Those who are interested in keys please refer to the detailed documentation by following this link https://freenetproject.org/pages/documentation.html29.

Freenet Social

The default settings for Freenet installation are not optimal for this usage, so in order to take advantage of the system there are some plugins to be installed. These provide email, blog, chat, forum functions in the network.

Web of Trust plugin

The first and most important plugin is WebofTrust. The plugin and some others can be downloaded from FProxy (http://localhost:8888) "configuration^ plugins" page. This plugin is created with the aim of excluding spammers from the system. Most of the plugins can only be used with WebofTrust identity, which guarantees that the user is not a spammer. In the WebofTrust identity each user has a trust index that is maintained by other users. If this index is low the user cannot use the service (i.e. forums, chats and others). Those who have this user in their trust network will no longer be able to download messages from that identity. It is very important in a censor free system. Of course, not everybody will agree what does or does not constitute spam. That is why every identity has its own trust list to mark other identities as they see fit.30

Freemail plugin

The installed WebofTrust and a created identity are the prerequisites of the freemail plugin installation. After downloading the plugin an account should be created, where the account name is the identity created in the WebofTrust plugin. An email address looks like this: brucv_flood@ bscjxorbs4raxr7ysm7qjawqgvdjtp4ossiwtww55zfqsqixh37a.freemail". The freemail system is not compatible with traditional clearnet email providers, so there is no possibility to send or receive email messages from outside Freenet.31

Microblogging

The SONE plugin is very popular among Freenet users, because the developer keeps this forum clean of paedophiles and child pornography providers. Everything else is open for discussion here. Users can share their thoughts and can follow other users or can be followed by others. The installation method is similar to the Freemail plugin installation, and without the WebofTrust identity, the SONE will not work.32

Forums

Unlike the above mentioned, FMS (Free Message Service) is not a plugin, it is an application that can be downloaded by following this link: https://d6.gnutella2. info/freenet//USK@0npnMrqZNKRCRoGojZV93UNHCMN6UU3rRSAmP6j NLE,~BGedFtdCC1cSH4O3BWdeIYa8Sw5DfyrSVTKdO5ecAQACAAE/ fms/150/download.htm

The setup process is more complicated because the FMS identity needs to be linked to the WebofTrust identity. However, they are not fully compatible with each other. After completing the installation process the user still has to announce their identity on the network like they did in the case of WebofTrust and then they can post anything and/or subscribe to any news channel. The content on the FMS portal is not filtered, so it is like a real Dark Net web space.33

Chat

The official website of FLIP contains a Freenet plugin that allows users to send instant (nearly instant) messages to one another. After the installation of the plugin, the user cannot see any changes, because it has no visual interface. Before joining the chat, an IRC client should be installed (e.g. KVirc). Upon the first use of KVirc, in the options menu, the server settings should be set on local host and the network to FLIP, while the port should be set on 6667. After connecting to the server, the user can choose different channels to join the network. The system has a thirtysecond-latency and that is why it is called a "nearly" instant messaging service.34

Freesites

Freesites are actually simple HTML pages with some restrictions. The pages should be small in their size without the possibility of video or music streaming. A further restriction is that the HTML pages cannot contain any Java Script, CSS styles and so on. Also, the built-in content filter filtrates them out before they get into the browser for privacy reasons. If the user wishes, they can create a HTML page using any HTML authoring tool. Nevertheless, there are some guidelines and conventions that should be followed by the user and this is where the Jsite application comes in sight. The Jsite wizard with its step by step instructions helps the user upload a file to meet the requirements of the Freenet network. The last step for the user is to advertise the site because there is no search engine for Freenet, so users find sites in indexed link collections and in forums such as SONE, FMS or IRC channels.35

The main features of the Freenet application:

Pros:

* multiplatform application;

* decentralized, resilient;

* not vulnerable to manipulation or shutdown;

* censorship-resistant communication;

* protects the publisher and the reader;

* friend to friend mode.

Cons:

* complicated system settings;

* no search engine;

* no streaming possibility;

* high resource consumption;

* does not hide users' identity on Clearnet.

6.Nation-State Actors on the Dark Web

It is widely known from the news and criminal reports that the Dark Web is paradise for drug dealers and scammers, arm and human traffickers, not to mention terrorists, but it is a shelter for the politically motivated and those who try to avoid state censorship. There are states that recognize the advantages of the Dark Web where they can carry out their activity under the cloak of anonymity. The Dark Web is the ideal environment for conducting intelligence collection, espionage, procuring exploits, for exploit development, exploit testing, and geopolitical influence, not to mention critical infrastructure disruption and financial gain.36

The primary nation state actors are the United States, Russia, China, United Kingdom, Israel, and North Korea.37 They lead in the cyber-focused financial resources and manpower, although there are less well-known nation state actors that have been rising lately.

There are special requirements for successful cyber warfare; first of all skilled personnel, software solutions, financial resources and test environment for the development process and, last but not least, a great amount of time. It takes years even for a well-trained computer scientist to master hacker skills.

Since the summer of 2016 the security landscape has totally changed, because the "Shadow Brokers" hacking group released a set of toolkits used to collect intelligence on adversaries by the US National Security Agency (NSA). The tools included "UNITEDRAKE" a "fully extensible remote collection system" that was mentioned by Edward Snowden, the infamous whistle-blower. The software toolkit is modular, extensible, it has the ability to access of microphones, web cameras, IP cameras, external drives, keyboard inputs, and it also has the capability to disguise the origin of attack.38

The next important event took place almost a year later when WikiLeaks released the documentation of the CIA's Vault 7 and Vault 8 top secret projects. The most notable release was HIVE as a part of Vault 8, a multiplatform malware suite with the associated control software. Apart from the above mentioned software solutions, their documentation and even their source codes are available on the Dark Web.39

These "leaks" made it possible for smaller nation state actors with less resource capacity to build up their own cyber capability. They saved a big amount of money and time and they could shorten the developing process by reverse engineering and studying the technics and tactics.

Detection of nation state actors' presence on the Dark Web

It is obvious that nation state actors are not apparent on the Dark Web. They launch campaigns against their enemies, or collect confidential or critical information and when they achieve their goals they will not upload it to either the open net or the Dark Web unless it is in their interest. Nevertheless, Dark Owl analysts have successfully identified some nation state actors' fingerprints according to their indications and motivations on the Dark Web.40

a. Nation state actors use the Dark Web to purchase or steal cyber exploits

Nation state actors often purchase exploits to reverse engineering for developing software applications to protect their own critical or confidential infrastructures or to carry out actions against their enemy by the use of the modified exploits. Their most characteristic feature is outstanding budget. They buy exploits in bulk for significant amounts of money.41

b. Nation state actors obtain credentials on hostile governments or other geopolitical or military interest

The Dark Web is filled with US and other ·.gov email addresses that could be exploited or brute force attacked or targeted for spear-phishing. Obtaining and comparing the different kinds of credentials could be a significant information resource, and a lot of information can be harvested from these sources.42

c. Elaborate spear-phishing campaigns

Not only do criminals bring into force this kind of attack, targeting corporate or governmental networks but nation state actors use it as well for achieving their political and military goals. A team of Iranian hackers stole more than 2000 credentials - including U.S. government officials - by operating a fake news website, in 2014. It was the infamous "NEWSCASTER" campaign which went on undetected for 3 years.43

d. Critical infrastructure disruption

Nation-states fuelled cyber campaigns have become more widely spread in the last few years. The targets are sensitive government, corporate networks or data storages, and critical infrastructure systems, such as power grids, telecommunication networks and so on. During the conflicts over the Crimea allegedly Russian state, supported hackers shut down one part of the Ukrainian power grid44. The US Department of Homeland Security also reported numerous cyber based attacks against US critical infrastructures.

e. Nation state actors use the Dark Web to gain political influence

A Russian hacker who called himself "Guccifer 2.0" successfully breached the Democratic National Committee during the 2016 campaign and released the stolen information to influence the US elections. This hacker later was identified as a GRU (Russian Military Intelligence Service) officer.45

f. Dark Web propaganda

The propaganda is one of the prerequisite of the successful information operations. Malicious information about political or military enemies released on time can be the key to success. Many of the Dark Web services contain malicious information on nations leaked by governments on hidden forums.46 According to The New York Times, at least 70 countries hired paid or volunteered supporters who support their government interest according to the instructions.47

g. Intelligence and espionage by the nation state actors on the Dark Web

It is a well-known fact that originally TOR was created by U.S. Naval Research Lab (NRL) for clandestine communication. Later the NSA used it for covert intelligence collection from foreign adversaries. Strictly controlled countries, such as China, use it for collecting information on their own opposition citizens who try to avoid censorship.48

Basically there are three main areas of intelligent collection by nation state actors on the Dark Web:

* Information collection on terrorism, organized crime, child pornography, drug and arm or human trafficking and so on.

* OSINT information collection in terms of countries of interest from forums, chat rooms, social media services.

* Information collection on homeland enemies, opponent parties, or political dissents.

h. Exploit acquisition and development

Nation state actors and their supported nation state proxy actors obtain exploits from the Dark Web. The "black hat" forums and sites provide source codes and complete software packages either for money or for free and detailed manuals for the use of these software solutions. The hackers can share their experiences with others or one can hire hackers for special purposes.49

i. Profitability

Some countries utilize the Dark Web to circumvent US or UN sanctions. Last year, the American Virgil Griffith was arrested because he helped North Korea circumvent US posed sanctions and money laundering.50

Nation-state proxies and cyber terrorism

Depending on the security landscape, nation state actors often turn to proxies to remain incognito. It is widely known from different open source reports that the US, China, and Russia have private cyber contractors who act on behalf of their governments. Edward Snowden and Realty Winner were both employees of a private contractor of the NSA. Of course, the exact number of intelligence and cyber security specialist who work for their governments or their contractors is inestimable, but we can be sure that countries will continue to increase the number of contractors.

Conclusions

This study is written with the aim of demonstrating the use of three Dark Web related software products, and how nation state actors are present on the Dark Web. The author gave an outline of how these applications work and what their main characteristics are. The topic is so complicated that many interesting issues remained untouched, such as their vulnerability against different kind of attacks, de-anonymizing pursuits, forensic artefacts and so on.

The other part of the study is dealing with the presence of nation state actors on the Dark Web, because from the news and criminal reports one can think that this realm is only for criminals and terrorists.

Nation-state actors realized the new horizons of the Dark Web and they enjoy the advantages of this new realm where they can carry out their clandestine activities under the cloak of anonymity. They often turn to private contractors to avoid attributing to "hot" operations. The leak of the top secret projects, applications and solutions of the NSA and CIA made it possible for countries with limited resources to improve their cyber capabilities. It has changed the security landscape dramatically and this process is far from its end.

Nation state actors leave so called fingerprints on the Dark Web by which, in some cases, they can be identified. It is not a secret that different kinds of nation state agencies establish honeypots, and sign up on forums or chat rooms. On the forums of the Dark Web, experienced users tell stories about when they found some nation state actors.

There is a significant duality in the activity of nation state actors. On one hand, they enjoy the advantages of the Dark Web, which is mainly the relative anonymity but on the other hand, they try to disclose the identity of its users. In 2019, hackers behind the name of "ov1RU$" breached the SyTech Russian intelligence contractor and revealed a number of secretive programs targeting TOR anonymity. The contractor is working closely with Russian Air Force and FSB.51 This case together with the above mentioned activities of nation state actors and the state sponsored proxies is a good example of the duality that is the main feature of cyber war waged on the Dark Web.