(See our Tor tab for more information.) We also advise you to read our tips for sources before submitting. The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database.
Vault 7: Dumbo
WikiLeaks publishes documents of political or historical importance that are censored or otherwise suppressed. If you are at high risk and you have the capacity to do so, you can also access the submission system through a secure operating system called Tails. Tails is an operating system launched from a USB stick or a DVD that aims to leave no traces when the computer is shut down after use and automatically routes your internet traffic through Tor. Tails will require you to have either a USB stick or a DVD of at least 4GB and a laptop or desktop computer. Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks’ earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.
OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services. BadMFS is a library that implements a covert file system that is created at the end of the active partition (or in a file on disk in later versions). Some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named “zf”.
- The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.
- The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access.
- The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction.
- “AfterMidnight” allows operators to dynamically load and execute malware payloads on a target machine.
- Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.
Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International). Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista and newer versions of the Windows operating system. If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods. If you do this and are a high-risk source you should make sure there are no traces of the clean-up, since such traces themselves may draw suspicion.
Media Partners
Today, April 7th 2017, WikiLeaks releases Vault 7 “Grasshopper” documents from the CIA’s Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems. Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that differ significantly from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.
Vault 7: Elsa
It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA. Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities.
- Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones.
- Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA.
- HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3.
- Protego is not the “usual” malware development project like all previous publications by WikiLeaks in the Vault7 series.
The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used.
These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware. Additionally, Grasshopper provides a very flexible language to define rules that are used to “perform a pre-installation survey of the target device, assuring that the payload will only be installed if the target has the right configuration”. Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not. The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.
Vault 7: UCL / Raytheon
This is a list of the malware, CIA hacking projects, and other vulnerabilities documented in Vault 7. Vault 7 is a series of WikiLeaks releases on the CIA and the methods and means they use to hack, monitor, control and even disable systems ranging from smartphones, to TVs, to even dental implants. The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The document illustrates a type of attack within a “protected environment”, as the tool is deployed into an existing local network, abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
Vault 7: CIA Hacking Tools Revealed
According to the documentation (see Athena Technology Overview), the malware was developed by the CIA in cooperation with Siege Technologies, a self-proclaimed cyber security company based in New Hampshire, US. On their website, Siege Technologies states that the company “… focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets.” The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but as yet unknown, link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system. Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant, which, once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can possibly be detected on infected machines.
Vault 7: Project Dark Matter
It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation. HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence. “Assassin” is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. “Assassin” (just like “AfterMidnight”) will then periodically beacon to its configured listening post(s) to request tasking and deliver results.
Security researchers and forensic experts will find more detailed information on how watermarks are applied to documents in the source code, which is included in this publication as a zipped archive. Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
In order to use the WikiLeaks public submission system as detailed above you can download the Tor Browser Bundle, which is a Firefox-like browser available for Windows, Mac OS X and GNU/Linux and pre-configured to connect using the anonymising system Tor. John Brennan became the Director of the Central Intelligence Agency in March 2013, replacing General David Petraeus who was forced to step down after becoming embroiled in a classified information mishandling scandal. Brennan was made Assistant to the President for Homeland Security and Counterterrorism on the commencement of the Obama presidency in a position he held until taking up his role as CIA chief.
HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP.
So far the first release in the Vault 7 series has been titled “Year Zero” and includes a number of branches of the CIA’s Center for Cyber Intelligence and their projects. Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA. One of the persistence mechanisms used by the CIA here is ‘Stolen Goods’ – whose “components were taken from malware known as Carberp, a suspected Russian organized crime rootkit”, confirming the recycling of malware found on the Internet by the CIA. “The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.” The released version (v1.0 RC1) is dated March 1st, 2016 and classified SECRET//ORCON/NOFORN until 2066.
In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks. Even those who mean well often do not have the experience or expertise to advise properly.