Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services — which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc.
Spy Files
- Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release.
- Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming from or going to.
- Vault 7 is a series of WikiLeaks releases on the CIA and the methods and means they use to hack, monitor, control and even disable systems ranging from smartphones, to TVs, to even dental implants.
- As the name suggests, a single computer on a local network with shared drives that is infected with the “Pandemic” implant will act like a “Patient Zero” in the spread of a disease.
- If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods.
- The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).
Today, May 5th 2017, WikiLeaks publishes “Archimedes”, a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target’s computers web browser to an exploitation server while appearing as a normal browsing session. The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system.
Vault 8: Hive
Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next beacon. FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation. When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult). Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA.
CIA espionage orders for the 2012 French presidential election
If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked. The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic.
According to the documentation (see Athena Technology Overview), the malware was developed by the CIA in cooperation with Siege Technologies, a self-proclaimed cyber security company based in New Hampshire, US. On their website, Siege Technologies states that the company “… focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets.”. The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted What Is Ethereum link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system. Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant, that once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can be possibly detected on infected machines.
Tools
Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. “Gremlins” are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins.
In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for “Man-In-The-Middle” attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users.
Security researches and forensic experts will find more detailed informationon how watermarks are applied to documents in the source code, which isincluded in this publication as a zipped archive. Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
- The “Assassin” C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as” The Gibson” and allow operators to perform specific tasks on an infected target..
- By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.
- Our submission system works hard to preserve your anonymity, but we recommend you also take some of your own precautions.
- Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution.
- The document illustrates a type of attack within a “protected environment” as the the tool is deployed into an existing local network abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
CIA Director John Brennan emails
This is a list of the malware, CIA hacking projects, and other vulnerabilities documented in Vault 7. Vault 7 is a series of WikiLeaks releases on the CIA and the methods and means they use to hack, monitor, control and even disable systems ranging from smartphones, to TVs, to even dental implants. The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The document illustrates a type of attack within a “protected environment” as the the tool is deployed into an existing local network abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.
If you are a high-risk source, avoid saying anything or doing anything after submitting which might promote suspicion. If the computer you are uploading from could subsequently be audited in an investigation, consider using a computer that is not easily tied to you. Technical users can also use Tails to help ensure you do not leave any records of your submission on the computer. If you have a very large submission, or a submission with a complex format, or are a high-risk source, please contact us. In our experience it is always possible to find a custom solution for even the most seemingly difficult situations.
The special payload “AlphaGremlin” even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine. Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The following is the address of our secure site where you can anonymously upload your documents to WikiLeaks editors.
