query Engelsk-svensk ordbok

Security researches and forensic experts will find more detailed informationon how watermarks are applied to documents in the source code, which isincluded in this publication as a zipped archive. Today, May 5th 2017, WikiLeaks publishes “Archimedes”, a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target’s computers web browser to an exploitation server while appearing as a normal browsing session.

Vault 7: ExpressLane

Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems.

CIA malware targets iPhone, Android, smart TVs

Sarkozy’s earlier self-identification as “Sarkozy the American” did not protect him from US espionage in the 2012 election or during his presidency. Today, April 14th 2017, WikiLeaks publishes six documents from the CIA’s HIVE project created by its “Embedded Development Branch” (EDB). The classification marks of the User Guide document hint that is was originally written by the british MI5/BTSS and later shared with the CIA. Both agencies collaborated on the further development of the malware and coordinated their work in Joint Development Workshops. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods.

Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. “Pandemic” targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets). CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.

Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA. Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated. Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA.

• “Assassin” (just like “AfterMidnight”) will then periodically beacon to its configured listening post(s) to request tasking and deliver results.
• Source code and analysis for CIA software projects including those described in the Vault7 series.
• The CIA espionage orders published today are classified and restricted to U.S. eyes only (“NOFORN”) due to “Friends-on-Friends sensitivities”.

The wireless device itself is compromized by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking.

What time period is covered?

FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation. When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult). WikiLeaks publishes documents of political or historical importance that are censored or otherwise suppressed.

Vault 7: Protego

OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field. All major French political parties were targeted for infiltration by the CIA’s human (“HUMINT”) and electronic (“SIGINT”) spies in the seven months leading up to France’s 2012 presidential election.

The revelations are contained within three CIA tasking orders published today by WikiLeaks as context for its forth coming CIA Vault 7 series. Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware. The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. According to the documentation (see Athena Technology Overview), the malware was developed by the CIA in cooperation with Siege Technologies, a self-proclaimed cyber security company based in New Hampshire, US. On their website, Siege Technologies states that the company “… focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets.”.

Global Intelligence Files

Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means.

• Indeed there is no explicit indication why it is part of the project repositories of the CIA/EDG at all.
• Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute.
• “The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.”.
• Today, September 7th 2017, WikiLeaks publishes four secret documents from the Protego project of the CIA, along with 37 related documents (proprietary hardware/software manuals from Microchip Technology Inc.).

Source code and analysis for CIA software projects including those described in the Vault7 series. Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “Designed to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”

The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine. The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet.

These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called ‘Blot’. HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence. “Assassin” is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. “Assassin” (just like “AfterMidnight”) will then periodically beacon to its configured listening post(s) to request tasking and deliver results.

Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like ‘MS Security Essentials’, ‘Rising’, ‘Symantec Endpoint’ or ‘Kaspersky IS’ on target machines do not detect Grasshopper elements. The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs cash over and short (DLLs) without user interaction.