15 November 2017

WikiLeaks Releases Source Code of CIA Hacking Tools

In a new round of disclosures, WikiLeaks has released what it claims to be the source code of CIA hacking capabilities. Dubbed Vault 8, the release includes source code and development logs of “Project Hive”, a back-end command-and-control (C2) architecture the CIA allegedly uses to covertly control malware implanted on machines around the world. Hive is designed to frustrate attribution: implants talk to innocuous-looking cover websites, and the traffic is relayed onward through multiple stages of virtual private networks (VPNs) before it reaches the operators. Notably, Hive allegedly evades scrutiny by network administrators by presenting forged digital certificates that carry the names of real organizations, much as a counterfeit passport carries the name of a real country. Such a certificate reads as legitimate to anyone inspecting its subject and issuer fields, but because the named certificate authority never actually signed it, it would not validate against that authority's genuine key. According to the statement released by WikiLeaks, “The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town.”

The Cipher Take:

Publishing source code, rather than documentation of hacking capabilities as was the case in Vault 7, is a major escalation on the part of WikiLeaks. Other entities, including criminal groups, could co-opt these tools for their own purposes, much as others used NSA tools published by the Shadow Brokers to spread the WannaCry and NotPetya ransomware.

Even more notable is the timing of WikiLeaks' decision to release the source code for Hive: though the project was first documented in April, the source code itself appears only after reports that Kaspersky Lab antivirus detected and collected NSA hacking tools from an employee's unsecured personal computer, somehow resulting in Russian intelligence gaining access to the tools. The subtle assertion WikiLeaks seems to be making is that if the CIA can imitate Kaspersky during its espionage, then perhaps others did just that when stealing NSA material. Imitating an antivirus firm is close to perfect cover for communicating with other computers, because antivirus products routinely send samples and telemetry back to their vendor, so traffic to what looks like an antivirus company draws little scrutiny. Kaspersky has acknowledged that it picked up the NSA tools through the normal functioning of its product, but this new release by WikiLeaks lets others, including criminals and adversarial nation-states, mimic legitimate entities when controlling their malware, further undermining clear attribution.
