Learn client-server C programming – with this free tutorial from the CIA

Available now via everyone's favorite publisher, WikiLeaks – Отличная работа, Джулиан!

WikiLeaks has shoved online more internal classified stuff nicked from the CIA – this time what's said to be the source code for spyware used by Uncle Sam to infect and snoop on targets' computers and devices.

Today's code dump is part of a larger collection called Vault 8, and spills onto the internet what is claimed to be the CIA's Hive tool. This software comes in two parts: one half runs on a snoop-controlled server and issues commands to the client, the other half, which lurks quietly on an infected device or computer.

How exactly the client side of the malware gets into the endpoints to do its spying isn't revealed: there are no exploits for software or hardware vulnerabilities, nor any zero days uncovered, it appears. It's a remote-control tool that sheds light on the CIA's programming abilities – and the C code is pleasantly clean from our glance through it – and handily lays out a way to perform server-client operations. A free US taxpayer-funded programming tutorial, if you will.

The software could be used by miscreants to build functionality into their own software nasties, however, there are tons of other examples out there they could crib from, so today's dump isn't exactly arming crooks with powerful cyber-weapons. It's just embarrassing for the CIA, if the code is indeed the agency's classified blueprints.


WikiLeaks doc dump reveals CIA tools for infecting air-gapped PCs


The spyware is designed to be installed on ARM, MIPS, PowerPC and x86 devices powered by Linux, particularly routers and internet-connected cameras from Mikrokit and AVTech. It communicates via encrypted SSL/TLS connections to a remote server. That server appears to be serving a normal website to passing visitors, but the implanted malware uses a HTTPS feature called optional client authentication to access secret areas where it can receive instructions to execute. The client can be instructed to download or upload files, delete documents, and run commands.

Agents would ensure the malware is not traced back to them: the server should run in a throwaway virtual machine, and be dressed up to look like an innocent dull site. The HTTPS connections are established using security certificates that appear to belong to antivirus maker Kaspersky Lab, allegedly. Spies would be expected to connect to the control servers via a web of VPNs, proxies and other cover servers.

"Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention," the Julian-Assange-led WikiLeaks said of the software.

"Even if [a Hive] implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet."

No actual executables are included, so you would have to build the programs yourself. The software's operation is described here, and the version leaked this week dates between August 2013 and October 2015, apparently.

"The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website," WikiLeaks claimed.

"The only peculiarity is not visible to non-technical users - a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional."

The Vault 8 dump is the latest attempt by WikiLeaks to shed light on the CIA's covert online operations. Previous leaks have included details on the American government's use of forensics tools, zero-day exploits, and infection techniques. The spying agency declined to comment. ®

Broader topics

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022