WikiLeaks has shoved online more internal classified stuff nicked from the CIA – this time what's said to be the source code for spyware used by Uncle Sam to infect and snoop on targets' computers and devices.
Today's code dump is part of a larger collection called Vault 8, and spills onto the internet what is claimed to be the CIA's Hive tool. This software comes in two parts: one half runs on a snoop-controlled server and issues commands to the other half, which lurks quietly on an infected device or computer.
How exactly the client side of the malware gets into the endpoints to do its spying isn't revealed: there are no exploits for software or hardware vulnerabilities, nor any zero days uncovered, it appears. It's a remote-control tool that sheds light on the CIA's programming abilities – and the C code is pleasantly clean from our glance through it – and handily lays out a way to perform server-client operations. A free US taxpayer-funded programming tutorial, if you will.
The software could be used by miscreants to build functionality into their own software nasties. However, there are tons of other examples out there they could crib from, so today's dump isn't exactly arming crooks with powerful cyber-weapons. It's just embarrassing for the CIA, if the code is indeed the agency's classified blueprints.
The spyware is designed to be installed on ARM, MIPS, PowerPC and x86 devices running Linux, particularly MikroTik routers and AVTech internet-connected cameras. It talks to a remote server over encrypted TLS connections. That server appears to serve a normal website to passing visitors, but the implanted malware uses an HTTPS feature called optional client authentication to reach hidden areas where it can pick up instructions to execute: the server asks every connecting client for a certificate, lets ordinary browsers through without one, and only a client presenting a certificate the spies issued is treated as an implant and handed tasking. The client can be instructed to download or upload files, delete documents, and run commands.
Operators are expected to make sure the malware cannot be traced back to them: the control server should run in a throwaway virtual machine and be dressed up to look like an innocent, dull website. The HTTPS connections are allegedly established using certificates made to appear to belong to antivirus maker Kaspersky Lab. Spies would be expected to reach the control servers through a web of VPNs, proxies and other cover servers.
"Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention," the Julian-Assange-led WikiLeaks said of the software.
"Even if [a Hive] implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet."
No actual executables are included, so you would have to build the programs yourself. The software's operation is described in the accompanying documentation, and the version leaked this week apparently dates from between August 2013 and October 2015.
"The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website," WikiLeaks claimed.
"The only peculiarity is not visible to non-technical users - a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional."
The Vault 8 dump is the latest attempt by WikiLeaks to shed light on the CIA's covert online operations. Previous leaks have included details on the American government's use of forensics tools, zero-day exploits, and infection techniques. The spying agency declined to comment. ®