In This article we will learn about CIA Vault 7 Data Leak.
Vault 7[CIA Vault 7 Data Leak]:
WikiLeaks has obtained thousands of files allegedly from the US Central Intelligence Agency (CIA) network. In this post, I will try to summarize what has happened in recent weeks and what the organization has revealed
- The Year Zero, which revealed the exploits of CIA hackers for hardware and software.
- Dark Matter listing includes iPhone and Mac hacking exploits.
- The Marble batch focused on a framework used by the CIA to make it difficult to attribute cyberattacks.
- A batch of Grasshopper that reveals a framework for customizing malware to infiltrate Microsoft’s Windows and bypass antivirus protection.
- Project Scribbles for document tracking
- The YearZero dump – The beginning
On March 7, 2017, WikiLeaks published the first batch of files allegedly originating from the highly secure network of the US Central Intelligence Agency (CIA).
The organization announced that it had obtained thousands of files that reveal the hacking capabilities of the CIA and its internal organizations, a huge trove of data called “Vault 7”.
WikiLeaks has dubbed the first part of the rare archive “Year Zero,” a collection of 8,761 classified documents and files stolen from the CIA’s Langley facility.
“The first complete volume in the series, ‘Year Zero’, contains 8,761 documents and files from an isolated high-security network located inside the CIA’s Cyber Intelligence Center in Langley, Virginia. reads the notice issued by WikiLeaks.
The archive contains hacking tools and malicious code used by US intelligence during its operations. Some of the exploits included in the dump were specifically designed to target popular products from various IT companies, including Samsung, Apple, Google and Microsoft.
“Recently, the CIA lost control of most of its hacking arsenal, including malware, viruses, trojans, zero day exploits, remote control malware, and related documentation.”
According to WikiLeaks, the rare archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them probably provided the files to WikiLeaks.
The CIA’s arsenal includes hacking tools developed by CCI’s Engineering Development Group (EDG) to target almost any technology, from mobile devices to desktop computers and, of course, Internet of Things devices such as routers and smart TVs.
The archive confirmed that US intelligence has dozens of zero-day code exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.
The document revealed the existence of an EDG development team tasked with creating and testing any malicious code, including implants, backdoors, exploits, Trojan horses and viruses.
“The CIA’s malware and hacking tools are created by the EDG (Engineering Development Group), a software development group within the CCI (Center for Cyber Intelligence), a division of the CIA’s DDI (Directorate for Digital Innovation). continues WikiLeaks.
In leaking valuable information, WikiLeaks confirmed that it would not release the tools and exploits “until a consensus emerges about the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and disclosed.”
Rare documents confirm intensive cooperation with other domestic and foreign intelligence agencies, including the NSA, Britain’s GCHQ and MI5, as well as other contractors.
One of the documents belonging to the first batch details a hacking tool called Weeping Angel used to hack Samsung Smart TVs, developed by the CIA with colleagues from MI5.
“The attack against Samsung smart TVs was developed in collaboration with the British MI5/BTSS. Once infected, Weeping Angel puts the target TV into ‘Fake-Off’ mode, making the owner falsely believe that the TV is off when it is on. In ‘Fake-Off’ mode, the TV acts like a bug, recording conversations in the room and sending them over the Internet to a hidden CIA server.” WikiLeaks continues.
YearZero’s digs also found that CIA hackers were able to bypass the encryption implemented by the most popular secure messaging apps, such as Signal, WhatsApp and Telegram.
The hacking tools and techniques were designed by a CIA unit called the Embedded Development Branch (EDB).
“Today, March 23, 2017, WikiLeaks releases Vault 7 ‘Dark Matter’, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even when the operating system is reinstalled) developed by Embedded CIA.” Development Branch (EDB). These documents explain the techniques used by the CIA to gain “persistence” on Apple Macs, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware. reads the description of dark matter provided by WikiLeaks.
CIA experts found a way to infect Apple’s firmware to gain persistence, so attackers were able to keep the infection on Mac OS and iOS devices even after the operating system was reinstalled.
According to WikiLeaks, one of the most interesting documents is related to the “Sonic Screwdriver” project, which is a “mechanism for running code on peripheral devices when a laptop or desktop Mac is booted” that allows an attacker to run their attack software, for example. from USB flash drive “even if firmware password is enabled”.
This technique allows a local attacker to install their hacking tool using a peripheral device (i.e. USB stick, screwdriver) “even if the firmware password is enabled on the device”. This meant that Sonic Screwdriver allows attackers to modify the device’s read-only memory, the documents revealed that the malware is stored in Apple’s Thunderbolt-to-Ethernet adapter.
Digging through the Dark Matter dump, we find the NightSkies 1.2 hack tool, which is described as a “beacon/loader/implant tool” for the Apple iPhone.
“Also included in this release is the CIA ‘NightSkies 1.2’ guide and the ‘Beacon/Loader/Implant Tool’ for the Apple iPhone. Notably, NightSkies reached 1.2 by 2008 and is specifically designed to be physically installed on new iPhones from the factory. This means the CIA has been infecting its targets’ iPhone supply chain since at least 2008, WikiLeaks continues.
This tool was developed by a CIA expert to infect “fresh” iPhones; it could be used, for example, to compromise mobile devices at the delivery stage. The existence of this tool suggests that the Central Intelligence Agency has been targeting the iPhone supply chain since at least 2008.
“While CIA assets are sometimes used to physically infect systems in a target’s custody, it is likely that many CIA physical access attacks have infected the target organization’s supply chain, including interdiction of mail orders and other shipments (opening, infecting, and reshipping) in the United States or elsewhere ,” says WikiLeaks.
“DarkSeaSkies” is another implant detailed in the documents contained in the Dark Matter repository, it is “an implant that persists in the EFI firmware of an Apple MacBook Air” and consists of “DarkMatter”, “SeaPea” and “NightSkies”. respectively EFI, kernel-space and user-space implants.
Vault 7 Episode 3 – Marble framework
On April 1, WikiLeaks released the third batch of the CIA Vault7 archive, which shed light on the anti-forensic tools used by the intelligence agency.
This set of documents has been named Mable and includes source code files for an anti-forensics platform codenamed Marble Framework. The dump contains 676 files of the Marble Framework source code, which was developed by the CIA to perform hard forensics on its malicious code.
The code, developed by a CIA expert, was able to evade detection using various techniques, such as being able to detect whether the code was running in a sandboxed virtual machine.
The Marble platform makes attribution of attacks difficult; the documents show how the CIA can carry out a cyber attack in a way that experts attribute to other countries, including Russia, China, North Korea and Iran.
“Today, March 31, 2017, WikiLeaks is releasing Vault 7 ‘Marble’ – 676 source code files for the CIA’s secret anti-forensics Marble Framework. Marble is used to preventing forensic investigators and anti-virus companies from attributing viruses, trojan horses and hacking attacks to the CIA,” reads WikiLeaks.
“Marble does this by hiding (“cloaking”) fragments of text used in CIA malware from visual inspection. It is the digital equivalent of a specialized CIA tool that can overlay English text onto US-made weapons systems before passing them on to covertly supported insurgents C.I.A.
The Marble Framework includes algorithms for injecting multiple strings in different languages into the malware source code. Cyber spies thus make attribution difficult and hinder research conducted by forensic experts.
Using such techniques, malware authors try to trick victims into believing that the malware was developed by US/UK Vxers.
“The source code shows that Marble has test examples not only in English, but also in Chinese, Russian, Korean, Arabic and Persian.” continues WikiLeaks. “This would allow a forensic attribution double game, for example by pretending that the malware author’s spoken language was not US English but Chinese, but then attempts to hide the use of Chinese would be evident, further misleading forensic investigators. conclusion, but there are other options, such as hiding fake error messages.”
Marble dump also includes a deobfuscator to reverse the obfuscation of CIA text, which allows experts to identify patterns of attacks carried out by the CIA and attribute previous hacks and malicious code to the Agency.
Marble Framework does not contain any vulnerabilities or exploits, in 2016 it was used by the CIA, in 2015 cyberspies used version 1.0.
Vault 7 Episode 4 – Grasshopper Framework
On April 7, WikiLeaks released a batch of 27 documents detailing a framework codenamed Grasshopper that was allegedly used by the CIA to create its own Windows malware installers.
The framework allows operators to create their own payload, run it, and analyze the execution results.
The leaked documents form a user manual classified as “secret” that was made available to CIA cyber spies.
“The documents published by WikiLeaks today provide insight into the process of building modern spy tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, and provide guidance for those seeking to defend their systems to identify any existing compromise,” WikiLeaks reported.
Figure 3 – Grasshopper Framework User Guide
The dropper described in the Grasshopper manual should only be loaded and run in memory; framework allows you to create your own malware that can compromise the target system and bypass the antivirus it uses. According to the documentation, each executable generated by the Grasshopper framework contains one or more installers.
“The Grasshopper executable contains one or more installers. An installer is a bundle of one or more installation components,” the manual says. “Grasshopper invokes each stack component in series to operate on the payload. The ultimate purpose of the installer is to hold the payload.”
The framework offers various persistence mechanisms to operators that can define a series of rules that must be met before the installation can run. The rules allow attackers to target specific systems specifying their technical details (ie x64 or x32 architecture, OS).
“The executable can have a global rule that will be evaluated before any installer is run. If a global rule is provided and evaluates to false, the executable aborts the operation,” the manual continues.
One of the persistence mechanisms mentioned in the user guide is called Stolen Goods. The CIA used mechanisms implemented by malicious code used by cybercriminals in the wild.
For example, the CIA modified some components of the popular Carberp rootkit.
“The persistence method and parts of the installer have been removed and modified to suit our needs,” the leaked document says. “The vast majority of the original Carberp code that was used was heavily modified. Very few pieces of the original code exist unaltered.
Another persistence mechanism uses the Windows Update Service to allow the payload to run each time the system boots or every 22 hours; this technique uses a number of DLLs specified in the registry.
Vault 7 Episode 5 – The Scribbles Project for document tracking
WikiLeaks released details of a CIA project codenamed Scribbles (aka “Snowden Stopper”). The Scribbles is software allegedly developed to insert “web beacons” into classified documents to track whistleblowers and foreign spies.
This kind of software allows the agency to track access to sensitive and classified documents and track the people accessing them.
WikiLeaks leaked the Scribbles documentation, which also contains the source code of the latest released version of the software (v1.0 RC1), which is dated March 1, 2016. This date suggests that Scribbles was used by the CIA until at least last year.
Scribbles is a “document pre-watermarking system that inserts ‘web beacon’-style marks into documents that are likely to be copied by insiders, whistleblowers, journalists or others.”
The Scribbles software was written in the C# programming language and generates a different random watermark for each document.
“(S//OC/NF) Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a preset input directory. It generates a random watermark for each document, embeds that watermark in the document, saves all processed documents in the output directory, and creates a log file that identifies the watermarks embedded in each document. reads the Scribbles user manual.
Figure 4- Documentation Scribbles
Every time a user accesses a watermarked document, it reads the embedded file in the background and creates a record on the CIA’s tracking server. The Intelligence Agency collects several pieces of access information, including the user who copied the file, the time stamp, and the user’s IP address. In this way, it is possible to monitor access to documents and possible misuse.
A leaked CIA user manual revealed that the Scribbles surveillance software only works with Microsoft Office. According to the user manual, the tool was developed for off-line preprocessing of Microsoft Office documents; it could not be used with other applications. If the watermarked documents are opened in any other software such as OpenOffice or LibreOffice, users can reveal the watermarks and URLs.
According to the leaked documents, “the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), Office 97-2016 documents (Office 95 documents will not work!) [and]…documents that they are not locked forms, encrypted or password protected.”
Another limitation of the software is that the watermarks are loaded from a remote server, so the tool should only work when the user accessing the marked documents is connected to the Internet.
Vault 7 Episode 6 Hack Tool Archimedes MitM
On Mat 5th, WikiLeaks released a batch of documents detailing a man-in-the-middle (MitM) attack tool called Archimedes, allegedly used by the CIA to target local networks.
Leaked documents from 2011 to 2014 provide details on the tool, originally codenamed Fulcrum and later renamed Archimedes by the development team.
Figure 5 – Archimedes Tool User Guide
A CIA hacking tool that allows operators to redirect LAN traffic from a target computer through an attacker-controlled machine before it is routed to a gateway.
“Archimedes is Fulcrum update 0.6.1.” reads the documentation for the Archimedes tool. “Archimedes is used to redirect LAN traffic from a target computer through a computer controlled by the attacker before it is passed to the gateway. This allows the tool to inject a fake web server response that redirects the target’s web browser to an arbitrary location. This technique is typically used to redirect a target to an exploitation server while providing the appearance of a normal browsing session. For more information about the tool, see the original Fulcrum 0.6.1 documentation.”
According to SANS instructor Jake Williams, who analyzed the leaked documents, the Archimedes tool appears to be a repackaged version of the popular MITM tool Ettercap.
Alleged CIA targets may have used leaked information about the Archimedes tool to check whether US intelligence had hacked their systems.
Potential victims can search their systems for these hashes.
Figure 6- Archimedes hashes
Archimedes introduced several improvements with respect to the Fulcrum tool, such as:
- Support for disabling the route validation check that takes place before exploit.
- Add support for a new HTTP embedding method based on using a hidden IFRAME element.
- Modify the DLLs to support the Fire and Forget specification (version 2).
- Provide a way to gracefully shut down the tool on demand.
- Removes most warning strings from release binaries.
- The tool itself is not sophisticated; it might be interesting to understand how CIA agents used it in targeted attacks.