The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
Many of these infection efforts are pulled together by the CIA’s Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as “Assassin” and “Medusa”. Attacks against Internet infrastructure and webservers are developed by the CIA’s Network Devices Branch (NDB). The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB’s “HIVE” and the related “Cutthroat” and “Swindle” tools, which are described in the examples section below.
HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.
The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.
Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a ‘Blot’ server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the ‘Honeycomb’ toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious-looking website.
The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.
And we all thought the NSA snooping was bad… it seems the CIA wanted to stop having to ask the NSA for information, so they made their own hacking division. I read the press release, and have only started to look through some of the actual documents, but holy hell. It reminds me of the Snowden leaks and the ‘we kind of already knew, but never had proof’ feeling. The release contains everything from retrospectives to how-to’s and even Tradecraft Dos-and-Don’ts; there’s even some New Developer Exercises (my favorite is the ‘Capture The Flag’).
None of this is all that surprising, as anyone who has a vague concept of modern internet-connected technology would understand; however what is alarming, when compared to the Snowden/NSA leaks, is that the CIA is even further from public scrutiny than the NSA. Not to mention the new administration’s penchant for wannabe-totalitarianism.
I know there are some very knowledgeable IT and security folks here, what are your thoughts on these tools? Are they a concern for your networks? What about if these tools get out to the public space (which they basically already are)? Is it time to cut all electronics out of my life, move to a Faraday cage in the woods and wear an aluminum foil hat?
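Added example, not from the post or the leaked documents: the one observable tell in the HIVE setup quoted above is that the implant, unlike a browser hitting the cover domain by accident, presents a TLS client certificate to an external server. That shows up in passive TLS logs, so the script below scans constructed Zeek-style ssl.log lines (the field names are Zeek's, the hosts and names are invented) for internal clients that authenticated with their own certificate to an external name outside a hypothetical allowlist of known mTLS services.

```python
import csv
import io
from collections import Counter

# Constructed sample modelled on Zeek's ssl.log (tab-separated); the
# addresses, names and file ids are invented for this example.
SAMPLE_SSL_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tclient_cert_chain_fuids\testablished
1488900000.1\t10.0.0.5\t203.0.113.10\t443\tupdates.example-corp.com\t(empty)\tT
1488900010.2\t10.0.0.7\t198.51.100.20\t443\tweather-news.example\tFabc123\tT
1488900020.3\t10.0.0.7\t198.51.100.20\t443\tweather-news.example\tFabc123\tT
1488900030.4\t10.0.0.9\t203.0.113.44\t443\tvpn.example-corp.com\tFdef456\tT
1488900040.5\t10.0.0.5\t198.51.100.20\t443\tweather-news.example\t-\tT
"""

# Hypothetical allowlist: external services to which our clients legitimately
# present certificates (corporate VPN, partner mTLS APIs, ...).
KNOWN_MTLS_SERVERS = {"vpn.example-corp.com"}


def client_presented_cert(field: str) -> bool:
    """Zeek writes '-' for an unset field and '(empty)' for an empty vector;
    anything else means the client sent at least one certificate."""
    return field not in ("-", "(empty)", "")


def find_outbound_client_auth(log_text: str, allowlist=KNOWN_MTLS_SERVERS):
    """Return [(client_ip, server_name, count)] for established HTTPS sessions
    in which an internal client authenticated with its own certificate to a
    server not on the allowlist. Browsers almost never do this unprompted, so
    a host doing it repeatedly to one external name deserves a closer look."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    hits = Counter()
    for row in reader:
        if row["established"] != "T" or row["id.resp_p"] != "443":
            continue
        if not client_presented_cert(row["client_cert_chain_fuids"]):
            continue
        name = row["server_name"] or row["id.resp_h"]  # fall back to IP if no SNI
        if name in allowlist:
            continue
        hits[(row["id.orig_h"], name)] += 1
    return sorted((ip, name, n) for (ip, name), n in hits.items())


if __name__ == "__main__":
    for ip, name, n in find_outbound_client_auth(SAMPLE_SSL_LOG):
        print(f"{ip} presented a client certificate to {name} {n} time(s)")
```

On real traffic, feed it the ssl.log from your sensor and expect the allowlist to need a few rounds of tuning before the remaining hits are interesting.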