kentoh - Fotolia

WikiLeaks publishes code and analysis of CIA hacking tool

Security experts are questioning the wisdom of WikiLeaks releasing more source code for US intelligence agency hacking tools

Whistle-blowing organisation WikiLeaks has begun a new series of leaks of the source code of software allegedly designed to run on servers controlled by the US Central Intelligence Agency (CIA).

The first release in the series claims to be source code and analysis for a major component of the infrastructure used to control malware developed by the CIA.

“This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components,” said WikiLeaks.

The latest publication, dubbed “Vault 8”, comes two months after the last of the “Vault 7” series of leaks made over a seven-month period.

WikiLeaks claimed the documents had come from an isolated, high-security network inside the CIA’s Center for Cyber Intelligence in Langley, Virginia, but this has never been confirmed by the CIA.

The previous series of leaks mentioned a multi-platform CIA malware suite and its associated control software, called “Hive”.

The project was said to provide customisable implants for Windows, Solaris, MikroTik and Linux platforms, and a command and control (C2) infrastructure to communicate with these implants.

Read more about cyber weapons

  • There is a lot of “fog” surrounding cyber weapons and cyber war because there is no way of knowing the true capability of any country, says security expert Mikko Hyppönen.
  • Countries are not attacking each other but striking at the IT infrastructure of enterprises in rival states, says security pundit Bruce Schneier.
  • Armed forces minister Nick Harvey has revealed the UK is working on a cyber weapon programme with offensive capabilities to counter cyber warfare threats to national security.

The latest release by WikiLeaks provides the source code, development logs and other documentation for Hive.

The documents complement the Hive users guide, developers guide, infrastructure installation and configuration guide, and documentation on the Hive Beacon Infrastructure published previously.

But WikiLeaks claims that, like the Vault7 series, the material published by WikiLeaks does not contain zero-days or other vulnerabilities that could be repurposed by others.

According to WikiLeaks, Hive is designed to make implants (malware) difficult to attribute to the CIA. “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and receive new instructions from operators at the CIA,” it said.

Hive was designed to solve the “critical problem” of enabling the CIA to communicate with malware implants on target computers in a secure manner that does not draw attention.

Hive achieves this by anonymously registering a cover domain for each operation and using a virtual private server (VPS) rented from a commercial hosting provider to run the domain. These servers are then used as a relay for traffic over a virtual private network (VPN) connection to a “hidden” CIA server.

“Innocent content”

The cover domain delivers “innocent” content if anyone connects to it by chance and appears to be a normal website. But because the website uses an Optional Client Authentication hypertext transfer protocol secure (HTTPS) server option, implants can use this to authenticate and connect to the CIA server.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. According to WikiLeaks, three examples included in the source code build a fake certificate for the antivirus company Kaspersky Lab, pretending to be signed by Thawte Premium Server CA.

“In this way, if the target organisation looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” WikiLeaks said.

Within hours of the Vault 8 publication, Kaspersky Lab CEO Eugene Kaspersky responded with at tweet: “We’ve investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected.”

In another reaction on TwitterAlan Woodward, Europol consultant, cyber security expert and visiting professor at Surrey University, said: “WikiLeaks is now releasing source for exploits in Vault 7. Do they remember what happened last time such exploit code was leaked? Standby for another WannaCry.”

A key component of WannaCry was the EternalBlue exploit of Microsoft’s server message block (SMB) protocol, reportedly stolen from the US National Security Agency (NSA) and released by the Shadow Brokers hacking group. 

Read more on Hackers and cybercrime prevention