WikiLeaks Vault 8 Part 1: CIA Wrote Code To Impersonate Russian Anti-Virus Company Kaspersky

by Aaron Kesel, Activist Post:

WikiLeaks has released part 1 of its new Vault 8 series following its popular and widely distributed Vault 7 series which exposed CIA spyware and malware capabilities.

The new release “will enable investigative journalists, forensic experts, and the general public to better identify and understand covert CIA infrastructure components,” the international whistleblower coalition wrote.

The CIA’s master virus control system, known as “Hive,” was previously exposed by WikiLeaks last April.

“Described as a multi-platform malware suite, Hive provides ‘customisable implants’ for Windows, Solaris, MikroTik (software used in Internet routers), Linux OS, and AVTech Network Video Recorders, used for CCTV recording.

A 2015 user guide for the malware suite reveals the initial release of Hive was in 2010. The guide goes on to describe the software as having two primary functions – a beacon and an interactive shell. Both are designed to provide a starting point for CIA cyber agents to deploy other tools that have been included in the WikiLeaks Vault 7 series release.

The implants communicate via HTTPS with the web server using a cover domain. Each cover domain is connected to an IP address that is hooked into a Virtual Private Server (VPS) provider. This forwards all incoming traffic to a ‘Blot’ server.

The redirected traffic is then examined to see if it contains a valid beacon. If it does, it’s sent to a tool handler, called a “Honeycomb.”

The CIA can then choose to initiate other actions on the targeted computer.

The user guide further details the commands that are available, including uploading and deleting files and executing applications on the computer.

“Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks’ earlier Vault7 series,” WikiLeaks wrote in a press release for the new Vault 8 series.

The release of Hive was followed by wide-scale blowback against the CIA when security firm Symantec linked the agency and the hacking group Longhorn to 40 targets in 16 countries, with many more expected to come. Longhorn has been active since at least 2011, according to Symantec, infiltrating targets in the financial, telecom, aerospace and natural resources industries. It has the markings of an intelligence-backed state attacker.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks,” a Symantec statement said.

The Longhorn group uses some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.

The latest leak contains the source code and logs for the CIA’s master infrastructure behind that malware control system, created by its Embedded Development Branch (EDB), and expands on the use of obfuscated, spoofed tools to implicate another party in a cyber attack.

In March, WikiLeaks also released 676 files code-named ‘Marble’, which detailed CIA hacking techniques and how they can misdirect forensic investigators from attributing viruses, trojans and worms to the agency by using source code in other languages as a scapegoat – in other words, false flag cyber attacks.

Read More @ ActivistPost.com