by Elizabeth Vos, Disobedient Media:
A few days ago, Wikileaks published Vault 8, which includes the source code for Wikileaks’ earlier Vault 7 publication. Wikileaks made clear that, like Vault 7, Vault 8 does not include ‘zero day’ exploits. Wikileaks’ press release explains that Vault 8 includes the source code and development logs of Hive, a “major component of the CIA infrastructure to control its malware.” Despite the importance of Vault 8’s content, legacy press has largely ignored news of its release.
Utter media silence surrounding Wikileaks’ latest publication may be somewhat explained by the shadow it casts on claims that Kaspersky Lab was involved in some sort of attempt at Russian interference, as establishment media claimed recently as part of their ongoing Russian hacking narrative. That the CIA actively impersonated Kaspersky Lab raises many questions regarding the impersonation of Russian and other groups by the CIA.
Anti-Russia hysteria on the part of the media appears to have intensified in recent weeks. This comes despite the issue having been largely debunked by the work of the Forensicator, first reported by this author at Disobedient Media.
Wikileaks’ press release notes that: “Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”
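The press release describes the mechanism in one sentence: the implant’s certificate carries the names of real companies, so an observer who attributes traffic by reading the subject and issuer fields is misled. The following Go program is an added illustration written for this article; it is not code from the Hive source or from Wikileaks, and it does not reproduce anything in Vault 8. It builds, with freshly generated keys, a self-signed CA whose subject merely copies a real CA’s name and a leaf certificate under it (the names “Thawte Premium Server CA” and “Kaspersky Laboratory” are taken from the quoted passage; every key and serial number is constructed), then shows the difference between name-based attribution and actually validating the chain against an independent trust store that does not contain the impostor root (the “Genuine Root CA (constructed)” stand-in is an assumption for the demonstration).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a certificate from tmpl. With parent == nil the certificate is
// self-signed; otherwise it is signed by signer, which must be parent's key.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a minimal CA template. Only the subject name varies; the
// name is just a string and proves nothing about who holds the key.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Demo holds the constructed certificates used by the demonstration.
type Demo struct {
	Leaf         *x509.Certificate // leaf naming "Kaspersky Laboratory", signed by FakeRoot
	FakeRoot     *x509.Certificate // self-signed CA that only copies a real CA's name
	TrustedRoots *x509.CertPool    // the observer's independent trust store; FakeRoot is NOT in it
}

// BuildDemo generates all keys and certificates in memory.
func BuildDemo() (*Demo, error) {
	genuineKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	fakeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// A stand-in for a real, independently distributed root (assumption for the demo).
	genuineRoot, err := newCert(caTemplate("Genuine Root CA (constructed)", 1), nil, &genuineKey.PublicKey, genuineKey)
	if err != nil {
		return nil, err
	}
	// The impostor: same kind of self-signed CA, different key, borrowed name.
	fakeRoot, err := newCert(caTemplate("Thawte Premium Server CA", 2), nil, &fakeKey.PublicKey, fakeKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), // constructed serial
		Subject:      pkix.Name{CommonName: "Kaspersky Laboratory", Locality: []string{"Moscow"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := newCert(leafTmpl, fakeRoot, &leafKey.PublicKey, fakeKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(genuineRoot)
	return &Demo{Leaf: leaf, FakeRoot: fakeRoot, TrustedRoots: pool}, nil
}

// NameOnlyAttribution is what a naive observer does: read the names and believe them.
func NameOnlyAttribution(c *x509.Certificate) string {
	return fmt.Sprintf("%q issued by %q", c.Subject.CommonName, c.Issuer.CommonName)
}

// ChainVerifies is the check that defeats the trick: the signature must chain to a
// root the observer trusts independently of whatever the certificate claims.
func ChainVerifies(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("names say:      ", NameOnlyAttribution(d.Leaf))
	fmt.Println("chain verifies: ", ChainVerifies(d.Leaf, d.TrustedRoots))
}
```

The point for an analyst is that the issuer name in a captured certificate is an untrusted claim: attribution should rest on whether the chain validates against a root obtained from somewhere other than the traffic itself, and a certificate that names a well-known CA but fails that check is itself a signal worth logging.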
Wikileaks wrote of Vault 8: “This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA.” Wikileaks also tweeted on the subject.
One of the key points that can be drawn from Wikileaks’ release of Vault 8 is that the CIA had the capability to pretend to be Kaspersky Lab, and that in fact they did impersonate them, among others. This is significant because it directly illustrates the capability of US intelligence agencies to create false attribution. Likewise, the publication of Vault 7’s ‘Marble Framework’ earlier this year revealed issues of misattribution.
Wikileaks wrote that Marble Framework was “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”
Vault 8 and earlier Vault 7 publications also shed light on the issue previously raised by Adam Carter, who repeatedly indicated over the last few months that Guccifer 2.0’s data was created in such a way that it demonstrated an intentional attempt to impersonate Russian hacking “fingerprints.”
It should also be noted that while the recent publication of Vault 8 and the earlier publication of Vault 7 shed important light on issues of misattribution, they are not directly related to Carter’s or the Forensicator’s studies of the Guccifer 2.0 material. Carter told Disobedient Media that very similar mimicry methods are observed in both cases.
This similarity can be seen in Carter’s assessment of the available evidence regarding Guccifer 2.0, where he concluded that it was much more likely that Crowdstrike, in association with the DNC, created the Guccifer 2.0 persona, rather than Russian state actors or Eastern European hackers.
Read More @ DisobedientMedia.com