WikiLeaks Vault 7: Projects

WikiLeaks Vault 7 is about a global hacking program being covertly run by the CIA

WikiLeaks Vault 7: Projects

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, that detail activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare on anyone it chooses. The files, dated from 2013–2016, include details on the agency’s software capabilities, such as the ability to compromise cars, smart TVs, web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera Software ASA), and the operating systems of most smartphones (including Apple’s iOS and Google’s Android), as well as other operating systems such as Microsoft Windows, macOS, and Linux.

WikiLeaks Vault 7: Projects

 
 
 

Wikileaks: CIA Malware For Windows “Grasshopper”

RELEASE: CIA malware for Windows “Grasshopper” — which includes its own language

Wikileaks: CIA Malware For Windows "Grasshopper"

Grasshopper basically allows the Deep State to do anything it wants remotely to a Windows machine. It doesn’t seem to matter if it is Windows XP, Windows 7, Windows 8, or Windows Server versions 2003 or 2008. Almost all the attacks and hijacks bypassed the major intrusion detection systems (MS Security, Symantec, Kapersky, and Rising). No matter how locked down or safe you thought your Windows install was, you were wrong.

Oh even better. It looks like these were designed specifically to avoid the major security programs.

From Wikileaks:

Grasshopper

7 April, 2017

Today, April 7th 2017, WikiLeaks releases Vault 7 “Grasshopper” — 27 documents from the CIA’s Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to “perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration”. Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like ‘MS Security Essentials’, ‘Rising’, ‘Symantec Endpoint’ or ‘Kaspersky IS’ on target machines do not detect Grasshopper elements.

One of the persistence mechanisms used by the CIA here is ‘Stolen Goods’ – whose “components were taken from malware known as Carberp, a suspected Russian organized crime rootkit.” confirming the recycling of malware found on the Internet by the CIA. “The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.”. While the CIA claims that “[most] of Carberp was not used in Stolen Goods” they do acknowledge that “[the] persistence method, and parts of the installer, were taken and modified to fit our needs”, providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the italian company “HackingTeam”.

The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise.

Leaked Documents

Grasshopper-v2_0_2-UserGuide
Grasshopper-v1_1-AdminGuide
StolenGoods-2_1-UserGuide
GH-Run-v1_1-UserGuide
GH-ServiceProxy-v1_1-UserGuide

 

“Grasshopper” re-installs itself every 22 hours by corrupting Windows Update… even if is disabled.


 

 

CIA Vault 7 Part 3 “Marble” Allows CIA To Cover Their Tracks!

Vault 7 Part 3: WikiLeaks releases the CIA ‘Marble’ dump

CIA Vault 7 Part 3 "Marble" Allows CIA To Cover Their Tracks
WikiLeaks has released the latest batch of documents detailing CIA hacking tactics. The third release, named ‘Marble’, contains 676 source code files for the agency’s secret anti-forensics framework.Marble Framework, which WikiLeaks explains is part of the CIA’s Core Library of malware, is used to hamper forensic investigators from attributing viruses, trojans and hacking attacks to the CIA. WikiLeaks said Marble was in use at the agency as recently as 2016.

WikiLeaks said Marble hides fragments of texts that would allow for the author of the malware to be identified. WikiLeaks stated the technique is the digital equivalent of a specialized CIA tool which disguises English language text on US produced weapons systems before they are provided to insurgents.

It’s “designed to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms” often link malware to a specific developer, according to the whistleblowing site.

The source code released reveals Marble contains test examples in Chinese, Russian, Korean, Arabic and Farsi.

“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks explains, “But there are other possibilities, such as hiding fake error messages.”

From Wikileaks:

Marble Framework

31 March, 2017

Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivallent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.

Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.

The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.

The Marble Framework is used for obfuscation only and does not contain any vulnerabilties or exploits by itself.

 
via

Wikileaks: CIA Hacks Dubbed ‘Dark Matter’ Reveal How Apple Products Are Infected

WikiLeaks Vault 7 shows that the CIA has developed a huge range of attacks against iPhones since at least 2008.

Wikileaks: CIA Hacks Dubbed Dark Matter Reveal How Apple Products Are Infected

Yesterday, Wikileaks released another series from their ‘Vault 7’ CIA hacks called ‘Dark Matter’ where they reveal how Apple products are infected.

According to Wikileaks, ‘Dark Matter’ contains documentation for several CIA projects that infect Apple MAC computer firmware developed by the CIA’s Embedded Development Branch (EDB). Interestingly… the infection persists even if the operating system is re-installed.

From Wikileaks:

Dark Matter

23 March, 2017

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

Leaked Documents

Sonic Screwdriver
DerStarke v1.4
DerStarke v1.4 RC1 – IVVRR Checklist
Triton v1.3
DarkSeaSkies v1.0 – URD

Dark Matter Dog

 
via

FLASHBACK – CIA Director David Petraeus: “We’ll Spy on You Through Your Dishwasher”

In a 2012 Wired article, entitled, “CIA Chief: We’ll Spy on You Through Your Dishwasher,” then CIA Director David Petraeus heralded emerging technologies in relation to spying.
FLASHBACK - CIA Director David Petraeus: "We’ll Spy on You Through Your Dishwasher"
CIA Director David Petraeus unwinds with some Wii Golf, 2008. Photo: Wikimedia

With Wikileaks latest, largest dump of confidential CIA files ever published, the world is beginning to realize just how far gone our privacy rights are. They have become virtually nonexistent thanks to Obama’s two terms in office.

As far back as a five years ago, then CIA Director General David Petraeus was touting how hi-tech advances offered countless ways Americans can be spied on.

With the rise of the “Smart Home,” you are sending tagged, Geo-located data that the CIA can intercept in real-time when you use the lighting app on your phone to adjust your living room’s ambiance.

The CIA had a plan that smart meters, smart phones, smart TVs and other smart household devices installed in every hopelessly “Dumbed Down” American’s home would permit the Deep State complete invasive access to you in the un-private, unsafe sanctuary you call home.

From Wired March 2012:

MORE AND MORE personal and household devices are connecting to the internet, from your television to your car navigation systems to your light switches. CIA Director David Petraeus cannot wait to spy on you through them.

Earlier this month, Petraeus mused about the emergence of an “Internet of Things” — that is, wired devices — at a summit for In-Q-Tel, the CIA’s venture capital firm. “‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,” Petraeus enthused, “particularly to their effect on clandestine tradecraft.”

All those new online devices are a treasure trove of data if you’re a “person of interest” to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the “smart home,” you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,” Petraeus said, “the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.”

Petraeus allowed that these household spy devices “change our notions of secrecy” and prompt a rethink of “our notions of identity and secrecy.” All of which is true — if convenient for a CIA director.

The CIA has a lot of legal restrictions against spying on American citizens. But collecting ambient geolocation data from devices is a grayer area, especially after the 2008 carve-outs to the Foreign Intelligence Surveillance Act. Hardware manufacturers, it turns out, store a trove of geolocation data; and some legislators have grown alarmed at how easy it is for the government to track you through your phone or PlayStation.

That’s not the only data exploit intriguing Petraeus. He’s interested in creating new online identities for his undercover spies — and sweeping away the “digital footprints” of agents who suddenly need to vanish.

“Proud parents document the arrival and growth of their future CIA officer in all forms of social media that the world can access for decades to come,” Petraeus observed. “Moreover, we have to figure out how to create the digital footprint for new identities for some officers.”

It’s hard to argue with that. Online cache is not a spy’s friend. But Petraeus has an inadvertent pal in Facebook.

Why? With the arrival of Timeline, Facebook made it super-easy to backdate your online history. Barack Obama, for instance, hasn’t been on Facebook since his birth in 1961. Creating new identities for CIA non-official cover operatives has arguably never been easier. Thank Zuck, spies. Thank Zuck.

 

Load More