WikiLeaks
Part 9 - Examples
The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero"), each with its own sub-projects, malware and hacking tools.
The majority of these projects relate to tools used for penetration, infestation ("implanting"), control and exfiltration.
Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects target specific hardware, from routers to smart TVs.
UMBRAGE
The CIA's hand-crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that forensic investigators can use to attribute multiple different attacks to the same entity.
This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved, the other murders also find likely attribution.
The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states, including the Russian Federation.
With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups the attack techniques were stolen from.
UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP, "personal security product") avoidance and survey techniques.
Fine Dining
Fine Dining comes with a standardized questionnaire, i.e. a menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation and to communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.
Among the list of possible targets of the collection are 'Asset', 'Liaison Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target, such as the type of computer, the operating system used, Internet connectivity and installed anti-virus utilities (PSPs), as well as a list of file types to be exfiltrated, such as Office documents, audio, video, images or custom file types. The 'menu' also asks whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.
Improvise (JQJIMPROVISE)
'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems: Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities, such as Margarita, allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.
HIVE
HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms, and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.
The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain, and the infrastructure can handle any number of cover domains.
Each cover domain resolves to an IP address at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles the actual connection requests from clients. It is set up for optional SSL/TLS client authentication: if a client presents a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone opens the cover domain's website by accident), the traffic is forwarded to a cover server that delivers an innocuous-looking website.
The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.
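The optional client-authentication demux described above, as an added Go example that is not HIVE's code nor anything published with it: a local HTTPS listener plays the Blot server, with the VPS front end and the VPN hop omitted. The throwaway implant CA, the certificate names, and the literal responses "honeycomb" and "cover" (standing in for forwarding to the toolserver and to the cover website) are assumptions made for the example. It also goes one step beyond the text by sending a certificate from an unrelated CA, to show that "valid" is enforced at the TLS handshake rather than by the handler.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue makes a P-256 certificate for cn, self-signed when parent is nil; leaves get the clientAuth EKU.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	var cert *x509.Certificate
	if der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey); err != nil {
		panic(err)
	} else if cert, err = x509.ParseCertificate(der); err != nil {
		panic(err)
	}
	return cert, key
}

// blotHandler: a certificate that chained to the implant CA reaches the tool server, anything else the cover site.
func blotHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {
		io.WriteString(w, "honeycomb")
		return
	}
	io.WriteString(w, "cover")
}

// visit fetches the cover domain. GetClientCertificate forces the given certificate onto the wire
// even if it does not match the server's CA list (Go's default selection would silently send none).
func visit(srv *httptest.Server, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo stands up a Blot-style listener with optional client auth and records what three visitors get.
func Demo() (anonymous, implant string, probeRejected bool, err error) {
	ca, caKey := issue(1, "Implant CA", true, nil, nil)
	leaf, leafKey := issue(2, "implant-0001", false, ca, caKey)
	rogue, rogueKey := issue(3, "rogue-probe", false, nil, nil) // foreign cert, not from the implant CA
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(blotHandler))
	// VerifyClientCertIfGiven: anonymous clients are allowed, but a presented cert must chain to ClientCAs.
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS() // httptest supplies the localhost server certificate
	defer srv.Close()
	if anonymous, err = visit(srv, nil); err != nil {
		return
	}
	if implant, err = visit(srv, &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}); err != nil {
		return
	}
	_, probeErr := visit(srv, &tls.Certificate{Certificate: [][]byte{rogue.Raw}, PrivateKey: rogueKey})
	return anonymous, implant, probeErr != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Run it with go run: Demo returns "cover" for the anonymous visitor, "honeycomb" for the implant, and true for the rejected probe, whose connection never reaches the handler at all. Two practitioner points follow from this arrangement. Go's default client silently drops a certificate that does not match the CA list the server advertises, which is why the probe has to be forced through GetClientCertificate. More importantly, a public website that asks every visitor for a client certificate is itself a fingerprint: under TLS 1.2 the CertificateRequest message is sent in the clear, and under TLS 1.3 it is encrypted but still delivered to anyone who completes a handshake with the cover domain.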
Similar functionality (though limited to Windows) is provided by the RickBobby project.