In particular, hard drives retain data after formatting which may be visible to a digital forensics team and flash media (USB sticks, memory cards and SSD drives) retain data even after a secure erasure. Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. “Pandemic” targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.
To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets). “Assassin” is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.
The Protego project is a PIC-based missile control system that was developed by Raytheon. The documents indicate that the system is installed on-board a Pratt & Whitney aircraft (PWA) equipped with missile launch systems (air-to-air and/or air-to-ground). Protego is not the “usual” malware development project like all previous publications by WikiLeaks in the Vault7 series. Indeed, there is no explicit indication why it is part of the project repositories of the CIA/EDG at all. If you have a very large submission, or a submission with a complex format, or are a high-risk source, please contact us.
OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain. Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
- BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means.
- Like WikiLeaks’ earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.
CIA malware targets Windows, OSx, Linux, routers
- Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system.
- Today, April 14th 2017, WikiLeaks publishes six documents from the CIA’s HIVE project created by its “Embedded Development Branch” (EDB).
- Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration is disguised behind a Windows installation splash screen.
Martin then completed a Fellowship in Hand Surgery in Sydney, Australia, the Aesthetic (cosmetic) Fellowship at the McIndoe Surgical Centre and a Microsurgical Fellowship at the Queen Victoria Hospital. He is on the specialist GMC register as an accredited Plastic and Reconstructive Surgeon and is a Consultant at the Queen Victoria Hospital in East Grinstead, where he became the Clinical Director for Plastic Surgery from 2018 for three years. Mr Jones is a UK trained Consultant in Plastic & Reconstructive Surgery and is on the GMC Specialist Register for Plastic Surgery. He is based in the Southeast of England and holds an NHS Consultant post in Queen Victoria Hospital, East Grinstead. They are booked on an automated system where public transport or walking are not given as options – which can result in some unusually long or short journeys.
Global Intelligence Files
I have recommended him to many of my friends and could not be happier or more confident in myself. “DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International). Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task.
Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu).
The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as the “primary host”) and installs the BrutalKangeroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware.
Vault 8
In our experience it is always possible to find a custom solution for even the most seemingly difficult situations. Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming from or going to. This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA. One of the persistence mechanisms used by the CIA here is “Stolen Goods”, whose “components were taken from malware known as Carberp, a suspected Russian organized crime rootkit,” confirming the recycling of malware found on the Internet by the CIA.
Vault 7: Archimedes
Source code and analysis for CIA software projects including those described in the Vault7 series. Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. I.e., the CIA has been infecting the iPhone supply chain of its targets since at least 2008. Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code.
I felt very well looked after during the hospital stay and his administrative staff were fantastic in responding to any queries and arranging follow up. Post op pain was not too bad and the scars are healing beautifully, no doubt thanks to his surgical expertise. Martin prides himself on being a local man and believes it is extremely important to put his clients at ease from their very first meeting. His meticulous attention to detail combines his surgical passions with his artistic flair. Following his General Surgical training at St George’s Hospital, Tooting, he completed a research degree (MD) at the RAFT Institute for Plastic Surgical Research in 2000. He then started as a Plastic Surgery Registrar on the Pan Thames training scheme taking him to Mount Vernon Hospital, The Royal Free Hospital and the Queen Victoria Hospital in East Grinstead.
General plastic surgery
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0. Today, August 10th 2017, WikiLeaks publishes the User Guide for the CoachPotato project of the CIA. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity.
The orders state that the collected information is to “support” the activities of the CIA, the Defence Intelligence Agency (DIA)’s E.U. section, and the U.S. Significantly, two CIA opposition espionage tasks, “What policies do they promote to help boost France’s economic growth prospects?” and “What are their opinions on the German model of export-led growth?” resonate with a U.S. economic espionage order from the same year. That order requires obtaining details of every prospective French export contract or deal valued at $200m or more. Specific instructions tasked CIA officers to discover Sarkozy’s private deliberations “on the other candidates” as well as how he interacted with his advisors. Sarkozy’s earlier self-identification as “Sarkozy the American” did not protect him from US espionage in the 2012 election or during his presidency.
Vault 7: Grasshopper Framework
Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. HighRise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication. Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use.
Once the tool is installed on the target, the implant is run within a Windows service process. “Assassin” (just like “AfterMidnight”) will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The “Assassin” C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as “The Gibson” and allow operators to perform specific tasks on an infected target. Today, May 19th 2017, WikiLeaks publishes documents from the “Athena” project of the CIA.
