Early Friday
morning, Wikileaks released its fifth batch of Vault 7 documents
exposing the U.S. Central Intelligence Agency’s hacking techniques.
The latest release, titled “Hive,” exposes the agency’s
multi-platform malware suite that allows the CIA to monitor targets
via malware as well as the ability to realize specific tasks on
compromised machines.
Hive is said
to provide customizable implants for a variety of operating systems
for distinct types of devices, not just computers, tablets, and
phones. Among the platforms vulnerable to Hive include Linux,
Windows, Solaris, MikroTik (used in Internet routers), and AVTech
Network Video Recorders (often used in CCTV recording). First
released in 2010, Hive is essentially an “implant” that functions
as both a beacon and shell, allowing CIA hackers to gain a foothold
in devices that allow them to deploy any number of other tools, such
as those detailed in previous releases.
Wikileaks
has described Hive’s function as a “back-end infrastructure
malware” that uses public HTTPS interfaces which provide
“unsuspicious-looking cover domains” to hide its presence on
infected devices. Each of those domains is linked to an IP address at
a commercial Virtual Private Server (VPS) provider, which forwards
all incoming traffic to what is termed a “Blot” server. All
re-directed traffic is then examined by CIA hackers to see if it
contains a valid beacon. If it does, then a tool handler – called
Honeycomb in the released documents – and the CIA then begins
initiating other actions on the target computer. The released user
guide shows that Hive allows for the uploading and deleting of files
as well as the execution of applications on the device.
Unlike some
other Vault 7 tools which can persist indefinitely on targeted
devices, Hive comes with a “self-delete” function that allows the
malware to destroy itself if it receives no signal from the CIA for a
set amount of time. The self-deletion leaves only a log and
configuration file, containing only a time-stamp behind. Apparently
this feature posed difficulties to CIA developers as the
self-deletion can “be problematic due to the inability to
accurately assess the reliability of the host’s system clock,”
according to the Hive Developers Guide.
Wikileaks
noted that anti-virus companies along with forensic experts have
noticed before that malware, potentially originating from a
state-actor, utilized the same back-end infrastructure implantation
that Hive employs. Through the analysis of the communication between
specific implants, these experts and software companies were able to
determine that the malware’s origin came from a “well-resourced
organization which was involved in intelligence gathering
operations.”
However,
there had been unable to attribute the back-end or the implants to
the CIA, though Wikileaks’ release of Hive may change that. Indeed,
Wikileaks noted in its press release that “The documents from
this publication might further enable anti-malware researchers and
forensic experts to analyse this kind of communication between
malware implants and back-end servers used in previous illegal
activities.”
Wikileaks’
latest release comes on the heels of CIA director Mike Pompeo’s
aggressive statements against the transparency organization in which
he labeled them “non-state hostile intelligence service.”
He also condemned Wikileaks’ editor-in-chief, Julian Assange of
making “common cause with dictators.” While other CIA
directors have targeted both Wikileaks and Assange in the past,
Wikileaks now five releases of top secret CIA hacking tools may have
prompted an escalation in Pompeo’s rhetoric. It remains to be seen
if this rhetoric will translate into action, however.
Assange, for
his part, doesn’t seem too concerned, choosing to respond with a
witty retort that incisively pointed out the CIA’s lack of
credibility in making such accusations:
Called a "non-state intelligence service" today by the "state non-intelligence agency" which produced al-Qaeda, ISIS, Iraq, Iran & Pinochet.— Julian Assange (@JulianAssange) April 14, 2017
Source
and links:
Comments
Post a Comment