The deeper story behind CIA's attempt to 'impersonate' Russian cybersecurity company using hacking tool Hive

globinfo freexchange

In 9 November 2017, WikiLeaks published the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

According to WikiLeaks, Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic go to a cover server that delivers the insuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

This CIA cybertool could be proven very useful for accusing foreign agencies and organizations for hacking US facilities and processes, but beyond that, there is a deeper reason for which CIA has targeted the specific Russian company and it is related to the first discovered malware that spies on and subverts industrial systems.

Former British intelligence officer and Whistleblower, Annie Machon, reveals why CIA has targeted Kaspersky Lab:

Obviously, the CIA will be interested in a very successful Russian-based company that offers protection on the Internet. But it goes back a bit further because, it was 2010 the very first proven cyberwarfare weapon was deployed. And this was against the Iranian domestic civilian nuclear development capability. And this was at the time when the Americans were drumming up the war against Iran.

There was an attack made against their civilian nuclear capability, and in this case, this virus, which was called Stuxnet, was deployed against the centrifuges that enriched the Uranium. Nobody knew where it came from. It seemed to be very weaponized, a state level. And it was actually Kaspersky that unveiled who had developed it. It was the Americans and the Israeli intelligence agencies. So, Kaspersky has been very much in the cross-chairs of both the American and the Israeli intelligence agencies.

From Wikipedia, Stuxnet is a malicious computer worm, first uncovered in 2010 by Kaspersky Labs, the antivirus company. Thought to have been in development since at least 2005, stuxnet targets SCADA systems and was responsible for causing substantial damage to Iran's nuclear program. Although neither country has admitted responsibility, since 2012 the worm is frequently described as a jointly built American/Israeli cyberweapon.

Stuxnet, discovered by Sergey Ulasen, initially spread via Microsoft Windows, and targeted Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.