Vault 7: CIA Hacking Tools Revealed
WikiLeaks Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force: its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

WikiLeaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.

WikiLeaks has also decided to redact and anonymise some identifying information in "Year Zero" for in depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.
Analysis

CIA malware targets iPhone, Android, smart TVs

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart of the CIA for more details).

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone.

Despite iPhone's minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA's arsenal includes numerous local and remote "zero days" developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

A similar unit targets Google's Android which is used to run the majority of the world's smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. "Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.
CIA malware targets Windows, OSx, Linux, routers

The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ("Brutal Kangaroo") and to keep its malware infestations going.

Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".

Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB).

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below.
CIA 'hoarded' vulnerabilities ("zero days")

In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis, rather than hoard, serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others.

The U.S. government's commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA, but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.
'Cyberwar' programs are a serious proliferation risk

Cyber 'weapons' are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber 'weapons', once developed, are very hard to retain.

Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces, sometimes by using the very same 'weapons' against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such 'weapons'. Similarly, contractors and companies who obtain such 'weapons' sometimes use them for their own purposes, obtaining advantage over their competitors in selling 'hacking' services.

Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.

A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.

Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of
U.S. Consulate in Frankfurt is a covert CIA hacker base

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ("Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover. The instructions for incoming CIA hackers make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport"

Your Cover Story (for this trip)
Q: Why are you here?
A: Supporting technical consultations at the Consulate.

Two earlier WikiLeaks publications give further detail on CIA approaches to customs and secondary screening procedures.

Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area, including France, Italy and Switzerland.

A number of the CIA's electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.
How the CIA dramatically increased proliferation risks

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7", namely the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems, the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the 'battlefield' of cyber 'war'.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying

U.S. Constitution. This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator's intent.

Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires" as if a weapon was being fired. However the analogy is questionable.

Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect a target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.

A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization's leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory including observation, infiltration, occupation and exploitation.
Evading forensics and anti-virus

A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies attribute and defend against attacks.

"Tradecraft DO's and DON'Ts" contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review". Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (pdf), describing targets & exfiltrated data (pdf) as well as executing payloads (pdf) and persisting (pdf) in the target's machines over time.

CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/Debugger/RE Avoidance. For example, Comodo was defeated by CIA malware placing itself in the Windows "Recycle Bin", while Comodo 6.x has a "Gaping Hole of DOOM".

CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure.
Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration.

Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

Some example projects are described below, but see the table of contents for the full list of projects described by WikiLeaks' "Year Zero".
UMBRAGE

The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.
Fine Dining

Fine Dining comes with a standardized questionnaire, i.e. menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are 'Asset', 'Liaison Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types. The 'menu' also asks for information if recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's
Improvise (JQJIMPROVISE)

'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities like Margarita allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.
HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby project.

See the classified user and developer guides for HIVE.