Bekker's Blog

WikiLeaks Details Parts of CIA Playbook Against Windows

The massive WikiLeaks dump on Tuesday of alleged U.S. Central Intelligence Agency documents purports to reveal elements of the CIA's tactics and tools for exploiting Windows-based computers.

The flashiest revelations in the 8,761 documents, dubbed "Vault 7" by WikiLeaks, had to do with non-Windows operating systems: platform exploits against Apple's iOS that could theoretically make application-level encryption and secure communications tools like Signal and WhatsApp moot on iPhones, a catalog of two dozen Android zero-day exploits, and details of how the agency could turn Samsung smart TVs into listening devices.

CIA officials declined to confirm the veracity of the documents, which WikiLeaks said were dated between 2013 and 2016. Edward Snowden, the National Security Agency whistleblower currently living in exile in Moscow who has a complicated relationship with WikiLeaks' founder Julian Assange, tweeted that he found the documents credible.

Microsoft officials had little to say about the revelations immediately. "We are aware of the report and are looking into it," the company said in a statement released to news organizations.

There was much in the document dump to concern Windows administrators, partners and end users, especially given WikiLeaks' assertion that the CIA has "lost control" of the tools catalogued in the document dump. The organization did not release all of the CIA materials that it claims to have, most notably any of the code for carrying out attacks. However, WikiLeaks said it would publish more from the archive in the future.

"This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA," WikiLeaks said in a statement. The assertion that WikiLeaks, in fact, has the CIA's entire hacking capacity drew healthy skepticism from security observers, although the organization does claim to have more to release.

Whether the tools are already in the wild or WikiLeaks subsequently releases them, any organization, not just likely CIA targets, could be attacked with the now widely public tools and techniques.

Describing tools affecting Windows PCs, servers and networks, a WikiLeaks analysis statement said:

"The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized 'zero days', air gap jumping viruses such as 'Hammer Drill' which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ('Brutal Kangaroo') and to keep its malware infestations going."

Links to materials in the WikiLeaks dump are uneven, with some entries completely blank and others describing introductory-level, how-to information about performing basic tasks in Windows, Visual Studio and other Microsoft tools. Many of the vulnerabilities described involve older versions of software, with most references for the Windows desktop client being to Windows 8 or earlier iterations.

But other sections describe security problems with Microsoft software or provide overviews of sophisticated tools, such as automated multi-platform malware attack and control systems. Some of those systems or components go by the names Fine Dining, HIVE, Cutthroat, Swindle, RickyBobby and Bartender.

The documents also catalogue tools and techniques for evading anti-virus and other personal security products.

The dump has started a fire drill of security checks throughout the Windows tools ecosystem that could lead to a flurry of security patches and updates over the next few months.

Posted by Scott Bekker on March 08, 2017 at 11:40 AM