Bekker's Blog

WikiLeaks Details Parts of CIA Playbook Against Windows

The massive WikiLeaks dump on Tuesday of alleged U.S. Central Intelligence Agency documents purports to reveal elements of the CIA's tactics and tools for exploiting Windows-based computers.

The flashiest revelations in the 8,761 documents, dubbed "Vault 7" by WikiLeaks, had to do with non-Windows operating systems: platform exploits against Apple's iOS that could theoretically make application-level encryption and secure communications tools like Signal and WhatsApp moot on iPhones, a catalog of two dozen Android zero-day exploits, and details of how the agency could turn Samsung smart TVs into listening devices.

CIA officials declined to confirm the veracity of the documents, which WikiLeaks said were dated between 2013 and 2016. Edward Snowden, the National Security Agency whistleblower currently living in exile in Moscow who has a complicated relationship with WikiLeaks' founder Julian Assange, tweeted that he found the documents credible:

Microsoft officials had little to say about the revelations immediately. "We are aware of the report and are looking into it," the company said in a statement released to news organizations.

There was much in the document dump to concern Windows administrators, partners and end users, especially given WikiLeaks' assertion that the CIA has "lost control" of the tools catalogued in the document dump. The organization did not release all of the CIA materials that it claims to have, most notably any of the code for carrying out attacks. However, WikiLeaks said it would publish more from the archive in the future.

"This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA," WikiLeaks said in a statement. The assertion that WikiLeaks, in fact, has the CIA's entire hacking capacity drew healthy skepticism from security observers, although the organization does claim to have more to release.

Whether the tools are already in the wild or WikiLeaks subsequently releases them, any organization, not just likely CIA targets, could be attacked with the now widely public tools and techniques.

Describing tools affecting Windows PCs, servers and networks, a WikiLeaks analysis statement said:

"The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized 'zero days', air gap jumping viruses such as 'Hammer Drill' which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ('Brutal Kangaroo') and to keep its malware infestations going."

Links to materials in the WikiLeaks dump are uneven, with some entries completely blank and others describing introductory-level, how-to information about performing basic tasks in Windows, Visual Studio and other Microsoft tools. Many of the vulnerabilities described involve older versions of software, with most references for the Windows desktop client being to Windows 8 or earlier iterations.

But other sections describe security problems with Microsoft software or provide overviews of sophisticated tools, such as automated multi-platform malware attack and control systems. Some of those systems or components go by the names Fine Dining, HIVE, Cutthroat, Swindle, RickyBobby and Bartender.

The documents also catalogue tools and techniques for evading anti-virus and other personal security products.

The dump has started a fire drill of security checks throughout the Windows tools ecosystem that could lead to a flurry of security patches and updates over the next few months.

Posted by Scott Bekker on March 08, 2017
