WikiLeaks published the next release in their CIA Vault 7 series today, revealing details on a geolocation tracking project named ELSA.
WikiLeaks describes the ELSA project as “a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system.” The exploit is installed on a target system using other CIA bugs that WikiLeaks has previously detailed. Once installed, ELSA scans all visible WiFi access points in the area and records the ESS identifier, MAC address and signal strength of the access points at regular intervals. The targeted device does not need to be connected to a WiFi access point to record this information; the device simply needs to be WiFi enabled.
The ELSA malware automatically attempts to use public geo-location databases from tech companies such as Google or Microsoft to resolve the position of the device and records the longitude and latitude data along with the timestamp. This information is then stored on the device in an encrypted format to be transferred later to another device. The encrypted information is not transferred wirelessly. Instead, a CIA operator must gain access to the device using other CIA exploits in order to transfer and gain access to the encrypted information.
The WikiLeaks page further states, “The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”