WikiLeaks recently published material from their “Vault 8” series, an extension of the “Vault 7” releases, containing the source code of hacking tools allegedly used by the CIA.
Earlier this year, WikiLeaks announced a new series of leaks titled “Vault 7.” These leaks contained a number of tools and viruses allegedly used by the CIA to hack computers and databases. Now, the whistleblowing group has published the source code of the hacking tools revealed in March as part of a new series titled “Vault 8.” This series seems to be an attempt to prove the veracity of the tools published in Vault 7. WikiLeaks has previously released documentation to add to the legitimacy of the tools found in Vault 7, but this is the first time the group has published the source code of a CIA spying tool.
“This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components,” WikiLeaks said in their press release for Vault 8. “Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks’ earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.”
WikiLeaks then details the source code and development logs of the “Hive” tool previously published in Vault 7. WikiLeaks describes Hive’s function, saying:
“Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.
Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called “Blot”.”
Jake Williams, a former NSA hacker currently employed at the cybersecurity firm Rendition InfoSec, spoke to Motherboard about the possible uses for the source code released by WikiLeaks. Williams doesn’t believe the code is dangerous; he said it will “help forensics professionals and cause CIA to refactor code, but nothing that will enable a cyberattack.” Williams did warn, however, that “releasing code for other tools described in Vault 7 could give attackers the ability to exploit and implant new machines.”
Williams singled out specific Vault 7 tools, saying, “for instance, the code for Pandemic and Brutal Kangaroo tools could be a game changer.” He continued: “there’s still a possibility that an unpatched zero-day exists for USB infection as described in the Brutal Kangaroo documents.” Martijn Grooten, the current editor of Virus Bulletin, concurred with Williams, saying that the source code released by WikiLeaks is not dangerous and is not useful to criminals, “not more than an average advanced malware analysis (or a DEF CON) talk is useful to them.”
The CIA continues to state that they have “no comment on the authenticity of purported intelligence documents released by Wikileaks.”