WikiLeaks’ latest release from the Vault 7 leaks, titled “Marble,” claims that the CIA can use string obfuscation algorithms to attribute cyber attacks to other countries.
WikiLeaks released the “Marble Framework” leak today on its website, describing Marble as a tool used to “hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”
“Marble does this by hiding (‘obfuscating’) text fragments used in CIA malware from visual inspection,” WikiLeaks claims. “This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”
Marble is reportedly an obfuscation tool that is not itself used to carry out cyber attacks but to hide and cover up previous attacks. WikiLeaks claims it is part of the CIA’s anti-forensics approach and the CIA’s core library of cyber attacks and viruses, and that it is “designed to allow for flexible and easy-to-use obfuscation,” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”
The source code also reportedly contains a deobfuscator used to reverse CIA text obfuscation. WikiLeaks believes that with the framework now made public, forensic investigators should be able to notice patterns and signatures that can be used to attribute previous cyber attacks and viruses to the CIA.
WikiLeaks also believes that Marble could be used to attribute cyber attacks to multiple countries due to evidence of Marble test examples in English, Chinese, Russian, Korean, Arabic, and Farsi. WikiLeaks states, “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.”