WikiLeaks Documents CIA Tool to Defeat ‘Air Gap’ Security with ‘Brutal Kangaroo’ Virus

A USB drive like those used by the CIA in the "Brutal Kangaroo" virus
Shou-Hui Wang/Flickr

WikiLeaks released the latest documents in their CIA Vault 7 series of leaks yesterday, titled “Brutal Kangaroo,” the documents describe a virus which uses USB drives to gain access to air-gapped computers.

WikiLeaks latest release contains documents relating to a Microsoft tool suite called “Brutal Kangaroo” which uses USB drives to access air-gapped computers. Air-gapped computers are computers that have no access to the internet or local network whatsoever, making them relatively safe from cyber attacks, however, “Brutal Kangaroo” aims to piggyback off of USB drives to infect air-gapped devices. Brutal Kangaroo creates a closed covert network within the targeted device or devices, enabling the execution of surveys, directory listings and other executables.

The WikiLeaks document page reads, “It [Brutal Kangaroo] first infects an Internet-connected computer within the organization (referred to as ‘primary host’) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange.” WikiLeaks further states, “Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.”

The Brutal Kangaroo tool suite contains multiple components, the Drifting Deadline component to infect the USB drive, the Shattered Assurance server tool which automates the infection USB drives, Broken Promise acts as a post processor evaluating information collected from the air-gapped device and Shadow acts as a secret command-and-control centre, assigning tasks across a covert closed network. The programs use vulnerabilities in the Microsoft Windows file system to infect devices once the USB stick is inserted into the computer.

Read the full WikiLeaks release here.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan_ or email him at


Please let us know if you're having issues with commenting.