WikiLeaks has revealed the details of an exploit called “BothanSpy,” which attacks secure shell (SSH) network connections, as part of their CIA Vault 7 series of leaks.
WikiLeaks published a new CIA tool from its Vault 7 series of leaks this week. The release is called “BothanSpy” and, according to the WikiLeaks release page, it is designed to “intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.” BothanSpy is an implant for Windows computers that targets the Xshell SSH client and steals the user credentials and connection details of the active SSH sessions held by that program.
SSH is a network protocol for establishing an encrypted and authenticated connection over an untrusted network. It is commonly used by authorised users for remote login to servers and other hosts.
BothanSpy can either send the stolen data to CIA-controlled servers or save it in an encrypted file for retrieval at a later date.
Included in the same release is a second, Linux-targeting program called “Gyrfalcon,” which targets the OpenSSH client on Linux distributions such as CentOS, Debian, RHEL, SUSE and Ubuntu. This implant goes a step further than BothanSpy: it not only steals the user information and details of active SSH sessions but also collects full or partial OpenSSH session traffic. The collected data is stored in an encrypted file on the target machine for exfiltration at a later date. “The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running,” reads the Gyrfalcon user manual. “Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data.”
The full release can be found on the WikiLeaks website.