After releasing documents on more than 20 software tools the CIA uses, WikiLeaks released Vault 8, the source code for some of the software documented in the Vault 7 series of leaks. WikiLeaks stated that no 0-days or other vulnerabilities were released in the Vault 8 series. The release includes the source code for the software the CIA uses to control its malware, known as Hive. The new leaks also show that the CIA impersonated digital authentication certificates; the Russian antivirus company Kaspersky was one of the domains the CIA built fake certificates for.
The Vault 8 series also contains the development logs for Hive. Earlier this year, WikiLeaks' Vault 7 series of leaks revealed that the CIA used Hive to hack devices and exfiltrate data from them. Hive allowed CIA operatives to control infected devices covertly and to operate their malware anonymously by using Virtual Private Servers (VPS) and Virtual Private Networks (VPN). The VPSes used by the CIA obfuscated the traffic sent to and received from an infected device, so even if a victim discovered that their device was infected by the malware, the Hive system made it difficult to attribute the hack to the CIA.
“The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users – an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate – it is optional but implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server,” WikiLeaks stated on their website.
Hive uses a cover domain and passes exfiltrated data through a VPN, relaying it to a CIA server called Blot. The traffic from the infected devices is passed on to a cover server as well as to a CIA server called Honeycomb, a malware management gateway that CIA operatives can use to access infected devices.
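As an added example (not code from the WikiLeaks release or from Hive itself), the following Python parses a plaintext TLS 1.2 server handshake flight and flags the CertificateRequest message that the “Optional Client Authentication” peculiarity quoted above produces, which is the observable a defender can look for on a supposedly ordinary website; all sample bytes are constructed, and the check does not apply to TLS 1.3, where that message is encrypted.

```python
# Added example (not WikiLeaks' or Hive's code): flag TLS 1.2 server
# handshake flights that carry a CertificateRequest (type 13), the
# "Optional Client Authentication" peculiarity the article describes.
# TLS 1.3 encrypts this message, so the check only applies to TLS <= 1.2.
# All sample bytes below are constructed, not captured traffic.
import struct

HANDSHAKE = 0x16          # TLS record content type
CERTIFICATE_REQUEST = 13  # handshake message type


def record(body):
    """Wrap body in one TLS 1.2 handshake record (constructed data)."""
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


def handshake(msg_type, body):
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def handshake_types(flight):
    """Return handshake message types in a plaintext server flight,
    reassembling the handshake stream so coalesced or split messages work."""
    stream, pos = b"", 0
    while pos + 5 <= len(flight):
        ctype, _ver, length = struct.unpack("!BHH", flight[pos:pos + 5])
        body = flight[pos + 5:pos + 5 + length]
        if ctype != HANDSHAKE or len(body) != length:
            break  # non-handshake or truncated record: stop here
        stream += body
        pos += 5 + length
    types, i = [], 0
    while i + 4 <= len(stream):
        mlen = int.from_bytes(stream[i + 1:i + 4], "big")
        if i + 4 + mlen > len(stream):
            break  # truncated handshake message
        types.append(stream[i])
        i += 4 + mlen
    return types


def requests_client_cert(flight):
    """True if the server asked the client for a certificate."""
    return CERTIFICATE_REQUEST in handshake_types(flight)


# Constructed flights: ServerHello(2), Certificate(11), optional
# CertificateRequest(13), ServerHelloDone(14); bodies are placeholders.
_HELLO = handshake(2, b"\x03\x03" + b"\x00" * 38)
_CERT = handshake(11, b"\x00\x00\x03ABC")
PLAIN_SITE = record(_HELLO + _CERT) + record(handshake(14, b""))
CLIENT_AUTH_SITE = record(_HELLO + _CERT) + record(
    handshake(13, b"\x01\x01\x00\x00") + handshake(14, b""))
```

A CertificateRequest alone is not proof of anything, since legitimate mutual-TLS deployments send it too; it is a prompt to look at who answers it and what the site otherwise serves.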
The CIA uses Hive to confuse victims: when CIA malware is discovered, victims will often misattribute who performed the hack, because Hive uses digital certificates that impersonate other organizations' CAs. The American spy agency can use these counterfeit certificates to make it appear that the attack originates from a different source, such as the Russian antivirus company Kaspersky Laboratory or the South African SSL Certificate Authority Thawte.com. By impersonating digital certificates, the CIA is able to confuse victims as to the source of the malware implanted on their devices.
“In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” WikiLeaks stated in a press release for Vault 8.
Eugene Kaspersky told Kaspersky customers that the certificates were indeed faked by the CIA, but that customers' private keys and data were safe. WikiLeaks is expected to release the source code of more of the CIA's hacking tools in the near future as part of the Vault 8 series of leaks. By releasing the source of some of the CIA's hacking tools, WikiLeaks hopes that computer forensics experts, journalists, and the general public will gain a better understanding of them. Previously, WikiLeaks exposed hacking targets of the CIA in its Vault 7 series of leaks. The CIA's SSH hacks for Microsoft Windows and Linux were also exposed in the Vault 7 series, as was how the CIA works with private corporations to hack Microsoft Windows machines.