
CIA hacking tools revealed

WikiLeaks

Part 9 - Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration.

Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

UMBRAGE

The CIA's hand-crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved, the other murders also find likely attribution.

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Fine Dining

Fine Dining comes with a standardized questionnaire, i.e. a menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation and to communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are 'Asset', 'Liason Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target, such as the type of computer, the operating system used, Internet connectivity and installed anti-virus utilities (PSPs), as well as a list of file types to be exfiltrated, such as Office documents, audio, video, images or custom file types. The 'menu' also asks whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.

Improvise (JQJIMPROVISE)

'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems: Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities, such as Margarita, allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.

HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious-looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.
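The optional client-certificate check described above has a detection angle worth knowing: in TLS 1.2 and earlier the client's Certificate message crosses the wire in cleartext, so a network sensor can flag a connection in which a client presented a certificate to a public web host that is not known to require mutual TLS (TLS 1.3 encrypts this message, so the check does not apply there). The following is an added example, not code from the leaked material or from any CIA or WikiLeaks project; the record parsing follows the TLS 1.2 wire format, while the helper names and the sample flows are constructed for illustration.

```python
import struct

HANDSHAKE = 0x16  # TLS record content type for handshake messages
HS_CLIENT_HELLO, HS_CERTIFICATE, HS_CERTIFICATE_VERIFY, HS_CLIENT_KEY_EXCHANGE = 1, 11, 15, 16

def _record(content_type: int, body: bytes) -> bytes:
    """One TLS record: 1-byte type, 2-byte legacy version (TLS 1.2), 2-byte length, body."""
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body

def _handshake(msg_type: int, body: bytes) -> bytes:
    """One handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _certificate_msg(certs: list) -> bytes:
    """Certificate message: 3-byte list length, then 3-byte-length-prefixed DER blobs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return _handshake(HS_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)

def iter_handshake_messages(stream: bytes):
    """Yield (type, body) for every handshake message in the client->server byte stream.
    Handshake messages may be split across records or share one record, so the
    handshake layer is reassembled before message boundaries are read."""
    hs = bytearray()
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype == HANDSHAKE:
            hs += stream[off + 5:off + 5 + length]
        off += 5 + length
    pos = 0
    while pos + 4 <= len(hs):
        mlen = int.from_bytes(hs[pos + 1:pos + 4], "big")
        yield hs[pos], bytes(hs[pos + 4:pos + 4 + mlen])
        pos += 4 + mlen

def client_presented_certificate(stream: bytes) -> bool:
    """True if the client sent a non-empty Certificate message. A client that was asked
    for a certificate but has none sends an empty list, which must not trigger an alert."""
    for mtype, body in iter_handshake_messages(stream):
        if mtype == HS_CERTIFICATE and len(body) >= 3:
            return int.from_bytes(body[:3], "big") > 0
    return False

# Constructed sample flows (client side only, not real captures). The first is an
# ordinary browser; the second answers a CertificateRequest with a dummy certificate.
HELLO = _record(HANDSHAKE, _handshake(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
KEYX = _record(HANDSHAKE, _handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x20" + b"\x11" * 32))
BROWSER_FLOW = HELLO + KEYX
MTLS_CLIENT_FLOW = HELLO + _record(HANDSHAKE, _certificate_msg([b"\x30\x82" + b"\xaa" * 10])) + KEYX \
    + _record(HANDSHAKE, _handshake(HS_CERTIFICATE_VERIFY, b"\x04\x01\x00\x08" + b"\xbb" * 8))
```

Run over the client half of captured TLS 1.2 sessions to a public host, a hit means that host is doing client-certificate gating, which is a reasonable thing to baseline per destination.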

Similar functionality (though limited to Windows) is provided by the RickBobby project.

