
CIA hacking tools revealed

WikiLeaks

Part 9 - Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration.

Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

UMBRAGE

The CIA's hand-crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved, the other murders also find likely attribution.

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.
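The attribution problem described in this section, shown with an added example that is not part of the WikiLeaks release: an analyst links malware samples by the overlap of their technique "fingerprints", then repeats the computation with the fingerprints known to have been lifted from another actor's malware discounted. Every sample id, fingerprint label and the BORROWED set below is constructed for illustration.

```python
"""Attribution by technique fingerprints, and how borrowed techniques distort it.

Added example; not code from the WikiLeaks release. Every sample id and
fingerprint name below is constructed for illustration.
"""
from itertools import combinations

# Each sample is the set of technique fingerprints an analyst extracted
# from it (constructed labels, not real signatures).
SAMPLES = {
    "sample-A1": {"persist.runkey.v3", "keylog.hook.v7", "exfil.https.chunked", "stealth.timestomp.x"},
    "sample-A2": {"persist.runkey.v3", "keylog.hook.v7", "exfil.https.chunked"},
    "sample-B1": {"persist.service.q", "webcam.capture.m", "exfil.dns.txt", "c2.beacon.jitter.b"},
    "sample-B2": {"persist.service.q", "webcam.capture.m", "c2.beacon.jitter.b"},
    # Otherwise unrelated tooling that reuses two techniques lifted from the B family.
    "sample-C1": {"persist.service.q", "webcam.capture.m", "destroy.wipe.z"},
}

# Fingerprints the analyst has learned circulate between actors (here: the two
# B-family techniques that C1 reuses). They carry no attribution weight.
BORROWED = frozenset({"persist.service.q", "webcam.capture.m"})


def similarity(a, b, discount=frozenset()):
    """Jaccard overlap of two fingerprint sets after removing discounted ones."""
    a, b = a - discount, b - discount
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link(samples, threshold=0.5, discount=frozenset()):
    """Pairs whose similarity reaches the threshold, with their scores."""
    links = {}
    for x, y in combinations(sorted(samples), 2):
        score = similarity(samples[x], samples[y], discount)
        if score >= threshold:
            links[(x, y)] = round(score, 3)
    return links


def clusters(samples, threshold=0.5, discount=frozenset()):
    """Connected components over the linked pairs (union-find), sorted for stable output."""
    parent = {s: s for s in samples}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for x, y in link(samples, threshold, discount):
        parent[find(x)] = find(y)
    groups = {}
    for s in samples:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("naive clustering:    ", clusters(SAMPLES))
    print("borrowed discounted: ", clusters(SAMPLES, discount=BORROWED))
```

Run naively, the B2/C1 overlap of exactly the two borrowed techniques is enough to pull C1 into the B family; once those fingerprints are discounted, C1 stands alone and the B family still holds together on its own unique evidence. That discount set is the analyst's knowledge of which components have leaked or been reused, which is precisely the knowledge a technique library like UMBRAGE is meant to deny.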

Fine Dining

Fine Dining comes with a standardized questionnaire, i.e. a menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are 'Asset', 'Liason Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target, such as the type of computer, the operating system used, Internet connectivity and installed anti-virus utilities (PSPs), as well as a list of file types to be exfiltrated, such as Office documents, audio, video, images or custom file types. The 'menu' also asks whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.

Improvise (JQJIMPROVISE)

'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems, such as Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities, such as Margarita, allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.

HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone opens the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious-looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby project.
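The client-certificate gate in the HIVE design above is also a detection angle for the defender of a targeted network: ordinary browsing almost never presents a client certificate to a public web domain, so an outbound HTTPS session that does is worth a look. The following added example (not from the WikiLeaks release) runs that heuristic over a constructed Zeek-style ssl.log excerpt. The column names follow Zeek's ssl.log fields; every address, domain and certificate subject is invented, as is the allow-list of known mutual-TLS services and the assumption that RFC 1918 space is "our network".

```python
"""Flag outbound TLS sessions that present a client certificate to public sites.

Added example, not from the WikiLeaks release. The input is a constructed
Zeek-style ssl.log excerpt: column names follow Zeek's ssl.log, values are
invented. Output is a review list for an analyst, not a verdict.
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt. Tab separated, '#fields' names the columns, '-' means unset.
SAMPLE_SSL_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tserver_name\testablished\tsubject\tclient_subject\tclient_issuer
#types\ttime\taddr\taddr\tport\tstring\tstring\tbool\tstring\tstring\tstring
1700000001.10\t10.0.0.5\t203.0.113.10\t443\tTLSv12\tcover-site.example\tT\tCN=cover-site.example\t-\t-
1700000002.20\t10.0.0.7\t203.0.113.10\t443\tTLSv12\tcover-site.example\tT\tCN=cover-site.example\tCN=device-4471\tCN=Example Implant CA
1700000003.30\t10.0.0.7\t203.0.113.10\t443\tTLSv12\tcover-site.example\tT\tCN=cover-site.example\tCN=device-4471\tCN=Example Implant CA
1700000004.40\t10.0.0.9\t198.51.100.20\t443\tTLSv12\tvpn.corp.example\tT\tCN=vpn.corp.example\tCN=alice\tCN=Corp Device CA
1700000005.50\t10.0.0.5\t10.0.0.50\t8443\tTLSv12\tsvc.internal\tT\tCN=svc.internal\tCN=web01\tCN=Corp Device CA
1700000006.60\t10.0.0.12\t203.0.113.10\t443\tTLSv12\tcover-site.example\tT\tCN=cover-site.example\t-\t-
"""

# RFC 1918 ranges stand in for "our network" (constructed assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services where mutual TLS from our hosts is expected (constructed allow-list).
KNOWN_MTLS_SERVICES = frozenset({"vpn.corp.example"})


def parse_zeek_tsv(text):
    """Parse Zeek TSV: '#fields' gives column names; other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def client_cert_to_public_sites(rows, allowlist=KNOWN_MTLS_SERVICES):
    """Sessions where an internal host presented a client cert to an external, non-allow-listed server."""
    hits = []
    for r in rows:
        if r["client_subject"] is None:
            continue  # no client certificate: ordinary browsing
        if not is_internal(r["id.orig_h"]) or is_internal(r["id.resp_h"]):
            continue  # inbound traffic or internal mutual TLS is out of scope
        server = r["server_name"] or r["id.resp_h"]
        if server in allowlist:
            continue  # known mutual-TLS service
        hits.append({"ts": r["ts"], "src": r["id.orig_h"], "server": server,
                     "client_subject": r["client_subject"], "client_issuer": r["client_issuer"]})
    return hits


def per_site_summary(rows):
    """Per external server: sessions seen, how many carried a client cert, which hosts presented one.

    A public site where a few hosts present certificates while everyone else
    does not is the pattern worth a closer look."""
    summary = defaultdict(lambda: {"sessions": 0, "with_client_cert": 0, "cert_hosts": set()})
    for r in rows:
        if is_internal(r["id.resp_h"]):
            continue
        entry = summary[r["server_name"] or r["id.resp_h"]]
        entry["sessions"] += 1
        if r["client_subject"] is not None:
            entry["with_client_cert"] += 1
            entry["cert_hosts"].add(r["id.orig_h"])
    return dict(summary)


if __name__ == "__main__":
    rows = parse_zeek_tsv(SAMPLE_SSL_LOG)
    for hit in client_cert_to_public_sites(rows):
        print("review:", hit)
    for site, entry in per_site_summary(rows).items():
        print(site, entry)
```

Two caveats apply when running this against real traffic. Corporate VPNs, device-management agents and some SaaS products legitimately use mutual TLS, so the allow-list has to be curated before the output is useful. And under TLS 1.3 the client certificate is sent encrypted, so a passive sensor will not populate client_subject at all; in that case the per-site summary (a handful of hosts talking regularly to a domain the rest of the organisation rarely visits) is what remains.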

