Early Friday morning, Wikileaks released its fifth batch of Vault 7 documents exposing the U.S. Central Intelligence Agency’s hacking techniques. The latest release, titled “Hive,” exposes the agency’s multi-platform malware suite that allows the CIA to monitor targets via malware as well as the ability to realize specific tasks on compromised machines.
Hive is said to provide customizable implants for a variety of operating systems for distinct types of devices, not just computers, tablets, and phones. Among the platforms vulnerable to Hive include Linux, Windows, Solaris, MikroTik (used in Internet routers), and AVTech Network Video Recorders (often used in CCTV recording). First released in 2010, Hive is essentially an “implant” that functions as both a beacon and shell, allowing CIA hackers to gain a foothold in devices that allow them to deploy any number of other tools, such as those detailed in previous releases.
Wikileaks has described Hive’s function as a “back-end infrastructure malware” that uses public HTTPS interfaces which provide “unsuspicious-looking cover domains” to hide its presence on infected devices. Each of those domains is linked to an IP address at a commercial Virtual Private Server (VPS) provider, which forwards all incoming traffic to what is termed a “Blot” server. All re-directed traffic is then examined by CIA hackers to see if it contains a valid beacon. If it does, then a tool handler – called Honeycomb in the released documents – and the CIA then begins initiating other actions on the target computer. The released user guide shows that Hive allows for the uploading and deleting of files as well as the execution of applications on the device.
Unlike some other Vault 7 tools which can persist indefinitely on targeted devices, Hive comes with a “self-delete” function that allows the malware to destroy itself if it receives no signal from the CIA for a set amount of time. The self-deletion leaves only a log and configuration file, containing only a time-stamp behind. Apparently this feature posed difficulties to CIA developers as the self-deletion can “be problematic due to the inability to accurately assess the reliability of the host’s system clock,” according to the Hive Developers Guide.
Wikileaks noted that anti-virus companies along with forensic experts have noticed before that malware, potentially originating from a state-actor, utilized the same back-end infrastructure implantation that Hive employs. Through the analysis of the communication between specific implants, these experts and software companies were able to determine that the malware’s origin came from a “well-resourced organization which was involved in intelligence gathering operations.”
However, there had been unable to attribute the back-end or the implants to the CIA, though Wikileaks’ release of Hive may change that. Indeed, Wikileaks noted in its press release that “The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.”
Wikileaks’ latest release comes on the heels of CIA director Mike Pompeo’s aggressive statements against the transparency organization in which he labeled them “non-state hostile intelligence service.” He also condemned Wikileaks’ editor-in-chief, Julian Assange of making “common cause with dictators.” While other CIA directors have targeted both Wikileaks and Assange in the past, Wikileaks now five releases of top secret CIA hacking tools may have prompted an escalation in Pompeo’s rhetoric. It remains to be seen if this rhetoric will translate into action, however.
Assange, for his part, doesn’t seem too concerned, choosing to respond with a witty retort that incisively pointed out the CIA’s lack of credibility in making such accusations:
Called a "non-state intelligence service" today by the "state non-intelligence agency" which produced al-Qaeda, ISIS, Iraq, Iran & Pinochet.— Julian Assange (@JulianAssange) April 14, 2017
Source and links: