Earlier this month, WikiLeaks published the first in a series of Vault8 releases, which includes source code for hacking tools attributed to the CIA.
This is the next stage in a slow drip of information from WikiLeaks (which began several months ago) revealing the size and scope of the American agency's cyber operations. In September, WikiLeaks issued details of 23 secret CIA hacking tool projects under Vault7.
Now it’s going even further with a publication that it says “will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components”.
However, in the brief accompanying statement, Wikileaks also reassures that, “like WikiLeaks’ earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.”
Several security experts on Twitter, including Martijn Grooten, the editor of Virus Bulletin, have agreed that the source code offers cyber criminals little they could repurpose ("no more than an average advanced malware analysis"). Furthermore, the source code released in the Vault8 series so far contains only software designed to run on servers controlled by the CIA, not the implants themselves.
Jake Williams, a former NSA hacker now employed by cybersecurity firm Rendition InfoSec, told Motherboard (Vice) that he doesn't believe the code is dangerous; however, he did warn that if code is released "for other tools described in Vault 7, [it] could give attackers the ability to exploit and implant new machines."
The Vault8 release does include source code for "Project Hive", revealing the project to be the communications back end for CIA malware: an advanced command-and-control (C2) server that sends tasking to implants on target machines and receives the data they exfiltrate. Hive is a multi-user, all-in-one system that multiple CIA operatives use to remotely control malware implants embedded across multiple operations. Its infrastructure is designed to frustrate attribution: ordinary visitors to the public-facing server see an innocuous cover website, while implant traffic is relayed over a Virtual Private Network (VPN) through several stages before it reaches the CIA's back end.
Vault8 also provides details of how false certificates were created to hide the implants' traffic from security filters and network administrators.
“Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities,” WikiLeaks says.
The three examples included in the source code generate a false certificate that names the Moscow-headquartered anti-virus company Kaspersky Lab as its subject and pretends to be signed by the digital certificate company Thawte Premium Server CA of Cape Town; the issuer field carries Thawte's name, but the signature is not Thawte's.
WikiLeaks explained: “In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”
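The practitioner's lesson from the Hive certificates is that the names inside a certificate prove nothing on their own: a subject that says "Kaspersky Lab" and an issuer that says "Thawte Premium Server CA" can be typed into any certificate builder. What cannot be faked without the CA's private key is the signature. The following is an added example, not code from the Hive release or from any vendor, showing the difference between the two checks. It constructs its own stand-in for a genuine CA (a freshly generated key, not Thawte's real key), a forger's self-made CA whose distinguished name copies the genuine one, and a Kaspersky-looking leaf certificate issued by the forger's CA; the organisation strings used in the distinguished names are illustrative assumptions, not copied from real certificates. It requires the third-party `cryptography` package.

```python
"""Issuer-name matching vs. signature verification against a trust store.

Added example (not Hive code). Everything here is generated offline:
  * genuine_ca : stand-in for a real CA; its key is generated here and is
                 NOT the real Thawte key (assumption for the demo)
  * forged_ca  : the forger's own CA, whose subject DN copies genuine_ca's
  * honest_leaf: a 'Kaspersky Lab' cert actually signed by genuine_ca
  * forged_leaf: the same subject, same issuer *name*, signed by forged_ca
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def dn(common_name, org, country):
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


# Names modelled on the article; organisation strings are illustrative.
CA_DN = dn("Thawte Premium Server CA", "Thawte Consulting cc", "ZA")
LEAF_DN = dn("Kaspersky Lab", "Kaspersky Lab ZAO", "RU")


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_cert(subject, issuer, public_key, signing_key, is_ca):
    """Build and sign an X.509 certificate with the given subject/issuer DNs."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_scenario():
    genuine_ca_key = new_key()
    genuine_ca = build_cert(CA_DN, CA_DN, genuine_ca_key.public_key(), genuine_ca_key, True)

    # The forger controls this key; only the DN is copied from the genuine CA.
    forged_ca_key = new_key()
    forged_ca = build_cert(CA_DN, CA_DN, forged_ca_key.public_key(), forged_ca_key, True)

    leaf_key = new_key()
    honest_leaf = build_cert(LEAF_DN, CA_DN, leaf_key.public_key(), genuine_ca_key, False)
    forged_leaf = build_cert(LEAF_DN, CA_DN, leaf_key.public_key(), forged_ca_key, False)

    return {
        "trust_store": [genuine_ca],
        "forged_ca": forged_ca,
        "honest_leaf": honest_leaf,
        "forged_leaf": forged_leaf,
    }


def issuer_name_is_trusted(cert, trust_store):
    """Naive check: compare the issuer DN to trusted subjects. A copied DN passes."""
    return any(cert.issuer == ca.subject for ca in trust_store)


def chains_to_trust_store(cert, trust_store):
    """Proper check: the issuer's *actual* key must verify the leaf's signature."""
    for ca in trust_store:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(
                cert.signature,
                cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue  # same name, wrong key: keep looking, then fail
    return False


def sha256_fingerprint(cert):
    """What to log and pin: the certificate hash, not the names inside it."""
    return cert.fingerprint(hashes.SHA256()).hex()


SCENARIO = build_scenario()

if __name__ == "__main__":
    store = SCENARIO["trust_store"]
    for label in ("honest_leaf", "forged_leaf"):
        cert = SCENARIO[label]
        print(label, "issuer-name check:", issuer_name_is_trusted(cert, store),
              "| chain check:", chains_to_trust_store(cert, store),
              "| sha256:", sha256_fingerprint(cert)[:16], "...")
```

The forged leaf passes the name check and fails the chain check, which is exactly the gap Hive's impersonation exploits: an analyst grepping issuer strings out of TLS logs will attribute the traffic to Kaspersky and Thawte, while proper validation against a trust store flags it as signed by nobody the store knows. The fingerprint is the durable indicator to record.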
Rick McElroy, senior security strategist at Carbon Black, pointed out that the CIA’s creation of false certificates for Kaspersky Lab further “muddies the waters when it comes to the question of is Kaspersky really part of Russian intelligence.”
“They [the CIA] have shown repeatedly that they can make their operations look like other teams (Russia, China etc) which makes attribution of cyber-attacks difficult and in and of itself makes conspiracy theories run rampant,” he added.
McElroy further argued that the US intelligence agencies' failure to keep their tools secret could encourage attacks by other nation states.
“It helps all the nations understand how we do our operations which makes them better able to defend. It also ‘justifies’ countries like Russia doing it. After all, if the US is the leader, how can we expect others to not do it?” he argued.
“If you think the 2016 election cycle was bad, wait, because it won’t just be Russia in 2020.”
The CIA continues to state that it has "no comment on the authenticity of purported intelligence documents released by Wikileaks."