March 8, 2017

WHAT IS VAULT 7?




From the Pentagon Papers to Watergate, the Iraq War Logs to Snowden, we now have Wikileaks' Vault 7.  After a series of cryptic messages by Wikileaks, we now have the answer to 'What is Vault 7?'.  The first part in a series of the Vault 7 documents, named "Year Zero", consists of approximately 8,700 documents and files directly from the CIA's isolated high-security network at Langley, Virginia.


With this information we can see HOW the CIA collects information, destroys information and spies on targets.  This is important in order to determine scope and legality of the CIA's operations domestically as well as overseas.  Within the documents is a list of projects, operations and tools that the CIA uses to accomplish everything from hacking wifi networks with your smart phone to taking control of your Smart TV and Smart Car.  Little imagination is needed to see how these capabilities could be exploited by an agency with an agenda.  Furthermore, it may make you wonder if you have ever been inadvertently part of a CIA operation or the subject of an investigation.

I have taken the time to look through the leaks for capabilities and specific programs used by the CIA that may be of some interest to you.


UMBRAGE

Is a library of stolen malware and attack techniques that can be used to create a false narrative (Russian hacking?) or attribution as to the source of a cyber attack. Some of the techniques used within UMBRAGE include: keyloggers, covert password collection, webcam capture, data destruction, data upload, antivirus avoidance and stealth infiltration.


Fine Dining

A questionnaire that a CIA operative can fill out in order to obtain the appropriate tools to exploit a user, computer or system. Though seemingly innocuous, when considered under UMBRAGE an operation can be controlled in a way which can create a narrative that can be exploited through government propaganda.  (Here is a link to the document in order to read the questionnaire:  https://wikileaks.org/ciav7p1/cms/page_20251099.html)

Improvise (JQJIMPROVISE)

A tool-set for configuring, post-processing, payload setup and execution selection for infiltration/exfiltration tools on all major operating systems: Windows (code name Bartender), MacOS (JukeBox) and Linux (DanceFloor).  It works in conjunction with 'Fine Dining' to customize the tools called for by the questionnaire.


HIVE

It's a multi-platform malware suite and its associated control software.  It provides customized implants for Windows, Solaris, MikroTik (for routers) and Linux platforms and creates a listening post/command and control infrastructure to communicate with these implants.  The implants communicate through HTTPS using the webserver of a cover domain.  Each operation that uses these implants has a cover domain, and each cover domain leads to a commercial private server provider.  A true connection to the server can only be established by the implant; all other visitors are directed to an unsuspicious-looking website.
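Because HIVE traffic is HTTPS to an ordinary-looking cover domain on commercial hosting, a defender usually cannot tell it apart by destination or content. What remains visible in proxy logs is timing: an implant that checks in on a schedule produces connections with far more regular intervals than a person browsing. The script below is an added example (not code from the Vault 7 documents or from any CIA tool) that scores each client/host pair by the regularity of its inter-connection gaps. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Beaconing heuristic over HTTPS proxy logs (added example, not from Vault 7)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in an assumed format: "<timestamp> <client-ip> CONNECT <host>:<port>"
SAMPLE_LOG = """\
2017-03-08T09:00:00 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:00:07 10.0.0.5 CONNECT cdn.example.org:443
2017-03-08T09:05:01 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:10:00 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:11:43 10.0.0.5 CONNECT mail.example.net:443
2017-03-08T09:15:02 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:20:00 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:25:01 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:26:10 10.0.0.5 CONNECT cdn.example.org:443
2017-03-08T09:30:00 10.0.0.5 CONNECT news.example.com:443
2017-03-08T09:41:00 10.0.0.5 CONNECT cdn.example.org:443
2017-03-08T09:42:30 10.0.0.5 CONNECT cdn.example.org:443
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} for every CONNECT line."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "CONNECT":
            continue  # skip anything that is not a CONNECT record
        stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        host = parts[3].rsplit(":", 1)[0]
        sessions[(parts[1], host)].append(stamp)
    return sessions


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    Lower means more periodic. Returns None when there are too few
    connections to judge or when all connections share one timestamp."""
    if len(timestamps) < 5:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(client, host, mean_gap_seconds)] for pairs whose gap jitter
    is below max_cv (threshold is an assumption; tune against real logs)."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is None or cv > max_cv:
            continue
        ordered = sorted(stamps)
        avg = mean((b - a).total_seconds() for a, b in zip(ordered, ordered[1:]))
        hits.append((client, host, round(avg)))
    return hits


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"periodic HTTPS check-in: {client} -> {host} every ~{gap}s")
```

In the constructed sample the connections to news.example.com arrive every five minutes with only a second or two of jitter and are flagged, while the irregular cdn and mail traffic is not. Real implants add random sleep jitter, so a threshold this tight would miss them; raising max_cv and lengthening the observation window trades false positives for coverage.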


RickyBobby

An umbrella of cryptographic tools used to develop trojans under the code name "FightClub".  It is similar to HIVE in function.  It allows undetected upload/download of files and provides for manipulation of executable files on target systems running Windows and Windows Server.

The programs the CIA trojanizes in this project include:  VLC Player, Win-Rar, TrueCrypt, ConnectifyMe, Shamela Reader, Microsoft Office Standalone Installer and Adobe Reader Installer. EDG was able to supply the following trojans in the operational timeline: VLC Player, Win-Rar, TrueCrypt, Shamela. The six thumbdrives sent to the field for operational use had 4 self-extracting Win-Rars (Wraith), 2 VLC players, 2 TrueCrypt applications and 2 Shamela applications.  Cover documents included TrueCrypt containers with keys, videos, documents and images.

The project can hijack DLL files used by Skype, Opera, Sandisk, Notepad, Chrome and FoxitReader.  It can also infect GIFs and other media with a trojan in order to create an exploit for other hacking tools.


Rain Maker

Utilizes a free and open source media player in order to collect information from a computer using removable media.


Spottsroide

Turns an Android phone into a bulk spying device for the wifi networks within range of that device.


Wrecking Crew

A list of programs and techniques to kill processes and "troll people" in order to frustrate the user of a computer and/or its processes.  It can also be used to "knock over" PSPs (personal security products such as antivirus).

TheIronBank

Collects all TCP connections, open TCP ports, all open UDP ports, the ARP table, DNS cache and the local routing table at set intervals on a target system.


DriftingShadows

A program that utilizes remotely programmable DLL files in order to accomplish 'process hollowing' via a program called GRAVITYTURN.  It injects malware into a system in a way that avoids detection by that system's checks and balances: it hijacks an existing process and adds undetectable code to it to perform malware tasks.  An open port trojan.


StrawHat

Utilizes the Microsoft IFilter plugin interface in order to collect just the text from files with extensions chosen by the operator.  Commonly exploited through Adobe Reader, Microsoft Office and Open Office.


Captain Jack

Used to steal stored passwords from browsers and your OS.


Below is a list of known programs, systems and delivery devices the CIA uses or exploits:

ClamAV
Norton
Kaspersky
Avira
Zone Alarm
Rising
F-secure
Semana Antilogger
EMET
Malwarebytes
Bitdefender
Panda Security
Trend Micro
ESET
Avast
AVG
Symantec
McAfee
Comodo
Microsoft Security Essentials
GDATA
Ubuntu
Linux
Windows
DirectX
Windows API
VLC Player
Win Rar
TrueCrypt
ConnectifyMe
Shamela Reader
Microsoft Office Standalone Installer
Adobe Reader Installer
Android
OS X
Routers
USB devices
CDs/DVDs
Images
GIFs



These CIA revelations in conjunction with those of the NSA paint a pretty dark future for privacy and freedom. Edward Snowden made us aware of the NSA's programs XKEYSCORE and PRISM, which are utilized to monitor and bulk collect information from virtually any electronic device on the planet and put it into a searchable database.  Now Wikileaks has published what appears to be additional Big Brother techniques used by a competing agency.  Say what you want about the method of discovery, but Pandora's box has been opened.
