Vault 8 – WikiLeaks releases source code for CIA Hive malware control platform

Pierluigi Paganini November 09, 2017

Wikileaks released the first batch of documents starting with the source code and development logs of the Project Hive.

Today the popular whistleblower organization Wikileaks announced a new Vault 8 series that shed the light on the source code and the hacking infrastructure developed by the CIA.

Anyone can access the source code and analyze it, likely in the next days, the security community will share the findings of the analysis conducted by independent experts.

Wikileaks released the first batch of documents starting with the source code and development logs of the Project Hive.

“Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention.” Plus.google.com/b/114665933116427757135/ Wikileaks. “Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.”

This isn’t the first time that documents related to the Project Hive were leaked online, in April Wikileaks published some documents about it, describing it as a sort of malware command and control infrastructure used by the US agency to control its malicious code and exfiltrate information from the target systems.

Hive infrastructure can be used by CIA agents involved in multiple operations and using multiple implants on target computers.

CIA experts have developed the Hive platform to make hard the attribution of the attacks, the infrastructure leverages public facing fake websites of the CIA back-end infrastructure that operated as a relay for traffic over a VPN connection to a “hidden” CIA server called ‘Blot’. With this network design, even when an implant is discovered on the infected machine, it is very hard to attribute it by monitoring the malicious traffic.

“Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called ‘Blot’.” continues Wikileaks.

The CIA implants communicate with a fake website that runs over commercial VPS (Virtual Private Server).

Hive

The Blot server is used to forward the traffic to an implant operator management gateway called ‘Honeycomb.’

In order to evade detection, the malicious codes were digitally signed, a common practice in the community of malware authors. CIA used digital certificates for authentication of the implants that are generated by its experts by impersonating existing entities.

The three examples included in the leaked source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town.

“Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town.” continues Wikileaks. “In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”

Wikileaks confirmed that no zero-day exploit will be exploited to avoid abuses in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Vault 8, CIA)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment