Contributed from Queensland
Yesterday (31 March 2017), WikiLeaks released more files from the Vault 7 collection of leaked documents, which includes software and associated manuals used for hacking purposes. Access to the 676 source code files reveals the CIA’s secret anti-forensic Marble Framework.
It is no secret that the CIA has been involved in penetrating and interfering with sites since the Internet came into existence. As well as intelligence gathering, penetration is used to hamper the operation of these sites and, sometimes, to insert false information.
It is a mistake to assume that only “designated” terror organisations and foreign governments are spied on. A great deal of the attention is aimed at organisations and individuals considered a political risk and critical of American policy. This includes thousands of Australians.
Although the nature and sophistication of an attack may point to CIA involvement, it is often hard to prove. WikiLeaks’ access to the Vault 7 files has been a game changer. The leaked treasure trove includes software used by the spy agency.
Marble is an example. It is used to prevent forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA, by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialised CIA tool to place covers over the English language text on U.S. produced weapons systems, before giving them to insurgents secretly backed by the CIA.
Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”
The Marble source code also includes a deobfuscator, to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators in attributing previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016.
The source code shows that Marble has test examples, not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game: for example, pretending that the spoken language of the malware creator was not American English but Chinese, and then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion. There are other possibilities too, such as hiding fake error messages.
The CIA also uses several projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed), developed by the CIA’s Embedded Development Branch (EDB). WikiLeaks obtained documents that explain the techniques used by the CIA to gain ‘persistence’ on Apple devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware. This shows how easy it is to access technology like the Mac, which is why things like Mac security software are so important to protect your devices.
Among other things, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting,” allowing an attacker to boot its attack software, for example, from a USB stick, “even when a firmware password is enabled”. Another program, the “Sonic Screwdriver” infector, is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
Then there is “DarkSeaSkies,” which is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Add to this the “Triton” Mac OSX malware, its infector “Dark Mallet” and the EFI-persistent version “DerStarke”.
NightSkies, a “beacon/loader/implant tool,” is designed to be physically installed into factory-fresh iPhones and has been in use since 2008. This is a tracking tool that can also be used to re-direct communications.