WikiLeaks Docs Show How the CIA Allegedly Infected Offline Computers
It seems that more and more information continues to come to light regarding hacking, not just by the average hacker, but by the CIA and other government agencies, too.
At the end of June, WikiLeaks published documents describing how the CIA infected offline computers by "air-gap jumping." Air-gapping is a security measure that isolates a computer or network so that it has no external connection: the devices cannot connect, wirelessly or by cable, to other computers or network equipment, which makes them largely immune to remote attack over a network. The gap only blocks network paths, though; anything carried across it on removable media is the exposure that remains.
Classified military networks, the payment networks that process credit and debit card transactions for retailers, and industrial control systems that run vital infrastructure are typical examples of networks that use air-gapping. Keeping them secure means keeping them on internal networks that are not connected to the organization's business network, so that an intruder who gets into the corporate network from the Internet cannot weasel their way into the sensitive systems.
But sometimes, as is being revealed by WikiLeaks, there’s a way around an air-gap. WikiLeaks recently published a series of alleged CIA documents showing how the CIA’s malware was designed to infect these types of targets.
The exposed documents show that the CIA kept developing its own hacking tools; earlier releases in the same series covered devices such as smart TVs and Internet routers, while this batch describes a suite for reaching isolated computers. Called Brutal Kangaroo, the suite consists of several components: Drifting Deadline, a thumbdrive infection tool; Shattered Assurance, a server tool that automates the infection of USB drives; Broken Promise, a post-processor that evaluates the collected information; and Shadow, the main persistence mechanism.
“Brutal Kangaroo is a tool suite for targeting closed networks by air gap jumping using thumbdrives,” one of the documents notes. The 11 files in question come from the CIA’s Engineering Development Group, and allegedly span from 2012 to 2016.
According to the documents, the CIA reaches an air-gapped computer in stages. It first remotely installs malware on an Internet-connected machine in the target organization, the "primary host." That malware infects any USB thumbdrive plugged into the primary host. When an unaware user later plugs the drive into an air-gapped computer the CIA cannot reach over the network, the drive infects that computer too. Data collected there is staged on the thumbdrive and relayed back to the CIA the next time the drive is plugged into the primary host.
Once the malware has taken hold, the project sets up its own "custom covert network" among the infected air-gapped machines. Operators can designate files for collection, survey the victim machines, launch their own executables, delete a predetermined list of files, and more.
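The hop described above leaves one observable on the defender's side: a removable device whose hardware serial number shows up on both an Internet-connected host and an isolated one, and then comes back. The following Python script is an added example written for this article; it is not code from the article or from the leaked documents. It assumes a constructed, simplified insertion log (timestamp, host, network zone, device serial), flags every drive that bridges zones, and counts how often such a drive returns from the isolated zone to the corporate one, since each return is a potential exfiltration window.

```python
"""Flag removable drives that bridge an air gap.

Added example, not part of the original article or the leaked documents.
The log format below is an assumption for illustration: one line per USB
insertion, "timestamp host zone device_serial". In practice these records
would be built from Windows' DriverFrameworks-UserMode operational log or
from Linux udev/kernel messages, which both record the device serial.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the same thumbdrive serial is seen first on an
# Internet-connected workstation, then on an isolated host, then back on
# the workstation, which is exactly the round trip the documents describe.
SAMPLE_LOG = """\
2017-11-20T08:01:12 ws-017 corporate 4C530001230218109063
2017-11-20T09:40:55 ws-042 corporate 0781555B1C2D3E4F
2017-11-20T13:22:07 hmi-03 airgap 4C530001230218109063
2017-11-21T07:15:30 ws-017 corporate 4C530001230218109063
2017-11-21T10:05:00 hmi-03 airgap 0A1B2C3D4E5F6071
"""


def parse_log(text):
    """Parse the assumed log format into a list of insertion records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, zone, serial = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "zone": zone,
            "serial": serial,
        })
    return records


def find_zone_bridging_devices(records):
    """Return {serial: [(iso_timestamp, host, zone), ...]} for every device
    seen in more than one zone, with its hops in chronological order."""
    by_serial = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_serial[rec["serial"]].append(rec)

    findings = {}
    for serial, hops in by_serial.items():
        zones = {h["zone"] for h in hops}
        if len(zones) > 1:
            findings[serial] = [
                (h["ts"].isoformat(), h["host"], h["zone"]) for h in hops
            ]
    return findings


def round_trips(hops):
    """Count airgap -> corporate transitions in an ordered hop list. Each one
    is a moment when data staged on the drive could leave the isolated zone."""
    count = 0
    for prev, cur in zip(hops, hops[1:]):
        if prev[2] == "airgap" and cur[2] == "corporate":
            count += 1
    return count


if __name__ == "__main__":
    findings = find_zone_bridging_devices(parse_log(SAMPLE_LOG))
    for serial, hops in findings.items():
        print(f"ALERT: device {serial} seen in {len(hops)} insertions across zones, "
              f"{round_trips(hops)} return(s) from the isolated zone")
        for ts, host, zone in hops:
            print(f"    {ts}  {host:<8} {zone}")
```

The correlation only works if insertion events from the isolated hosts are collected somewhere they can be compared with the corporate ones, which itself has to happen without adding a network path across the gap (for example, by exporting the isolated hosts' logs on write-once media on a schedule). A drive that appears only in the isolated zone is not flagged; the signal is the crossing, not the use of USB as such.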
As the leak notes, one section of the user guide records problems the malware ran into with certain antivirus products. Symantec's product, for instance, is said to raise a pop-up when the malware tried to run automatically from the drive.
A court filing from earlier this year revealed that the Department of Justice may have mistakenly confirmed the authenticity of the CIA documents.
In February 2015, the FBI took over Playpen, a dark-web child pornography site, and for a time ran it while deploying a "network investigative technique," a piece of malware, to unmask the site's users. The investigation led to hundreds of arrests, but it also generated dozens of court cases across the U.S. over the legality of the warrant that authorized the hacking operation and over whether defendants could see the source code of the tool used to hack their computers.
Hacking undoubtedly remains a controversial subject, and while it can be useful in exposing dangers to society, it also raises serious ethical issues about the value and safekeeping of our privacy.
November 26, 2017