Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Athena
19 May, 2017

Leaked Documents: Athena v1.0 User Guide; Athena Technology Overview; Athena (Design); Athena (Demo); Athena (Design/Engine)

Today, May 19th 2017, WikiLeaks publishes documents from the "Athena" project of the CIA. "Athena", like the related "Hera" system, provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10). Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system. It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation.

According to the documentation (see Athena Technology Overview), the malware was developed by the CIA in cooperation with Siege Technologies, a self-proclaimed cyber security company based in New Hampshire, US. On their website, Siege Technologies states that the company "...focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets." On November 15th, 2016 Nehemiah Security announced the acquisition of Siege Technologies.

In an email from HackingTeam (published by WikiLeaks here), Jason Syversen, founder of Siege Technologies with a background in cryptography and hacking, "...said he set out to create the equivalent of the military's so-called probability of kill metric, a statistical analysis of whether an attack is likely to succeed. 'I feel more comfortable working on electronic warfare,' he said. 'It's a little different than bombs and nuclear weapons; that's a morally complex field to be in. Now instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody.'"
AfterMidnight
12 May, 2017

Leaked Documents: AfterMidnight v1.0 Users Guide; AlphaGremlin v0.1.0 Users Guide; AfterMidnight Diagrams; Assassin v1.4 Users Guide; Assassin v1.3 Users Guide

Today, May 12th 2017, WikiLeaks publishes "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform.

"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via a HTTPS based Listening Post (LP) system called "Octopus". Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. "Assassin" (just like "AfterMidnight") will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as "The Gibson" and allow operators to perform specific tasks on an infected target.
Archimedes
5 May, 2017

Leaked Documents: Archimedes 1.0 User Guide; Archimedes 1.3 Addendum; Archimedes 1.2 Addendum; Archimedes 1.1 Addendum; Fulcrum User Manual v0.62

Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the redirecting of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target computer's web browser to an exploitation server while appearing as a normal browsing session.

The document illustrates a type of attack within a "protected environment", as the tool is deployed into an existing local network, abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
Scribbles
28 April, 2017

Leaked Documents: Scribbles v1.0 RC1 User Guide; Scribbles (Source Code); Scribbles v1.0 RC1 IVVRR Checklist; Scribbles v1.0 RC1 Readiness Review Worksheet

Today, April 28th 2017, WikiLeaks publishes the documentation and source code for CIA's "Scribbles" project, a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March 1st, 2016 and classified SECRET//ORCON/NOFORN until 2066.

Scribbles is intended for offline preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on [...] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password protected". But this limitation to Microsoft Office documents seems to create problems: "If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them."

Security researchers and forensic experts will find more detailed information on how watermarks are applied to documents in the source code, which is included in this publication as a zipped archive.
Weeping Angel
21 April, 2017

Leaked Documents: Extending User Guide

Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool, an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.

The classification marks of the User Guide document hint that it was originally written by the British MI5/BTSS and later shared with the CIA. Both agencies collaborated on the further development of the malware and coordinated their work in Joint Development Workshops.
Hive
14 April, 2017

Leaked Documents: Users Guide; Developers Guide; Developers Guide (Figures); Hive Beacon Infrastructure; Hive Infrastructure Installation and Configuration Guide

Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's HIVE project created by its "Embedded Development Branch" (EDB).

HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.

Anti-Virus companies and forensic experts have noticed that some possible state-actor malware used such kind of back-end infrastructure by analyzing the communication behaviour of these specific implants, but were unable to attribute the back-end (and therefore the implant itself) to operations run by the CIA. In a recent blog post by Symantec, that was able to attribute the "Longhorn" activities to the CIA based on the Vault 7, such back-end infrastructure is described:

"For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification."

The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.
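Both the AfterMidnight/Assassin release above (an implant that "will call back to a configured LP on a configurable schedule") and the Hive release (HTTPS cover domains that look unremarkable by name) point at the same defensive observation: the content is encrypted and the domain is plausible, but the timing of the call-backs is regular. The script below is an added example written for this page, not code from any of the leaked projects or from WikiLeaks. It runs over a constructed proxy-log sample (the IPs and hostnames are placeholders) and flags source/destination pairs whose inter-connection gaps are nearly constant, using the coefficient of variation so that one threshold works regardless of whether the schedule is ten minutes or six hours.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample, one connection per line:
#   "<ISO-8601 timestamp> <source ip> <destination host> <destination port>"
# 10.0.0.5 -> sync.cover-domain.example fires every ten minutes with a second
# or two of jitter; the other pairs are ordinary, irregular browsing.
SAMPLE_LOG = """\
2017-05-19T10:00:00+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T10:00:05+00:00 10.0.0.7 news.example 443
2017-05-19T10:03:40+00:00 10.0.0.7 news.example 443
2017-05-19T10:04:02+00:00 10.0.0.7 news.example 443
2017-05-19T10:10:00+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T10:12:30+00:00 10.0.0.5 mail.example 443
2017-05-19T10:20:00+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T10:30:01+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T10:31:15+00:00 10.0.0.7 news.example 443
2017-05-19T10:32:00+00:00 10.0.0.7 news.example 443
2017-05-19T10:40:00+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T10:45:10+00:00 10.0.0.5 mail.example 443
2017-05-19T10:50:00+00:00 10.0.0.5 sync.cover-domain.example 443
2017-05-19T11:10:44+00:00 10.0.0.7 news.example 443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_periodic_pairs(log_text, min_events=5, max_cv=0.1):
    """Group connections by (src, dst), measure the gaps between consecutive
    connections, and flag pairs whose gaps are nearly constant.
    cv = population stdev / mean of the gaps; a fixed schedule with small
    jitter gives a cv near zero, human browsing gives a cv near or above one.
    Returns {(src, dst): (mean_gap_seconds, cv)} for flagged pairs only."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = parse_line(line)
        stamps[(src, dst)].append(ts)

    flagged = {}
    for pair, times in stamps.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged[pair] = (round(mean_gap), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_periodic_pairs(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

The thresholds are the tuning knobs: min_events guards against flagging two coincidental connections, and max_cv decides how much jitter still counts as a schedule. A pair that is flagged is a lead for the "communication behaviour" analysis the release describes, not an attribution by itself; legitimate software updaters and monitoring agents beacon just as regularly, so the destination host still has to be checked against known-good infrastructure.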
Grasshopper
7 April, 2017

Leaked Documents: Grasshopper v1_1 Admin Guide; Grasshopper v2_0_2 User Guide; StolenGoods 2_1 User Guide; GH Module Null v2_0 User Guide; GH Module Buffalo Bamboo v1_0 User Guide

Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper": 27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like 'MS Security Essentials', 'Rising', 'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.

One of the persistence mechanisms used by the CIA here is 'Stolen Goods', whose "components were taken from malware known as Carberp, a suspected Russian organized crime rootkit", confirming the recycling of malware found on the Internet by the CIA. "The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware." While the CIA claims that "[most] of Carberp was not used in Stolen Goods" they do acknowledge that "[the] persistence method, and parts of the installer, were taken and modified to fit our needs", providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the Italian company "HackingTeam".

The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise.
Marble Framework
31 March, 2017

Leaked Documents: Marble Framework (Source Code)

Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble": 676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.

Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy to use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion. There are other possibilities too, such as hiding fake error messages.

The Marble Framework is used for obfuscation only and does not contain any vulnerabilities or exploits by itself.
Dark Matter
23 March, 2017

Leaked Documents: Sonic Screwdriver; DerStarke v1.4; DerStarke v1.4 RC1 IVVRR Checklist; DarkSeaSkies v1.0 Test Plan Procedures; FDOS_1_0_FINAL_freedos_setup_odin

Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting", allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke" are also included in this release. While the DerStarke 1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke 2.0.

Also included in this release is the manual for the CIA's "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory-fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
Media Partners: DER SPIEGEL (Germany); LA REPUBBLICA (Italy); LIBERATION (France); MEDIAPART (France)