CIA Vault 7 Data Leak: What Do We Know Now?

May 8, 2017 by Pierluigi Paganini

The Vault 7

The WikiLeaks organization obtained thousands of files allegedly originating from a network of the U.S. Central Intelligence Agency (CIA). In this post, I will try to summarize what has happened in the last weeks and what the organization has disclosed:

  • Year Zero, which revealed CIA hacking exploits for hardware and software.
  • Dark Matter, a dump containing iPhone and Mac hacking exploits.
  • Marble, a batch focused on a framework the CIA uses to make attribution of its cyber attacks harder.
  • Grasshopper, a batch that reveals a framework for customizing malware to break into Microsoft Windows and bypass antivirus protection.
  • The Scribbles project for document tracking.

The Year Zero dump – The Beginning

On March 7th, 2017 WikiLeaks published the first batch of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA).


The organization announced it had obtained thousands of files that expose the hacking capabilities of the CIA and its internal organizations; the huge trove of data was called "Vault 7."

WikiLeaks dubbed the first part of the precious archive "Year Zero," a collection of 8,761 secret documents and files stolen from the CIA Centre in Langley.

"The first full part of the series, 'Year Zero,' comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia." reads the announcement issued by WikiLeaks.

The archive includes the hacking tools and malicious code used by the US intelligence during its operations. Some of the exploits included in the dump were specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

"Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero days" exploits, malware remote control systems and associated documentation."

According to WikiLeaks, the precious archive appears to have been circulated among former US government experts and contractors in an unauthorized manner. One of them likely provided the files to WikiLeaks.

The CIA arsenal includes hacking tools developed by the CCI's Engineering Development Group (EDG) to target almost every technology, from mobile devices to desktop computers, and of course IoT devices such as routers and smart TVs.

The archive confirmed that US intelligence keeps dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

The documents revealed the existence of the EDG development team, which is tasked with creating and testing all malicious code, including implants, backdoors, exploits, Trojans and viruses.

"CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation)." continues WikiLeaks.

While leaking the precious information, WikiLeaks confirmed that it would not release the tools and exploits "until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published."

The precious documentation confirms the intense collaboration with other internal and foreign intelligence agencies, including the NSA, the British GCHQ and MI5, and also other contractors.

One of the documents in the first lot reports the details of a hacking tool dubbed Weeping Angel, used to hack Samsung Smart TVs, which the CIA developed together with peers at MI5.

"The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server." continues WikiLeaks.

Digging into the Year Zero dump, experts also discovered that CIA hackers were able to bypass the encryption implemented by the most popular secure messaging apps, such as Signal, WhatsApp, and Telegram.

Figure 1 - CIA Organization chart

Vault 7 Episode 2 – The Dark Matter

On March 23, WikiLeaks released the second batch of the CIA's Vault 7 dump, containing documents that show the Agency hacking systems worldwide.

The second batch of information, dubbed 'Dark Matter', contains five documents related to the hacking tools, techniques and exploit code used by the CIA to hack Apple MacBook and iOS devices.

Figure 2 - Vault 7 Dark Matter

The hacking tools and techniques were devised by a CIA unit called the Embedded Development Branch (EDB).

"Today, March 23rd, 2017, WikiLeaks releases Vault 7 'Dark Matter,' which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware." reads the Dark Matter description provided by WikiLeaks.

CIA experts found a way to infect Apple firmware to gain persistence; in this way the attackers were able to maintain the infection on Mac OS and iOS devices even if the operating system was re-installed.

According to WikiLeaks, one of the most interesting documents is related to the "Sonic Screwdriver" project, which is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting," allowing an attacker to boot its attack software, for example from a USB stick, "even when a firmware password is enabled".

The technique allows a local attacker to boot its hacking tool from a peripheral device (i.e. USB stick, screwdriver), "even when a firmware password is enabled" on the device. This implies that Sonic Screwdriver allows attackers to modify the read-only memory of a device; the documents revealed that the malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

Digging in the Dark Matter dump, we can find the NightSkies 1.2 hacking tool, which is described as a "beacon/loader/implant tool" for the Apple iPhone.

"Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. I.e., the CIA has been infecting the iPhone supply chain of its targets since at least 2008." continues WikiLeaks.

The tool was developed by CIA experts to infect "factory fresh" iPhones; it could be used, for example, to compromise mobile devices during shipment. The existence of the tool suggests that the Central Intelligence Agency has been targeting the iPhone supply chain since at least 2008.

"While CIA assets are sometimes used to infect systems in the custody of a target physically it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise," says WikiLeaks.

"DarkSeaSkies" is another implant detailed in the documents included in the Dark Matter repository; it is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter," "SeaPea" and "NightSkies," which are, respectively, EFI, kernel-space and user-space implants.

Vault 7 Episode 3 – the Marble framework

On April 1st, WikiLeaks released the third batch of the CIA Vault 7 archive, which shed light on the anti-forensics tools used by the Intelligence Agency.

This lot of documents was dubbed Marble and includes the source code files for an anti-forensic platform codenamed Marble Framework. The dump contains 676 source code files of the Marble Framework, which the CIA developed to make forensic analysis of its malicious code harder.

The code developed by CIA experts was able to evade detection by implementing various techniques; for example, it can detect whether it is running in a virtual machine sandbox.

The Marble platform makes attribution of attacks harder; the documents show how the CIA can conduct a cyber attack in a way that leads experts to attribute it to other countries, including Russia, China, North Korea and Iran.

"Today, March 31st, 2017, WikiLeaks releases Vault 7 'Marble' — 676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA." reads WikiLeaks.

"Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA."

The Marble Framework includes algorithms for inserting strings in various languages into the malware source code. In this way, cyber spies make attribution harder and obstruct the research conducted by forensics experts.

Using such techniques, malware authors try to trick victims into believing that the malware was developed by American/English virus writers (Vxers).

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi." continues WikiLeaks. "This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages."

The Marble dump also includes a deobfuscator to reverse the CIA's text obfuscation; using it, experts can identify patterns in attacks conducted by the CIA and attribute previous hacking attacks and malicious code to the Agency.

The Marble Framework does not contain any vulnerabilities or exploits. It was in use at the CIA during 2016; in 2015 the cyber spies were using version 1.0.

Vault 7 Episode 4 – the Grasshopper framework

On April 7th, WikiLeaks published a batch of 27 documents detailing a framework codenamed Grasshopper that was allegedly used by the CIA to create custom installers for Windows malware.

The framework allows operators to build a custom payload, run it and analyze the results of the execution.

The leaked documents make up a user guide, classified as "secret," that was available to the CIA's cyber spies.

"The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise," WikiLeaks said.

Figure 3 - Grasshopper framework user guide

The dropper described in the Grasshopper manual should be loaded and executed only in memory; the framework allows operators to create custom malware that can compromise the target system while bypassing the antivirus it is running. According to the documentation, each executable generated with the Grasshopper framework contains one or more installers.

"A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," reads the manual. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."

The framework offers operators various persistence mechanisms and lets them define a series of rules that must be met before an installation is launched. The rules allow attackers to target specific systems by specifying their technical details (e.g. 64-bit or 32-bit architecture, OS).

"An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation" continues the manual.

One of the persistence mechanisms reported in the user guide is called Stolen Goods. Here the CIA reused mechanisms implemented by malicious code that cyber criminals use in the wild.

For example, the CIA has modified some components of the popular Carberp rootkit.

"The persistence method and parts of the installer were taken and modified to fit our needs," reads a leaked document. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."

Another persistence mechanism leverages the Windows Update Service to execute the payload on every system boot or every 22 hours; this technique uses a series of DLLs specified in the registry.

Vault 7 Episode 5 - The Scribbles Project for document tracking

WikiLeaks disclosed the details of a CIA project codenamed Scribbles (a.k.a. the "Snowden Stopper"). Scribbles is software allegedly developed to embed 'web beacon' tags into confidential documents with the aim of tracking whistleblowers and foreign spies.

Such software allows the Agency to monitor access to sensitive and secret documents and to track the people who access them.

WikiLeaks leaked the Scribbles documentation, which also includes the source code of the latest released version of the software (v1.0 RC1), dated March 1, 2016. This date suggests Scribbles was in use by the CIA until at least last year.

Scribbles is "a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others."

The Scribbles software was written in the C# programming language and generates a different random watermark for each document.

"(S//OC/NF) Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a pre-seeded input directory. It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document." reads the Scribbles user guide.

Figure 4 - Scribbles Documentation

Every time a user accesses a watermarked document, it loads an embedded file in the background and creates an entry on the CIA's tracking server. The Intelligence Agency collects several pieces of information about the access, including the user who copied the file, the time stamp, and the user's IP address. In this way, it is possible to track document accesses and any abuse.

The leaked CIA user guide revealed that the Scribbles tracking software only works with Microsoft Office. According to the user manual, the tool was developed for off-line preprocessing of Microsoft Office documents; it cannot be used with other applications. If the watermarked documents are opened in other software, such as OpenOffice or LibreOffice, they may reveal the watermarks and URLs to the user.

According to the leaked documents, "the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]…documents that are not be locked forms, encrypted, or password-protected."

Another limitation of the software is that watermarks are loaded from a remote server, so the tool only works when the user accessing the marked documents is connected to the Internet.
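The two limitations above give defenders a concrete check: an Office document that phones home must carry a relationship to a remote URL somewhere in its package, and that relationship is visible to anything that reads the zip, not only to Word. The following scanner is an added example written for this post, not code from the leak or from Scribbles; it builds a minimal constructed .docx in memory (the beacon URL is a placeholder) and lists every relationship part entry whose target is an external http/https URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed sample parts (not from the leak): a minimal document body and a
# relationships part. The "beacon" variant points Word at a remote image that
# is fetched when the document is opened, which is how a web-beacon watermark
# reaches its tracking server.
MAIN_DOC = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
            'wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>')
RELS_CLEAN = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
              '2006/relationships"><Relationship Id="rId1" Type="http://schemas.'
              'openxmlformats.org/officeDocument/2006/relationships/styles" '
              'Target="styles.xml"/></Relationships>')
RELS_BEACON = RELS_CLEAN.replace(
    '</Relationships>',
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/image" TargetMode="External" '
    'Target="http://beacon.example.invalid/wm/3f9a2c.png"/></Relationships>')


def build_docx(rels_xml: str) -> bytes:
    """Assemble an in-memory .docx (an OOXML zip) with the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", MAIN_DOC)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_targets(docx_bytes: bytes) -> list:
    """Return (part, relationship id, target) for every relationship whose
    target is a remote http/https URL. Office resolves TargetMode="External"
    targets at open time, so each hit is a network request the document makes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A rels part that does not parse deserves a look too; flag it.
                hits.append((name, "<unparseable>", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and urlparse(target).scheme in ("http", "https")):
                    hits.append((name, rel.get("Id"), target))
    return hits


if __name__ == "__main__":
    for part, rel_id, target in find_external_targets(build_docx(RELS_BEACON)):
        print(f"{part}: {rel_id} -> {target}")
```

To scan a real file, pass `open(path, "rb").read()` to `find_external_targets`; a clean document yields an empty list.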

Vault 7 Episode 6 – the Archimedes MitM hacking tool

On May 5th, WikiLeaks released a batch of documents detailing a man-in-the-middle (MitM) attack tool dubbed Archimedes, allegedly used by the CIA to target local networks.

The leaked documents, dated between 2011 and 2014, provide details about a tool initially codenamed Fulcrum and later renamed Archimedes by the development team.

Figure 5 - Archimedes tool user guide

The CIA hacking tool allows operators to redirect LAN traffic from a targeted computer through a machine controlled by the attackers before it is routed to the gateway.

"Archimedes is an update to Fulcrum 0.6.1." reads the Archimedes Tool Documentation. "Archimedes is used to redirect LAN traffic from a target's computer through an attacker-controlled computer before it is passed to the gateway. This enables the tool to inject a forged webserver response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session. For more tool information, please refer to the original Fulcrum 0.6.1 documentation."

According to SANS instructor Jake Williams, who analyzed the leaked documents, the Archimedes tool seems to be a repackaged version of the popular MITM tool Ettercap.

The CIA's alleged targets could use the leaked information about the Archimedes tool to check whether US Intelligence had compromised their systems.

Potential victims can search for these hashes on their systems.

Figure 6 - Archimedes hashes

Archimedes introduced several improvements with respect to the Fulcrum tool, such as:

  • Support disabling the route verification check that occurs before exploitation.
  • Add support for a new HTTP injection method based on using a hidden IFRAME.
  • Modify the DLLs to support the Fire and Forget specification (version 2).
  • Provide a method of gracefully shutting down the tool on demand.
  • Remove the most alerting strings from the release binaries.

The tool itself is not sophisticated; it would be interesting to understand how CIA agents used it in targeted attacks.
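Hash checks only catch the binaries in Figure 6. The documentation quoted above describes the effect on the network (the target's LAN traffic is pulled through an attacker-controlled host before it reaches the gateway), and that effect is observable from the victim side. Assuming the redirection works by answering for the gateway's address on the local segment, as Ettercap-style tools do (the page does not state the mechanism), a workstation's ARP cache will show the gateway's hardware address changing, or one hardware address claiming several IPs. The following checker is an added example, not from the leak or the page; it parses two constructed `arp -a` style snapshots.

```python
import re
from collections import Counter

# Constructed sample: two snapshots of a workstation's ARP cache in the format
# printed by `arp -a` on Windows (not taken from the leaked documents).
SNAPSHOT_BEFORE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_AFTER = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

BROADCAST = "ff-ff-ff-ff-ff-ff"
# IPv4 address, hyphen-separated MAC, entry type; header and interface lines
# do not match because they do not start with an IPv4 address.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC (lower-cased) from `arp -a` style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_gateway_spoof(before: str, after: str, gateway_ip: str) -> list:
    """Return human-readable findings: the gateway's MAC changed between the
    two snapshots, and/or one MAC now answers for more than one IP (a host
    claiming both its own address and the gateway's)."""
    findings = []
    old, new = parse_arp_table(before), parse_arp_table(after)
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(f"gateway {gateway_ip} MAC changed "
                        f"{old[gateway_ip]} -> {new[gateway_ip]}")
    counts = Counter(new.values())
    for ip, mac in sorted(new.items()):
        if counts[mac] > 1 and mac != BROADCAST:
            findings.append(f"{mac} claims multiple IPs including {ip}")
    return findings


if __name__ == "__main__":
    for finding in detect_gateway_spoof(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "192.168.1.1"):
        print("ALERT:", finding)
```

A quiet network produces no findings when the same snapshot is compared with itself; a static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the corresponding mitigation.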



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.