Vault 7: Digital Forensics
Understanding The "Vault 7" Release From a Forensic Perspective
Hello, I am digicrypt and thank you for checking out this post. My blog covers a variety of Info-Sec related topics. Recently I have been doing a series on Cryptology, however I will also be doing a series on Digital Forensics in the near future. I wanted to share this post to help people understand some of the less obvious implications of the "Vault 7" release from a forensic perspective.
People often use the label "Computer Forensics" when referring to the field of digital forensics. Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases. I prefer the term Digital Forensics, which I believe is a more accurate description of the field. Within digital forensics there are a variety of specialties including "dead box forensics", network forensics and malware analysis for example.
Once a crime has been committed it is up to the forensic investigator to obtain, analyze and prepare evidence. I will save the complexities of the field for a later article and will just focus on "Vault 7".
Most of the attention surrounding "Vault 7" has been about the extent of surveillance and volume of "zero day exploits".
From a digital forensics standpoint I am more interested in the revelations about how the agency intended to confuse forensic investigators and misplace attribution.
"Tradecraft DO's and DON'Ts" contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review"
"CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure."
The "Tradecraft DO's and DON'Ts" outlined steps to be taken in order to avoid detection and attribution to the CIA. Some of these techniques included the following examples...
"DO NOT leave dates/times such as compile timestamps, linker timestamps, build times, access times, etc. that correlate to general US core working hours (i.e. 8am-6pm Eastern time)"
"DO NOT have data that contains CIA and USG cover terms, compartments, operation code names or other CIA and USG specific terminology in the binary. "
"DO strip all debug symbol information, manifests(MSVC artifact), build paths, developer usernames from the final build of a binary."
The "Tradecraft DO's and DON'Ts" act as a guideline/ checklist for CIA operatives to follow when carrying out an operation.
(Important) Not only did the CIA try and hide the origin of the tools but they actively tried to pass the blame.
"The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity."
"This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution."
The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a library of attack techniques 'stolen' from malware produced in other states to be used to misdirect attribution.
"With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from."
"UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques."
So What Does This All Mean?
Much of this information about trade craft is not shocking. In fact it is not only logical but expected that the CIA would attempt to obfuscate their involvement in an operation.
What is important is the fact that their methodology, tactics, tools and exploits have been exposed.
This effectively neuters much of the power they have.
Not only are they limited in future operations but past operations could be in jeopardy.
This is the point I think is being missed and that I really want people to understand.
Past attacks and intrusions will be examined by forensic investigators with "Vault 7" as a template.
There will be retroactive attribution.
And it appears it has already started...
A recent tweet from Wikileaks references an excerpt from a Reuters article
"One anti-virus researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak,"
I need a keyloger. Have somebody a tip for me.
upvoted + following, nice post.
Thank you! Much appreciated!
It makes you wonder about the accuracy of the attribution of the attacks against the DNC e-mail servers. I mean if you didn't already.
Do you think the software companies they have been compromised by the CIA will be in a position to sue?
I don't know but I would be surprised if they did. No company, especially software based wants to advertise the fact there product was broken into. That being said, I would expect to see some consumer driven pressure as well as prosecution in the court of public opinion, a rebuke of the agency/spying and a renewed interest in internet freedom for an example. I would also keep an eye on what happens in Germany in regards to the revelations about the consulate in Frankfurt.
Yes. I hope Germany make more noise about it that than the French did 2 weeks ago.
I hope the tech companies make more of it. Security features on tech is a selling point.
Microsoft are advocates for a digital Geneva convention.
VLC and McAfee hove both been vocal. A few others as well.
My main issue with what these leaks show is how the CIA have weakened the security of the internet for everyone by not disclosing zero days etc then releasing them into the wild. As its been said once you release an exploit and it has reached its target it doesn't then die or explode.
Wikileaks just exposed the CIAs entire cyber divisions arsenal of cyber weapons in 1% of the leaks so if that's anything to go by the rest of the 99% is going to be explosive.
Yes, I believe many people share your concern in regards to the zero day issue. Lots of work to be done to patch the holes. Keep your AV up to date. Thanks for reading!