WIKILEAKS WEEK DAY 2 | Vault 7
To continue our celebration of 10 years of Wikileaks we will be taking a closer look at part 1 of their most recent leaks code-named Vault 7. Vault 7 is a collection of documents and files leaked from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia, and is the largest ever publication of confidential documents from the CIA. The build up to the publication of Vault 7 was an interesting one, and one that was completely different from their usual publications.
It all started on February 4th 2017 with a cryptic message tweeted from Wikileaks main Twitter account. All it said was What is Vault 7? with a picture of a strange looking building set into the side of a snowy mountain. These cryptic tweets continued over the following 5 days with Where, When, Who, Why and finally How did Vault7 make its way to WikiLeaks?
The first part of Vault 7, called zero day, was finally released on March 7th 2017 and contained 8,761 documents and files exposing the CIA's hacking arsenal of malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems. Wikileaks press release at the time states:
Vault 7: CIA Hacking Tools Revealed | Wikileaks -03/07/2017
Press Release
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
Below is the organization chart mapped out from the documentation and put together by Wikileaks outlining the structure of the CIAs cyber division.
In their press release Wikileaks finally goes on to reassure the public that the Zero Day documents do not include the actual code to the various exploits and malware, thus cannot be used by criminals or other state actors for nefarious activities.
Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published.
Julian Assange Press Conference On The CIA Vault 7 Release | March 9th, 2017
To date there has been 21 different publication from the Vault 7 Zero Day leaks. All of them outlining the various tools and methods used by the CIA to perform covert hacking and surveillance. So far the leaks only described how these tools work and have yet to explain exactly who these tools have been used on and for what purpose, but we can assume they were used on government and private citizens alike. Below is a run down of all the publications:
Dark Matter - 03/27/2017
contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Marble Framework - 03/31/2017
676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.
Grasshopper - 04/07/2017
27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.
Hive - 04/14/2017
HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.
Weeping Angel - 04/21/2017
User Guide for CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.
Scribbles - 04/28/2017
documentation and source code for CIA's "Scribbles" project, a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March, 1st 2016 and classified SECRET//ORCON/NOFORN until 2066.
Archimedes - 05/05/2017
a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target's computers web browser to an exploitation server while appearing as a normal browsing session.
AfterMidnight - 05/12/2017
"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via a HTTPS based Listening Post (LP) system called "Octopus".
Athena - 05/19/2017
"Athena" - like the related "Hera" system - provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10). Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system.
Pandemic - 06/01/2017
a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. "Pandemic" targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.
Cherry Blossom - 06/152017
Project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International). CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.
Brutal Kangaroo - 06/22/2017
a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.
Elsa - 06/28/2017
A geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device.
OutlawCountry - 06/29/2017
Allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator.
BothanSpy - 07/06/2017
an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used.
Highrise - 07/13/2017
An Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP.
UCL / Raytheon - 07/19/2017
documents from the CIA contractor Raytheon Blackbird Technologies for the "UMBRAGE Component Library" (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors - partly based on public documents from security researchers and private enterprises in the computer security field.
Imperial - 07/27/2017
A selections of 3 tools.
Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution.
Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS).
SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes.
Dumbo - 08/03/2017
capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.
CouchPotato - 08/10/2017
a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.
So there we have it. All of the CIA's hacking tools and exploits so far. It's really is incredible the amount of tools and code they have built up over the years. The amount of man power invested into this must be immense, all paid for by the US tax payer. The CIA would argue that these tools are used strictly to monitor criminals and terrorists for the sake of national security. But as we saw in the initial Vault 7 pre-release in February the CIA used human and electronic spies to spy on the French 2012 presidential election.
In tomorrows edition of Wikileaks Week we will be taking a look back over the last 12 months of Wikileaks, and particularly their editor Julian Assange, and will be exploring some of the highlights, struggles, and attacks from the media and governments that they've had to endure over the last year.
Previous Wikileaks Week Posts:
WIKILEAKS WEEK DAY 1 | The Leaks
Vault 7, it mind blowing haha.
The way they can spy in the public these days goes way to far in my book.
12 years ago i already told people that it was easy to ping the location of their phones.
Impossible they said.... and continued to do stupid shit i would have no part in!
Locked up they were pretty soon after.
It certainly is. The cyber weapons described in this post is still only part one of Vault7. Lots more to come.
Thanks
@fortified
Another great piece! Reshared @phibetaiota
Respect as ever.
I've just posted Day 3 if you're interested.
Thanks
@fortified
Lets celebrate 10 years of not taking even 10 minutes to investigate the background of Assange or Wikileaks shall we. Mainstream whistleblowers are not whistleblowers they are controlled opposition. Real whistleblowers die with no mainstream coverage. Spend 10 minutes researching Assanges childhood, something he never talks about. Look into how Wikileaks is funded or the billionaire patrons who support him. Ask yourself why Assange never exposes 911 and actually backs the official story and why he and Snowden have Hollywood movies made about them. You really believe that an all powerful control group would never be clever enough to control the 'leaks' and control alternative narratives?
lol.
Im fully aware of these baseless claims thank you very much.
Thank you for your input.
Don't forget to Follow, Upvote and Resteem. @fortified
Interesting feedback.
I always felt a little weird looking at the videos they post with Julian. they look fishy to me!
He has clearly been coached in public relations he's far too polished for me to buy him as a geeky former hacker. People in the alternative research community are being fooled by a controlled dialectic, Wikileaks, Infowars, Rebel Media , Stefan Molyneaux even the 911 truth movement are all in place to control the narrative away from truth not towards truth. Their arguments are convincing to those of us dissatisfied with society of course, thats the point, but they are in place to lead the narrative away from real truth. Watch these breakdowns of Wikileaks and i guarantee you will be seriously suspicious about Mr Assange.
lol. I knew you'd reply with a You Tube video to back your your baseless claims. You need to take your tinfoil wrapped head out of your ass and do some of your own research yourself rather than believing any old sensational clickbait You Tube bullshit.
Richard Hall is a personal friend of mine moron , he's probably the most famous alternative researcher in the UK and provides evidence for all his accusations, whereas you simply get all your info from mainstream or from alternative mainstream , idiots like you will never know truth because your ego is too big. When Assange took up shelter in Norwich, with whom did he stay? You'll know this as your so well informed?
By the way , if you never use youtube where do you get your information from? Come on lets hear where such a well informed individual gets their information? Every real alternative researcher knows Wikileaks is run by the intelligence services. In about 10 years you may actually catch up with the rest of the community.
followed you and upvoted. follow me back :)
Ok followed, i appreciate that you can have your opinion challenged and not respond with anger but with humility, credit to you 🙏🏻
@fortified got you a $1.67 @minnowbooster upgoat, nice! (Image: pixabay.com)
Want a boost? Click here to read more!
This post has received a 40.00 % upvote from @lovejuice thanks to: @fortified. They have officially sprayed their dank amps all over your post rewards. GOOD TIMES! Vote for Aggroed!