Gotta Hack 'em All: Cracking Vault 7's Pokemon codes

in #wikileaks, 7 years ago

The CIA is blasting off again!

The releases of Vault 7 give us an interesting insight into the suppliers of surveillance malware programs. The supplier names, however, are coded so as not to reveal the original source. Needless to say, enough information exists to draw some pretty solid conclusions about who these enigmatic "partners" might actually be.

Above image is of Team Rocket from the Pokemon series (or in this case, the CIA)

Two suppliers we will focus on today are "Anglerfish" and "Peppermint". Anglerfish was responsible for creating numerous Android-specific hacking tools. In an apparent theme, almost all of the tools relating to remote access of phones, particularly Samsung devices, were named after Pokemon, as were two tools for obtaining the phone owner's private information. Examples include:

  • Dugtrio
  • FLAAFY
  • Snubull
  • Spearrow
  • Starmie
  • Steelix
  • Totodile

While seemingly nondescript as a reference, this is not the only instance where we can find Pokemon-themed, mobile-specific hacking tools being developed and distributed. In 2015 WikiLeaks released an email revealing that the Italian surveillance malware vendor Hacking Team was working with a program called "Bulbasaur" in 2008.(1)

With a hunch, I decided to look more into Hacking Team. Deep in WikiLeaks' Italian-language files I was able to find an actual reference to Hacking Team conducting a trial for "cliente CIA" in 2011. The "trial" was a request from the CIA for a tool to perform RMI injection, a Java-based exploit often used for remotely accessing mobile devices.(2)(3)

While originally based in Milan, Italy, Hacking Team established offices in Washington D.C. and Annapolis, Maryland sometime in 2015.(4)

In 2015, as it turns out, Hacking Team's files were hacked themselves and released on WikiLeaks, exposing numerous Hacking Team operations. By this time it was widely reported that Hacking Team was deeply involved in developing Android-specific hacking tools.(5)

In response to the WikiLeaks releases on Hacking Team and the complete blowing of their cover, the Italian government revoked Hacking Team's license to sell software in April of 2016.(6) Little is known of their current operations, but in that same month in 2016 Hacking Team's CEO, David Vincenzetti, expressed strong concern for U.S. national security and the dangers of WikiLeaks and whistleblowers like Edward Snowden.(7)

Another Steemian, @fortified, noticed that in the Vault 7 leaks the CIA's RDB UMBRAGE group reported extensively on Hacking Team's 2015 leaks. This was an intriguing find as UMBRAGE is involved in collecting attack techniques from foreign states and malware companies.(8)

I'm beginning to believe Hacking Team is actually a CIA asset and is likely the "partner" listed as "Anglerfish" in Vault 7 documents. I draw this conclusion not just from these references alone either. More Vault 7 documents suggest perhaps there is a more direct connection between Hacking Team and the CIA.

The "EDG", a Germany-based subgroup of the CIA's CCI Europe Engineering, has a document which credits the CIA as the creators of the Pokemon-themed, Android attack program "Dugtrio" in 2013.(9) In this document, partner "Anglerfish" is mentioned separately as the creators of (the still Pokemon-themed) Spearrow and Starmie later in 2014.

In 2015 Dugtrio, Starmie and Spearrow would all become components of another CIA hacking tool, AngerManagement.(10) This is just one example of some sort of collaboration between Anglerfish and the CIA.

The timing, package names and overall objectives of Anglerfish seem to indicate a strong connection to a still-existing Hacking Team and the CIA. While considered one of the world's most dangerous cyberarms dealers, little is known about them and even less is done to try to stop their proliferation of dangerous and intrusive spyware. It is my assertion that after being kicked out of their home country in 2016, Hacking Team simply resumed operations as a subsidiary of the CIA.

I want to leave you with one final piece of the Pokemon puzzle that may hint at more yet to be uncovered.

Lugia, one of the mythic birds of the Pokemon series, is also a Vault 7 program which targets newer Mobile Station Modem (MSM) mobile phones.(11) MSM devices include popularly used Qualcomm MSM chipsets found in high-end 4G LTE-enabled phones with newer ARM or Krait processors.(12)

Lugia and its sister-program LugiaLight were given to the CIA by a group codenamed "Peppermint".(13) In a document used by the CIA's EDG Mobile group, however, LugiaLight is attributed more specifically to the NSA.(14)

To me this strongly suggests the NSA also colluded with cyberweapons manufacturer Hacking Team to produce Android-specific spyware.

There is still a lot more mystery to be solved in the depths of Vault 7. It remains evident, however, that the CIA was involved in the buying and selling of dangerous spyware programs with equally dangerous organizations.

Many do not understand the implications of this, but in this day and age well-written, stealthy surveillance software is far more profitable than guns, planes and missiles. It seems that the CIA has found this out and is now establishing a dangerous international black market of invisible digital weapons alongside other organizations involved in human rights abuses and mass surveillance.

Welcome to dystopia!


This post has been ranked within the top 80 most undervalued posts in the first half of Mar 25. We estimate that this post is undervalued by $3.00 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Mar 25 - Part I. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.
