WikiLeaks Vault 7 part VII: Watch out for Scribbles!

in #wikileaks • 8 years ago (edited)

Today's Vault 7 release, titled "Scribbles", contains some of the most sensitive CIA documents released to date. Scribbles is described by the CIA itself as a "batch processing tool for pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (foreign intelligence officers) actors." Note well the word "ACTORS".

Furthermore, this document-watermarking preprocessing system can be used to embed "Web beacon"-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others.

The released version of Scribbles (v1.0 RC1) is dated March 1, 2016 and classified SECRET//ORCON/NOFORN until 2066.

The leak itself and documents for Scribbles can be found on WikiLeaks.

Methods of operation

Scribbles is intended for off-line preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on [...] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and] documents that are not be locked forms, encrypted, or password-protected".

The limitation to Microsoft Office documents seems to create problems, however: "If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them."

More technical descriptions of Scribbles' operations can be found in the User Guide. For instance, here's an example of how XML can be used to configure Scribbles.


<Scribble_WatermarkParameters>
<URL_Scheme Value="http"/>
<HostServerNameList Value="watermarks.example.com"/>
<HostRootPathList Value="rootPath1,rootPath2"/>
<HostSubDirsList Value="subDir1,subDir2,subDir3"/>
<HostFileNameList Value="fakeFileName1,fakeFileName2,fakeFileName3"/>
<HostFileExtList Value=".jpg,.png,.gif"/>
<Input__Directory Value=".\InputDir"/>
<Output_Directory Value=".\OutputDir"/>
<Input__WatermarkLog Value="Z:\WORK\Scribbles\Scribbles\bin\Debug\WatermarkLog.tsv"/>
<Output_WatermarkLog Value="Z:\WORK\Scribbles\Scribbles\bin\Debug\WatermarkLog.tsv"/>
</Scribble_WatermarkParameters>

After configuration, several watermark image files are then created. For example, these are a few of the watermarks that would be generated using the parameters in the example above:


http://watermarks.example.com/rootPath1/subDir3/5zfjgj16esmab3rgqz2piejtkiluaxi/fakeFileName3.gif
http://watermarks.example.com/rootPath2/subDir2/ofq44w41g04m1n_vuh6g056ai1a5ecm/fakeFileName1.png
http://watermarks.example.com/rootPath1/subDir2/1e1m6dq4qz7xh1cht5eq2ylqyzpx58pwy/fakeFileName2.jpg
http://watermarks.example.com/rootPath2/subDir3/rae0dbepwt8fygws1h3idt_1-0oq4gz/fakeFileName2.png

After the watermarks are generated, Scribbles can then be executed to watermark all files specified. This leaves each target file with a new, web-beaconing enabled watermark that can be used to track and identify the given file should it ever be leaked.
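Seen from the receiving side, a document tagged this way can be checked before it is opened. The following is an added example, not code from this post or from the Scribbles documentation: it lists the remote targets referenced by an Office Open XML file and flags image URLs shaped like the samples above. It assumes the tag is stored as an external relationship (the post does not say how it is embedded) and uses a guessed token-length heuristic; legacy binary .doc files are not covered.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
# Assumed heuristic: one long opaque path segment, as in the sample URLs above.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{24,}$")

def external_targets(data):
    """Return (part, kind, url) for every external relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                # For untrusted files, prefer a hardened parser such as defusedxml.
                for rel in ET.fromstring(pkg.read(name)).iter(REL):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        found.append((name, kind, rel.get("Target", "")))
    return found

def looks_like_beacon(url):
    """True for a remote image URL whose path carries a long opaque token."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    return (parsed.scheme in ("http", "https") and bool(segments)
            and segments[-1].lower().endswith(IMAGE_EXTS)
            and any(TOKEN_RE.match(s) for s in segments[:-1]))

def scan(data):
    """External targets that match the beacon-shaped URL heuristic."""
    return [t for t in external_targets(data) if looks_like_beacon(t[2])]

def build_sample_docx(url):
    """Constructed input: a minimal package holding one linked remote image."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OD}image" Target="{url}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    sample = "http://watermarks.example.com/rootPath1/subDir3/5zfjgj16esmab3rgqz2piejtkiluaxi/fakeFileName3.gif"
    for part, kind, url in scan(build_sample_docx(sample)):
        print(f"{part}: external {kind} -> {url}")
```

Any external target is worth reviewing on its own; the token heuristic only ranks which ones to look at first.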

It would seem, then, that WikiLeaks has released one of the CIA's most sophisticated tools for preventing future leaks and whistleblowers from taking action. It's unknown if the CIA was able to target more than just Microsoft Office files, but that almost certainly was one of their objectives over time.

In addition, the functions outlined in Scribbles display yet another method the CIA can use to try to fake or stage "foreign" cyberattacks. For instance, if Scribbles were run on a completely innocuous set of files and those files were given to a foreign agent, the CIA could then go back and "prove" that the files had been "stolen" from the CIA. The applications for this tool are endless.


Important work! Reshared.

Thanks as always! Today's release was a pretty significant one! Unnerving and ironic to say the least.

This post has been ranked within the top 80 most undervalued posts in the second half of Apr 28. We estimate that this post is undervalued by $2.29 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Apr 28 - Part II. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.

well, you beat on this ^^
I was doing the general strike in Brazil first, then I wanted to do Wikileaks, and there you are one post earlier than my Brazil one.

I try to be on top of every release. Doesn't hurt to see if I missed anything!

Now they can really blame the Russians for hacking the election... just insert some "scribbles" and presto!!!

Obviously it didn't do too well at stopping leaks :P
