Vault 7: CIA Hacking Tools Revealed

Contents

Press Release
Analysis
Examples
Frequently Asked Questions

Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence (files/orgchart.png) in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election (https://wikileaks.org/ciafranceelections2012).

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force: its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (files/orgchart.png) (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor, stated that "There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

WikiLeaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.

WikiLeaks has also decided to redact and anonymise some identifying information in "Year Zero" for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Analysis

CIA malware targets iPhone, Android, smart TVs

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart (files/orgchart.png) of the CIA for more details).

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations worldwide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB) (cms/space_753667.html), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs (cms/page_12353643.html) was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks (cms/page_13763790.html). The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones (cms/space_3276804.html). Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone.

Despite iPhone's minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads (cms/space_2359301.html). CIA's arsenal includes numerous local and remote "zero days" (cms/page_13205587.html) developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

A similar unit targets Google's Android which is used to run the majority of the world's smart phones (~85%) including Samsung, HTC and Sony (cms/space_11763721.html). 1.15 billion Android powered phones were sold last year. "Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" (cms/page_11629096.html) which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

CIA malware targets Windows, OS X, Linux, routers

The CIA also runs a very substantial effort to infect and control Microsoft Windows users (cms/page_11628612.html) with its malware. This includes multiple local and remote weaponized "zero days", air-gap jumping viruses such as "Hammer Drill" (cms/page_17072172.html) which infects software distributed on CD/DVDs, infectors for removable media such as USBs (cms/page_13762636.html), systems to hide data in images (cms/page_13763247.html) or in covert disk areas ("Brutal Kangaroo" (cms/page_13763236.html)) and to keep its malware infestations going (cms/page_13763650.html).

Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) (cms/space_3276805.html), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".

Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB) (cms/space_15204355.html).

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below.

CIA 'hoarded' vulnerabilities ("zero days")

In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis, rather than hoard, serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others.

The U.S. government's commitment to the Vulnerabilities Equities Process (https://is.gd/vepvep) came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA, but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.

'Cyberwar' programs are a serious proliferation risk

Cyber 'weapons' are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber 'weapons', once developed, are very hard to retain.

Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces, sometimes by using the very same 'weapons' against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such 'weapons'. Similarly, contractors and companies who obtain such 'weapons' sometimes use them for their own purposes, obtaining advantage over their competitors in selling 'hacking' services.

Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.

A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.

Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.

U.S. Consulate in Frankfurt is a covert CIA hacker base

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ("Center for Cyber Intelligence Europe" (cms/page_20251151.html) or CCIE) are given diplomatic ("black") passports and State Department cover. The instructions for incoming CIA hackers (cms/page_26607630.html) make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport"

    Your Cover Story (for this trip)
    Q: Why are you here?
    A: Supporting technical consultations at the Consulate.

Two earlier WikiLeaks publications give further detail on CIA approaches to customs (/ciatravel/) and secondary screening procedures (/ciatravel/).

Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area including France, Italy and Switzerland.

A number of the CIA's electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high-security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining (cms/page_20251107.html) provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.

How the CIA dramatically increased proliferation risks

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market-valuable part of "Vault 7", the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems, the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily cross over to the 'battlefield' of cyber 'war'.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator's intent.

Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires" as if a weapon was being fired. However the analogy is questionable.

Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect a target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet-connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.

A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization's leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory including observation, infiltration, occupation and exploitation.

Evading forensics and anti-virus

A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies attribute and defend against attacks.

"Tradecraft DO's and DON'Ts" (cms/page_14587109.html) contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review". Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf) (pdf), describing targets & exfiltrated data (cms/files/CodexSpecv1SECRET.pdf) (pdf) as well as executing payloads (cms/files/ICESpecv3finalSECRET.pdf) (pdf) and persisting (cms/files/PersistedDLLSpecv2SECRET.pdf) (pdf) in the target's machines over time.

CIA hackers developed successful attacks against most well-known anti-virus programs. These are documented in AV defeats (cms/page_2064514.html), Personal Security Products (cms/page_13762910.html), Detecting and defeating PSPs (cms/page_7995642.html) and PSP/Debugger/RE Avoidance (cms/page_2621845.html). For example, Comodo was defeated by CIA malware placing itself in the Windows "Recycle Bin" (cms/page_5341269.html), while Comodo 6.x has a "Gaping Hole of DOOM" (cms/page_5341272.html).

CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure (cms/page_14588809.html).

Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration.

Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

Some example projects are described below, but see the table of contents (cms/index.html) for the full list of projects described by WikiLeaks' "Year Zero".

UMBRAGE
The CIA's hand-crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA's Remote Devices Branch (cms/space_753668.html)'s UMBRAGE group (cms/page_2621751.html) collects and maintains a substantial library (cms/page_2621753.html) of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Fine Dining

Fine Dining comes with a standardized questionnaire, i.e. menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch (cms/space_1736706.html)) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are 'Asset', 'Liaison Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types. The 'menu' also asks for information on whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.

Improvise (JQJIMPROVISE)

'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities like Margarita allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.

HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious-looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby project.

See the classified user (cms/files/UsersGuide.pdf) and developer (cms/files/DevelopersGuide.pdf) guides for HIVE.
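From a defender's side, the two properties of the HIVE front end described above (an implant authenticates with a client certificate to an otherwise innocuous-looking cover domain, and checks in repeatedly) are what a network monitor can look for. The following is an added example, not code from the leak or from WikiLeaks: it scans a constructed four-field TLS session log (timestamp, source host, SNI, client-certificate issuer or "-") and flags hosts that present a client certificate from an issuer the organisation does not use, rating the finding higher when the sessions recur on a regular cadence. All host names, domains and issuer names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Issuers whose client certificates the organisation legitimately deploys
# (constructed placeholder, not a real CA).
KNOWN_MTLS_ISSUERS = {"CN=Example Corp Device CA"}


@dataclass
class TlsSession:
    ts: datetime
    src: str
    sni: str
    client_cert_issuer: str  # "" when no client certificate was presented


def parse_line(line: str) -> TlsSession:
    """Parse one constructed log line:
    <ISO timestamp> <source host> <SNI> <client cert issuer or '-'>"""
    ts, src, sni, issuer = line.split(maxsplit=3)
    return TlsSession(datetime.fromisoformat(ts), src, sni,
                      "" if issuer == "-" else issuer)


def is_periodic(times: List[datetime], max_cv: float = 0.2) -> bool:
    """True when at least three sessions occur at near-constant intervals
    (coefficient of variation of the gaps below max_cv), i.e. beaconing."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < max_cv


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (src, sni, severity, reason) for each host/SNI pair where the
    host presented a client certificate from an unknown issuer. Sessions
    without a client certificate (the accidental visitor who only sees the
    cover site) are never flagged, matching the routing described above."""
    by_pair: Dict[Tuple[str, str], List[TlsSession]] = {}
    for line in lines:
        if not line.strip():
            continue
        s = parse_line(line)
        by_pair.setdefault((s.src, s.sni), []).append(s)
    findings = []
    for (src, sni), sessions in sorted(by_pair.items()):
        sessions.sort(key=lambda s: s.ts)
        unknown = sorted({s.client_cert_issuer for s in sessions
                          if s.client_cert_issuer} - KNOWN_MTLS_ISSUERS)
        if not unknown:
            continue
        reason = "client cert from unknown issuer " + ", ".join(unknown)
        severity = "medium"
        if is_periodic([s.ts for s in sessions]):
            reason += "; periodic cadence"
            severity = "high"
        findings.append((src, sni, severity, reason))
    return findings


# Constructed sample log: ws-017 uses a corporate mTLS service, ws-042 checks
# in hourly with a foreign client certificate, ws-099 just browsed the site.
SAMPLE_LOG = """\
2017-03-01T10:00:00 ws-017 updates.example-cdn.test -
2017-03-01T10:00:05 ws-017 mail.example-corp.test CN=Example Corp Device CA
2017-03-01T10:00:00 ws-042 news-widget.example.test CN=Cover Widget CA
2017-03-01T11:00:00 ws-042 news-widget.example.test CN=Cover Widget CA
2017-03-01T12:00:01 ws-042 news-widget.example.test CN=Cover Widget CA
2017-03-01T13:00:00 ws-042 news-widget.example.test CN=Cover Widget CA
2017-03-01T09:30:00 ws-099 news-widget.example.test -
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only ws-042 is reported; the same host/SNI pair visited without a client certificate produces nothing, which is exactly the cover-site behaviour the infrastructure relies on.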

Frequently Asked Questions

Why now?

WikiLeaks published as soon as its verification and analysis were ready.

In February the Trump administration issued an Executive Order calling for a "Cyberwar" review to be prepared within 30 days.

While the review increases the timeliness and relevance of the publication it did not play a role in setting the publication date.

Redactions

Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete.

1. Over-redaction: Some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency.
2. Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used, a single person may be represented by more than one assigned identifier, but no identifier refers to more than one real person.
3. Archive attachments (zip, tar.gz, ...) are replaced with a PDF listing all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted.
4. Attachments with other binary content are replaced by a hex dump of the content to prevent accidental invocation of binaries that may have been infected with weaponized CIA malware. As the content is assessed it may be made available; until then the content is redacted.
5. The tens of thousands of routable IP address references (including more than 22 thousand within the United States) that correspond to possible targets, CIA covert listening post servers, intermediary and test systems, are redacted for further exclusive investigation.
6. Binary files of non-public origin are only available as dumps to prevent accidental invocation of CIA malware infected binaries.

Organizational Chart

The organizational chart (files/orgchart.png) corresponds to the material published by WikiLeaks so far.

Since the organizational structure of the CIA below the level of Directorates is not public, the placement of the EDG and its branches within the org chart of the agency is reconstructed from information contained in the documents released so far. It is intended to be used as a rough outline of the internal organization; please be aware that the reconstructed org chart is incomplete and that internal reorganizations occur frequently.

Wiki pages

"Year Zero" contains 7818 web pages with 943 attachments from the internal development groupware. The software used for this purpose is called Confluence, a proprietary software from Atlassian. Web pages in this system (like in Wikipedia) have a version history that can provide interesting insights on how a document evolved over time; the 7818 documents include these page histories for 1136 latest versions.

The order of named pages within each level is determined by date (oldest first). Page content is not present if it was originally dynamically created by the Confluence software (as indicated on the reconstructed page).

What time period is covered?

The years 2013 to 2016. The sort order of the pages within each level is determined by date (oldest first).

WikiLeaks has obtained the CIA's creation/last modification date for each page but these do not yet appear for technical reasons. Usually the date can be discerned or approximated from the content and the page order. If it is critical to know the exact time/date contact WikiLeaks.

What is "Vault 7"?

"Vault 7" is a substantial collection of material about CIA activities obtained by WikiLeaks.

When was each part of "Vault 7" obtained?

Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication.

Is each part of "Vault 7" from a different source?

Details on the other parts will be available at the time of publication.

What is the total size of "Vault 7"?

The series is the largest intelligence publication in history.

How did WikiLeaks obtain each part of "Vault 7"?

Sources trust WikiLeaks to not reveal information that might help identify them.

Isn't WikiLeaks worried that the CIA will act against its staff to stop the series?

No. That would be certainly counter-productive.

Has WikiLeaks already 'mined' all the best stories?

No. WikiLeaks has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series. They're there. Look. Those who demonstrate journalistic excellence may be considered for early access to future parts.

Won't other journalists find all the best stories before me?

Unlikely. There are very considerably more stories than there are journalists or academics who are in a position to write them.
