WikiLeaks Publishes CIA Hacking Tool Designed To "Impersonate" Russia's Kaspersky Lab

Tyler Durden's picture

On September 18th, the US Senate voted to ban the use of products from the Moscow-based cyber security firm Kaspersky Lab by the federal government, citing national security risk. The vote was included as an amendment to an annual defense policy spending bill approved by the Senate on the same day and was written to bar the use of Kaspersky Lab software in government civilian and military agencies.

Alas, according to a new revelation from WikiLeaks this morning, any perceived "national security risk" from Kaspersky could have resulted from the fact that the CIA specifically designed hacking software, code-named 'Hive', which intentionally "impersonated" the Russian cyber security firm so that "if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated."

Here's a summary of the hacking tool posted by WikiLeaks:

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.


Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.


The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.


Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Of course, Kaspersky Lab has been producing anti-virus software for 20 years and boasts 400 million customers around the world. Suspected of being involved in cyber espionage, the company's management has maintained that it has been "caught in the middle of a geopolitical fight" and is being "treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts"...

...this new WikiLeaks revelation would seemingly lend some credence to Kaspersky's conclusion.
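As an added illustration (not code from WikiLeaks, the Hive release or ZeroHedge), here is a small detection pass over constructed TLS session records, modelled loosely on the fields a Zeek-style ssl log would carry, that flags the pattern the summary above describes: an external HTTPS server that serves anonymous visitors but also accepts client certificates which fail chain validation and borrow a public CA's name. The record layout, addresses, CA list and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List

@dataclass
class TlsRecord:
    src: str                            # internal client address
    dst: str                            # external server address
    client_cert_subject: Optional[str]  # None when no client certificate was offered
    client_cert_issuer: Optional[str]
    chain_validates: bool               # did the client cert chain to a trusted root?

# Public CA names an impersonated issuer is likely to borrow (constructed, partial list).
PUBLIC_CA_NAMES = ("thawte", "digicert", "verisign", "globalsign")

# Constructed sample records (hypothetical addresses). Ordinary browsing offers no client
# cert; two sessions from one host offer a cert naming a real vendor and a real CA, but
# the chain does not validate, which is what an impersonated certificate looks like.
SAMPLE = [
    TlsRecord("10.0.0.7", "203.0.113.10", None, None, True),
    TlsRecord("10.0.0.9", "203.0.113.10", None, None, True),
    TlsRecord("10.0.0.5", "203.0.113.10",
              "O=Kaspersky Laboratory, L=Moscow", "CN=Thawte Premium Server CA", False),
    TlsRecord("10.0.0.5", "203.0.113.10",
              "O=Kaspersky Laboratory, L=Moscow", "CN=Thawte Premium Server CA", False),
    # Legitimate mutual TLS to an internal service: the cert chains to the corporate CA.
    TlsRecord("10.0.0.5", "10.0.1.20", "CN=laptop-05", "CN=Corp Issuing CA", True),
]

def cert_reasons(rec: TlsRecord) -> List[str]:
    """Why one session's client certificate looks wrong (empty list means nothing odd)."""
    reasons: List[str] = []
    if rec.client_cert_subject is None:
        return reasons
    if not rec.chain_validates:
        reasons.append("client cert does not chain to a trusted root")
        issuer = (rec.client_cert_issuer or "").lower()
        if any(ca in issuer for ca in PUBLIC_CA_NAMES):
            reasons.append("issuer borrows a public CA name but is not that CA")
    return reasons

def hunt(records: List[TlsRecord], internal_prefix: str = "10.") -> Dict[str, dict]:
    """Per external server: count anonymous vs client-cert sessions and collect the cert
    problems. A server serving both, with invalid client certs, is the cover-domain pattern."""
    out: Dict[str, dict] = {}
    for rec in records:
        if rec.dst.startswith(internal_prefix):
            continue  # mutual TLS to internal services is expected; skip it
        s = out.setdefault(rec.dst, {"anon": 0, "with_cert": 0, "reasons": set(), "sources": set()})
        if rec.client_cert_subject is None:
            s["anon"] += 1
        else:
            s["with_cert"] += 1
            s["sources"].add(rec.src)
            s["reasons"].update(cert_reasons(rec))
    return {d: s for d, s in out.items() if s["with_cert"] and s["reasons"]}
```

The `sources` set names the internal hosts that presented the bad certificate, which is where an investigation would start.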

Thordoom's picture

So Kaspersky Lab should sue US government ?

chunga's picture

US citizens are the ones that should sue the US gov. Every single one of these frauds in DC, including the "fake news" bashing dotard, continues to ignore Julian Assange and his offer of proving this Russia thing is stupid.

And now every single one of them is ignoring Brazile's references to Seth Rich and election rigging hidden deep inside her FUCKING BEST SELLING BOOK!

Dilly Fucking Dilly!

SoDamnMad's picture

Slightly off key.  I saw pictures of both McCain and Hillary with ankle boots, the kind the doc puts on if you break something in your foot or ankle. Could these be to hide monitoring ankle bracelets because of indictments?

FoggyWorld's picture


Did you read the book?  Donna devotes the last third of it to supporting the Russia, Russia, Russia HACK.

Seth Rich is mentioned only in passing as well as one of many in her book dedication.  It seems she really didn't even know him.

And the Awan brothers are completely missing from her What Happened Ver. 2.0   And Julian works for those Russians.

LawsofPhysics's picture

Was thinking the same thing, just more proof that the U.S.S.A. doesn't respect international intellectual property laws any more than China.

I am shocked, just shocked, I tell you.

Laughing.Man's picture

All nations do this.  It's just the US was the first to do this and screams the loudest, now that others have achieved similar capabilities.

Killdo's picture

I am trying to share this webpage on Facebook but it's showing as Access Denied

Mike Masr's picture

Of course it does. Can't share what the deep state doesn't want people to hear.

Yesterday's excellent ZH story: HuffPo Yanks Article On Russiagate Hysteria By Award Winning Journalist Joe Lauria – So Here It Is

This was also Access Denied on FB.


waspwench's picture

Folks are concerned about security on Kaspersky but they use Facebook!   Google and Facebook are the premier spy agencies used by the US govt. to spy on American citizens.

BTW we had endless problems using other computer security outfits.  We switched to Kaspersky and it has been trouble free and very efficient.


Volkodav's picture

KIS is elegant

Evgene is good guy

Mike Masr's picture

Now they have evidence to present in court and a right to.

TAALR Swift's picture

Just think of the fun the Kaspersky lawyers could have during Discovery.

Yog Soggoth's picture

Only those parties responsible.

replaceme's picture

Wow, just wow.  I was trying to explain why I would still use Kaspersky to a coworker that was sure they were a KGB front. Talk about caught in the middle, wow again.

saldulilem's picture

So the CIA are the bad guys? Naaaaaah ...

DaBard51's picture

Whom do you trust, against hackers, to defend yourself? 

Russians?  Hungarians?  Chinese?  Koreans?  Pakistani?  Hmmmm....

Choose wisely, young padawan.


When nine hundred years old you become, look this good you will not.

Kayman's picture

"The pen is mightier than the sword."  is mine, all mine, Bard you thieving bastard.

Ed Lytton.


Automatic Choke's picture

trust nothing.  do backups to offline drives.  keep two systems, and don't net connect one if you need security - browse and email on the other, file xfer between systems by dongle or cd only.

Creative_Destruct's picture

"trust nothing.do backups to offline drives"

A good mantra for the hacking age.

Joe A's picture

Create a network with several firewalls, a DMZ and a honeypot to lure and catch hackers.

land_of_the_few's picture

The best programmers are generally Nordic/Slavic or SouthEast Asian. Does that help? :D

https://en.wikipedia.org/wiki/ACM_International_Collegiate_Programming_C...

Volkodav's picture

Top Coder rankings:

https://www.topcoder.com/tc?module=AlgoRank

18 of top 50 Russian schooled

plus few Ukraines, educated same systems, now changing for worse since coup

recent results come more China, Japan, Taiwan

GeoffreyT's picture

Not saying that the kids in those games aren't half-decent, but being in that competition has far more to do with the need of students from those countries to get their names on the board (plus significant funding from their respective governments so that the entire country is thought of as 'tech competent').

Look at the list, and notice that a bunch of top-1% colleges are not represented: you will not ever convince me that MIT, CalTech or Stanford couldn't put together a team that would thrash any of the top 10 in that table. (To think people accuse me of anti-Americanism!)

Y'know why elite Western institutions don't bother fielding a team? Because having a CompSci degree from those institutions is enough by itself.

The West lost interest in that competition before 2000: that's when Stanford, MIT, Cal Berkeley, CalTech, Melbourne University and the like took it seriously.

Nowadays if you're an elite CompSci student in the West, you have better things to do with your time than play games like that: by the time you've got 3 full years under your belt, you're already in the workforce (or madly trying to pitch your deck to VCs).

waspwench's picture

You can not trust anyone.  

BarnacleBill's picture

Nothing - NOTHING - should surprise us any more!

Neochrome's picture

If you think it's only Kaspersky that is being spoofed, think again. CIA is truly the Scum of the Earth.

MaxThrust's picture

All intelligence agencies in the world are owned and controlled by the "secret government of Oligarchs" in each country.

The leader of any country whether President, Prime Minister or Dictator all answer to the Money Men.

Reaper's picture

All intelligence agencies operate with stealth.   If the Russians or Chinese hacked, it would appear from elsewhere to come.

turkey george palmer's picture

So now the internet isn't private, aww shucks I  just all bent out of shape now.

hmmmstrange's picture

They were right, it was the "russians".

kochevnik's picture

Russians usually too busy with lives for serious meddling in computers. Sometimes students at institute doing experiments or class project. If linked usually they are architect not worker bee

hound dog vigilante's picture


The 'russian hackers' narrative has been slowly constructed by the establishment for years... risk mitigation & control-of-events compels the NSA/CIA/.gov to have false flag narratives 'on the shelf' ready to deploy when needed... which requires years/decades of work & preparation.


IMO, the 'russian hacker' narrative was released prematurely by the Clintonista establishment in an attempt to 1) reverse the fatal trajectory of their pre-ordained candidate, HRC, and/or 2) provide a basis upon which a coup/impeachment might be initiated.  I think most people now recognize this rather ham-handed witch hunt for what it is... the swamp's pathetic self-defense tactics.

whatswhat1@yahoo.com's picture

I wouldn't mind using a little bit of exfiltration on some of my neighbors.

Consuelo's picture


Enter:

Peter King (New York)

The uber-'patriot' who would have the likes of Julian Assange imprisoned and/or executed for ---- you guessed it, treason...   


whatswhat1@yahoo.com's picture

Shouldn't the CIA just hire the Awan brothers to lead the "misattribute CIA exfiltration of data" program (M-CIA-ED).

land_of_the_few's picture

But the Awans were from the Russian Quarter of Karachi, they simply had baths in black tea and practised singsong-SJW-Jive-talk by watching CNN until they got fluent :P

small axe's picture

The US/CIA is its own worst enemy

Late onset ADHD's picture

yep... tell me something I don't know...

bladrnr_2019's picture

Get a Mac. Would never use a Windows PC.

Laughing.Man's picture

Linux.  Any distro would do.

GeoffreyT's picture

Yes, although there are 40-odd vulns in core USB modules that are awaiting patches (but all of those require physical access to the USB port, so it's actually no biggie [and I'm not being sarcastic]). See https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ for a reasonable appraisal of the situation. (And let's stipulate: if those holes exist in Linux, the same or similar vulns almost certainly exist in the closed-source OSes).

I grow (slightly) more suspicious of Ubuntu as time passes; with Unity (a buggy, semi-secure piece of shit), Canonical behaved like Microsludge - foisting a poorly executed UI on its audience as the default. Still, [*]ubuntu users can, if they wish, inspect every line of code in the OS (except for some prop drivers like nVidia and ffmpeg).

Kali Linux is pretty robust - because it's built by, and for, people who know what's up, and a very large number of people whose workflow requires security, use it (and therefore dedicate significant resources to ensuring it's secure).

GeoffreyT's picture

You're kidding, right? iThings are insecure as fuck - they take a so-so kernel and fuck it up to try and make it pretty, so soi-disant 'creatives' don't have to be 'triggered' by badly kerned fonts (the horror!).

Fuck Apple - style-over-substance cunts whose primary job in life is to keep its tech-illiterate sheep in a closed ecosystem that costs 5x as much per GFLOP. The fact that the Mac universe is less configurable than Windows 10 - and that Win 10 caused outrage even among third-decile tech-tards - is the key hint that the iCult is the most domesticated herd in tech.

8 point type is the 'right' default level for a 12.9" iPad and a 13" MacBook why, exactly? Squint away, motherfuckers - the rest of the world understands vh and vw and their UX analogs.

AurorusBorealus's picture

This will undoubtedly make American great again.  Are you tired of winning yet?

wisebastard's picture

if you kick a sleeping dog it might just bite your ass......I guess Russia has been building their military for shits and giggles

frontierland's picture

The name of the CIA Hacking Tool is the Kookspiracy Lab.

Rex Andrus's picture

The shit from WL looks like it was written by quotas when Billary were bombing federal buildings to avoid prosecution for fraud, smuggling, money laundering, rape, treason and shit.

ThePhantom's picture

believers everywhere but nothing to trust....intolerable. things are running away now. the train to the future has left the gates... times just about up. things get weird from here on out.

Youri Carma's picture

Of course we then can assume they not only did this for Kaspersky Lab. Or it could be that I am stupid and they don't need to because the other ones sold us out anyways.

INTEL CPU, FROM SKYLAKE ON, COMPROMISED

Researchers gain access to Intel Management Engine via usb

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-...

JTAG in each house: full access via USB
(google trans from Russian) https://tinyurl.com/y8zpjy5r

ORG https://habrahabr.ru/company/pt/blog/341946/

EVOLUTION OF DEBUGGING TOOLS ON INTEL PROCESSORS
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Where-theres...

JTAG
https://en.wikipedia.org/wiki/JTAG#Debugging

Platform Controller Hub
https://en.wikipedia.org/wiki/Platform_Controller_Hub

CRYPTO JACKING

Security company detects eight million crypto jacking attempts a day

Cryptojacking found on 2496 online stores Tuesday November 7, 2017 in Security
https://gwillem.gitlab.io/2017/11/07/cryptojacking-found-on-2496-stores/

A look into the global drive-by cryptocurrency mining phenomenon
https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-...

A look into the global ‘drive by cryptocurrency mining’ phenomenon - October 2017
https://go.malwarebytes.com/rs/805-USG-300/images/Drive-by_Mining_FINAL.pdf

Coin-Hive Blocker
https://chrome.google.com/webstore/detail/coin-hive-blocker/ccagdbjcbhmc...

gwillem/magento-malware-scanner
https://github.com/gwillem/magento-malware-scanner

Mining Blocker
http://mining-blocker.com/

GeoffreyT's picture

MINIX.

You left out MINIX. See http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/

If you're running an Intel chip, your PC has an onboard closed-source OS that you can't get at, running on ring -3 (the deepest level of the architecture - one level below UEFI; three levels below the OS; five levels below programs).

And it's as insecure as fuck: imagine if you installed Windows 3 (i.e., a 1990 OS) and tried to 'tweak' it to be useable as a modern OS (by adding a network stack, IPSEC etc)... the level of security you would wind up with, would be superior to MINIX.

And MINIX has been onboard Intel's chips for nine years; it has its own TCP/IP network stack, a filesystem, device drivers and a fucking web server. It's simply not possible to determine what backdoors might exist in that code (unless you happened to be monitoring traffic at your router at a point in time when a sub-BIOS-level backdoor was operating and nothing else).


SixIsNinE's picture

funny, i got out of the closet today an old toshiba 300ct
notebook and turned it on and it booted up fine, to win95

it has a pentium 133mhz with MMX ! 32mb of ram.

wonder if anyone has use for something like that - i may put it up on ebay ... i think they came out late 1990s
pretty cool little design.

and to think people were paying $2500 and up for these.

i remember selling thinkpads in 1995ish for $5,000.
32mb memory sticks for over 1,000
and HP 16MB proprietary boards for over 100,000 !!!