WikiLeaks Publishes CIA Hacking Tool Designed To "Impersonate" Russia's Kaspersky Lab

Tyler Durden

On September 18th, the US Senate voted to ban the use of products from the Moscow-based cyber security firm Kaspersky Lab by the federal government, citing national security risk. The vote was included as an amendment to an annual defense policy spending bill approved by the Senate on the same day and was written to bar the use of Kaspersky Lab software in government civilian and military agencies.

Alas, according to a new revelation from WikiLeaks this morning, any perceived "national security risk" from Kaspersky could have resulted from the fact that the CIA specifically designed hacking software, code-named 'Hive', which intentionally "impersonated" the Russian cyber security firm so that "if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated."

Here's a summary of the hacking tool posted by WikiLeaks:

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.


Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult just by looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.


The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.


Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Of course, Kaspersky Lab has been producing anti-virus software for 20 years and boasts 400 million customers around the world. Suspected of being involved in cyber espionage, the company's management has maintained that it has been "caught in the middle of a geopolitical fight" and is being "treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts"...

...this new WikiLeaks revelation would seemingly lend some credence to Kaspersky's conclusion.
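The defender-side consequence of the quoted mechanism is that an implant certificate naming "Kaspersky Laboratory" as subject and "Thawte Premium Server CA" as issuer proves nothing until its signature is checked against the genuine issuer's key. The Go program below is an added example, not code from the Hive release or from Kaspersky; the "real" CA, the impostor CA that copies its name, and all keys are constructed in memory as stand-ins, and a real check would load the actual root from a trust store instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for subject signed by parent/parentKey, or
// self-signed when parent is nil. Errors are ignored for brevity (demo only).
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToRoot reports whether leaf's signature verifies against the trusted
// root; the Issuer name written on the cert plays no part in the decision.
func ChainsToRoot(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Demo models the page's scenario with constructed keys: a stand-in "real" CA,
// an impostor CA copying its name, and an implant cert issued by the impostor.
// It returns (issuerNameMatches, chainsToRealRoot) for that implant cert.
func Demo() (nameMatches, chains bool) {
	realCA, _ := newCert("Thawte Premium Server CA", true, nil, nil)
	fakeCA, fakeKey := newCert("Thawte Premium Server CA", true, nil, nil)
	implant, _ := newCert("Kaspersky Laboratory", false, fakeCA, fakeKey)
	return implant.Issuer.CommonName == realCA.Subject.CommonName, ChainsToRoot(implant, realCA)
}
```

Demo returns (true, false): the issuer name on the implant cert matches the trusted root's name, yet the chain fails, which is the signal a network monitor should key on rather than the printed names.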

Youri Carma

Well it's in there somewhere but good that you emphasize that.

"One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture." https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-...

It was a Dutch inventor, btw, who didn't know that Intel used his stuff and wrote a letter to Intel about it.
http://www.cs.vu.nl/~ast/intel/

MINIX — The most popular OS in the world, thanks to Intel
https://www.networkworld.com/article/3236064/servers/minix-the-most-popu...

Juliette

USB has always been a security nightmare. That is why there are BIOS options to turn it off. Doesn't help much if they get physical access to your machine, though.

A. Boaty

Kaspersky = good guys. Good thing this got out because we need people we can trust to protect data.

peippe

CIA has messed up everything else it touched so NOW they pretend to be a Russian entity.

pathetic. Go take over Puerto Rico ya douches.

EDIT: still waiting for Obama to apply for a job at the UN too.

Volkodav

Kaspersky Free

available no cost, is freepay Kaspersky site

InternetToughGuy

If I was counsel for Kaspersky, I would be looking into some billion dollar lawsuits against the CIA right now: trademark, interference with business/contract, defamation...

ah-ooog-ah

trustno1

dude you guessed my password

JailBanksters

The CIA is no better than virus writers and scammers,

except they get paid by US Tax Payers to hack and scam US Tax Payers

It's like you're paying car jackers to jack your own car

Lokiban

PsSetLoadImageNotifyRoutine,

http://securityaffairs.co/wordpress/62872/hacking/microsoft-kernel-issue...

How dare Kaspersky fix their backdoor....

whatswhat1@yahoo.com

Back in the days when computer floppy drive discs were as large as a 33 1/3 LP (have I lost anyone yet?), I bought a program which I think was called PC Tools and I was required to return the program because it encrypted my data to a level that the NSA couldn't crack, and they didn't have a built-in back door.

Zorba's idea

Good flash back...the whole purpose of the "world wide web" of things, places and people is to enable the Elites to Backdoor everything imaginable. The "Cloud" technology is likely located at Langley.

Juliette

How Jewish of them!

DeusHedge

I have a dark view about technology

you should too, just the hackers aren't necessarily the government

redmudhooch

Once again proving the CIA are a pile of utterly useless paranoid delusional psychopaths, what the hell are they so fucking afraid of?

Only in America! Sad! Losers!

Zorba's idea

Ahhh, the great Impersonator...our beloved CIfuckingA. USA! USA! USA!

ThinkAgain

Digital evidence is no evidence at all. It will lose its juridical proof value at a fast pace.