Since Wikileaks began releasing classified CIA documents back in March as part of its “Vault 7” series of leaks, purportedly the largest document dump in the agency’s history, it has publicly unveiled programs with innocent sounding names like “Marble”, “Scribbles” and “Archimedes” that the agency employs to help execute its operations, or to cover its tracks.
On Thursday, the group released the 19th installment in its series by publishing a series of documents detailing how the agency uses a custom-designed hacking exploit called “Dumbo” to destroy, or manufacture, evidence during field operations, according to a Wikileaks press release.
The CIA filed a request that such a tool back in 2012, according to a powerpoint presentations describing what capabilities it would need.
In a field guide for the tool, dated July 2015, the agency says “the intelligence community has identified a need…for a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment.”
Once installed on a computer running the Windows operating system via a thumb drive, Dumbo identifies webcams and microphones and stops them from recording. The program notifies its operator of any files that were actively being written so that they can be corrupted or deleted, according to the field manual.
“Dumbo works by discovering which processes have access to the physical camera device and uses that information to corrupt video files. In some instances, programs emulate a camera input to other programs; such is the case with Fujitsu’s YouCam.exe. When this occurs, YouCam.exe will have control of the actual webcam, and feed input to other processes that record images to files as needed. In this scenario, Dumbo will suspend YouCam.exe but will not be able to detect the other processes to which YouCam.exe is feeding images. Although the camera will not be able to record additional frames, Dumbo will not be able to corrupt files that were written to prior, as it is unaware of the processes writing the video files. If the operator sees a process using the camera device, but Dumbo detects no files being written, the operator should manually search for video files.
In some instances, video recording software has the ability to detect it is not responding, and will restart itself; such is the case with iSpy.exe. When Dumbo detects a process using a camera device, it also claims control of the device. If the recording software were to restart itself, it would no longer be able to access the camera until Dumbo exits. In the case of iSpy,although the program may restart, it will be unable to record any additional frames; it will appear as if it was unable to access the camera, due to it already being in use.”
According to the documents, Dumbo is programmed to operate on 32bit Windows XP, Windows Vista, and newer versions of the Windows operating system, but won’t work with 64bit Windows XP, or Windows versions prior to XP. More dumps are expected in the coming weeks. Wikileaks published a link to its press release, as well as the document cache, in the tweet below.