WikiLeaks Publishes CIA Hacking Tool Designed To "Impersonate" Russia's Kaspersky Lab

On September 18th, the US Senate voted to ban the use of products from the Moscow-based cyber security firm Kaspersky Lab by the federal government, citing national security risk. The vote was included as an amendment to an annual defense policy spending bill approved by the Senate on the same day and was written to bar the use of Kaspersky Lab software in government civilian and military agencies.

Alas, according to a new revelation from WikiLeaks this morning, any perceived "national security risk" from Kaspersky could have resulted from the fact that the CIA specifically designed hacking software, code-named 'Hive', which intentionally "impersonated" the Russian cyber security firm so that "if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated."

Here's a summary of the hacking tool posted by WikiLeaks:

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.


Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult just by looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.


The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.


Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.
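The two mechanisms in the WikiLeaks summary above, a server that requests but does not require a client certificate, and a client certificate whose issuer name is borrowed from someone else, can be shown in a short Go program. This is an added example written for this page, not Hive's code or anything from the leak. It builds its own throwaway root, a second root with the same name but a different key, an implant-style client certificate, and a cover server on loopback; all names ("Example Root CA (constructed)", "cover-site.example") are placeholders, and Go 1.18 or later is assumed for the generic helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type keyCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for commonName: self-signed when parent is nil, otherwise signed
// by parent's key with Issuer copied from parent's Subject, whatever that Subject claims.
// Key-usage extensions are omitted for brevity; everything here is constructed for the example.
func newCert(commonName string, isCA bool, parent *keyCert) *keyCert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, parentCert := key, tmpl // self-signed unless a parent is given
	if parent != nil {
		signer, parentCert = parent.key, parent.cert
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &keyCert{key: key, cert: must(x509.ParseCertificate(der))}
}

// chainsToRoot is the defender's check: ignore the Issuer string and verify the signature chain.
func chainsToRoot(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// peerCertCount runs one TLS handshake on loopback against a server in optional client
// authentication mode (certificate requested, verified against clientCA only if presented) and
// returns how many certificates the client sent: 0 for a visitor, 1 for an implant-style client.
func peerCertCount(server, clientCA, client *keyCert) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.cert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.VerifyClientCertIfGiven,
		ClientCAs:    pool,
	}
	clientCfg := &tls.Config{InsecureSkipVerify: true} // loopback test; the server's identity is not under test
	if client != nil {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		cli := tls.Client(must(net.Dial("tcp", ln.Addr().String())), clientCfg)
		err := cli.Handshake()
		cli.Read(make([]byte, 1)) // drain until the server closes; returns at once if the handshake failed
		cli.Close()
		done <- err
	}()
	srv := tls.Server(must(ln.Accept()), serverCfg)
	err := srv.Handshake()
	n := len(srv.ConnectionState().PeerCertificates)
	srv.Close()
	if cerr := <-done; err == nil {
		err = cerr
	}
	return n, err
}

func main() {
	root := newCert("Example Root CA (constructed)", true, nil)
	fakeRoot := newCert("Example Root CA (constructed)", true, nil) // same name, different key
	implant, impostor := newCert("implant (constructed)", false, root), newCert("impostor (constructed)", false, fakeRoot)
	server := newCert("cover-site.example (constructed)", false, root)
	fmt.Println("same issuer name:", implant.cert.Issuer.String() == impostor.cert.Issuer.String(),
		"| verifies against root: implant", chainsToRoot(implant.cert, root.cert), "impostor", chainsToRoot(impostor.cert, root.cert))
	for _, c := range []*keyCert{nil, implant, impostor} {
		fmt.Println(peerCertCount(server, root, c)) // visitor: 0 <nil>; implant: 1 <nil>; impostor: 0 plus a handshake error
	}
}
```

`chainsToRoot` is the check to apply to a client certificate pulled from a packet capture: the Issuer field is copied text, so the only thing that says who signed is a signature that verifies against a key you actually trust. `peerCertCount` shows what the "optional" mode looks like on the wire: an ordinary browser completes the handshake with no certificate, a client holding one issued by the server's CA completes it with one, and a certificate that merely carries the right issuer name is rejected. A public-facing site that sends a CertificateRequest at all is unusual enough to be worth flagging in TLS telemetry.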

Of course, Kaspersky Lab has been producing anti-virus software for 20 years and boasts 400 million customers around the world. Suspected of being involved in cyber espionage, the company's management has maintained that it has been "caught in the middle of a geopolitical fight" and is being "treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts"...

...this new WikiLeaks revelation would seemingly lend some credence to Kaspersky's conclusion.


caconhma yomutti2 Thu, 11/09/2017 - 16:43 Permalink

CIA is not in a spy business. It is an out-of-control Crime/Terrorism Inc. with its own agenda. The USA is in deep shit both domestically and internationally. We have no coherent policies. We do not even have a country when our leaders have multi-citizenship and swear their allegiance to foreign countries hostile to the USA. As for low-life Trump, he is a total failure as a US President. It appears that Trump (with Kushner's assistance) sees himself as a salesman for Wall Street and the US MIC.

In reply to by yomutti2

PT caconhma Fri, 11/10/2017 - 00:30 Permalink

What? You mean the CIA can arrange the ones and zeroes in any order they like??? The real question is why are they the only ones who can do this? Yeah, I know. Encryption stuff. But that is why hackers hack. You need to know fine details but sometimes you don't need to know everything. Sometimes there are work-arounds. I have zero surprise that the technocrats can order the ones and zeroes any way they like. This is their "gun" that the little people do not have. Little people on computers are like real people with no 2A.

In reply to by caconhma

ConnectingTheDots Thought Processor Fri, 11/10/2017 - 10:35 Permalink

I stopped using anti-virus software by US companies several years ago since I was concerned that these companies were "requested" to install backdoors in their products by the US alphabet soup agencies. How sad, that I trusted a Russian company more than I trusted US companies because I felt the chance of being spied on was less. I eventually ditched Windows because it is known to have government installed backdoors and switched to Linux where at least there is a community of people who check the open source code for exploits. I was very pleasantly surprised how easy the learning curve was to transition from Windows to Linux Mint and the computers actually ran much faster without all the Windows bloatware. Taking this one step further, any corporate executive who entrusts their corporate data to "the cloud" should have their heads examined and be fired for gross negligence and incompetence.

In reply to by Thought Processor

Money Boo Boo WTFRLY Thu, 11/09/2017 - 14:10 Permalink

The Jews aren't the arbitors of all dirty shit pulled by Last time I checked Cheney wasn't a Jew. Clintons aren't Jews. Obama's not a Jew. Drumpf isnt Jewish. The MIC and Joint Chiefs and JSOC aren't Jews. Point Being Made:  You're a fucking retard

In reply to by WTFRLY

WTFRLY Money Boo Boo Thu, 11/09/2017 - 14:26 Permalink

Please, they are all card carrying Zionists that are down with the Greater Israel plan and more. Stop cutting it up into pieces like someone else is doing it or this is a random piile of shit the world has landed itself in. No they are all Jews per se, and I don't hate regular Jews, but these cryptojoo Zionists? Fuck all of them, period. Stop being naive about where the shit comes from and why. Everything from mass surveillance to the terrorism, war zones, economic fuckery and worse, it all ties back to them. Fuck you if you don't wanna address it. Just keep being mad at the random Muslim terrorist or SJW, keep bleating on at them. That's really helping.

In reply to by Money Boo Boo

Joe Mama 3 WTFRLY Thu, 11/09/2017 - 15:16 Permalink

I'm wit ya playa. They were not kicked outta every country in Europe for nuttin !!!!!!!!!!!!! Blood Libel, Occultism disguised as a Judism, mouth ta dick circumsision, DANCING ISRALIES.........  dont git me wrong, mitt romney wears magic underwear, the mutherfucker wears magic underwear, the bushes are sick devils, i'm gonna say it. 9/11 was an inside job and the zionist state had something to do wit it, i'm gonna say it. there should be no sacred cows here. nothing is untouchable, especially if it it done wit taxpayer funds hot of the fake presses !!!!!!!!!!    My disgust at all the V.A. spending and disabled vet payouts is not tasteful to some, but it should be discussed. If ya cant handle unfortunate truths, take ya ass back to 

In reply to by WTFRLY

finametrics Money Boo Boo Thu, 11/09/2017 - 17:25 Permalink

what an incredible imbecile. the blame is not on the "jews" per se, but it is and has always been on the talmudist zionists and their false god satan. why is it that the jews have a history of always being kicked out of every country they squat in? the answer is quite factual. a few bad talmudist apples engaging in usury that ruin it for everyone else, including their own kin. along the way, they pick up and hire prostitutes like the clinton's who'll gladly sell their ass for some cookies. dont take my word for it, read it from the grandfather of jew history who writes about it: also

In reply to by Money Boo Boo

Yog Soggoth Money Boo Boo Thu, 11/09/2017 - 18:07 Permalink

aangirfan: Hillary Clinton: The First Jewish Woman President? You almost had the first jewess president in history. In their culture, as with other tribes, it is matrilineal succession rather than patriarchal. What is surprising is that you are on a financial news website and never expected any of the commentaters would be at least part jewish, married into, or worked extensively with those that you obviously know nothing about.

In reply to by Money Boo Boo

IH8OBAMA Solosides Thu, 11/09/2017 - 13:57 Permalink

What a stupid comment. Putting a backdoor into Kaspersky software would be a perfect way for Russia to gain control of millions of computers should hostilities of any kind break out. There is no reason to take that risk as it is highly likely to be a real threat. Your comments are making me consider making the change sooner.

In reply to by Solosides

vulcanraven IH8OBAMA Thu, 11/09/2017 - 14:35 Permalink

"Putting a backdoor into Kaspersky software would be a perfect way for Russia to gain control of millions of computers should hostilities of any kind break out." >Doesn't realize that this is exactly what the US intelligence community is already doing to its own citizens.

In reply to by IH8OBAMA

RedDwarf IH8OBAMA Thu, 11/09/2017 - 14:29 Permalink

"I've been using Kaspersky on my computers.  I decided months ago that when it comes up for renewal I'll switch to something US made just because at some point it might become compromised."If you are using anything but an open source anti-virus, you can assume there is a backdoor designed by teh company at the behest of the parent government.  It doesn't matter if said software is from the USA or Russia.

In reply to by IH8OBAMA

TAALR Swift Blue Steel 309 Thu, 11/09/2017 - 18:01 Permalink

Ah, but Norton has a "Pre-Black-Friday" sale. Regular $70. Now $20. Better hurry and get that NSA/CIA backdoor installed at a discount. They don't pay you. You pay them. Remember: i. You're #1, you're Exceptional; ii. Salute the flag and Support the Troops; iii. Pray to your deity (that caused the natural disaster, to help the victims your deity created); iv. Pay your taxes; v. Max your 401k and IRA contributions. p.s. We have always been at war with Eurasia

In reply to by Blue Steel 309

GeoffreyT IH8OBAMA Thu, 11/09/2017 - 17:22 Permalink

You would be better advised to switch off Fox News and wait until Kaspersky opens its source. Kaspersky has said it intends to do this (to an extent) in Q1 of 2018, permitting source code review by a selected group of tech-competent reviewers. If the group is not good enough, the FOSS community will scream it from the rooftops - so Kaspersky is unlikely to want the reputational damage that would happen if they only chose 'safe hands' for the review. None of that will be on Fox News, because to be on that network you have to be a bloviating tech-illiterate blowhard, just like the audience.

In reply to by IH8OBAMA

Winston Churchill GeoffreyT Thu, 11/09/2017 - 19:27 Permalink

Not that it matters if you truly are tech literate; the problems go far deeper than operating systems and programs on them. We already know about spyware built into drive firmware. I'm convinced that the BIOS on every computer has similar problems. Very odd that only one company dominates in writing it, unless someone is subsidizing loss leading for a whole different reason.

In reply to by GeoffreyT