The Vault 7 leaks continue to flow thick and fast from WikiLeaks, shedding more and more light on the hacking and infiltration capabilities of the CIA. The latest batch details the OutlawCountry project which finds the CIA targeting Linux systems.
With Linux-based operating systems usually lauded for their impenetrability, news of a possible chink in the armour will undoubtedly cause concern. With OutlawCountry, it seems the CIA was able to redirect network traffic from a target machine to an agency-controlled machine for infiltration.
There are, perhaps obviously, a number of prerequisites to allow the CIA's method to work -- although the documentation does not actually reveal how the malware is actually installed. The prerequisites include: the target machine needs to be running a compatible 64-bit version of CentOS/RHEL 6.x (kernel version 2.6.32), shell access is required by the operator, and the target must have a "nat" netfilter table.
News of the latest addition to Vault 7 was shared on Twitter by WikiLeaks:
WikiLeaks explains a little about the latest hacking tool:
OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator.
The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.