WikiLeaks: CIA source code leak shows agency impersonating Kaspersky
Following on from its Vault 7 series of leaks relating to CIA hacking tools, WikiLeaks has kicked off a new series -- Vault 8. The purpose of this latest series is to reveal the source code of previously exposed hacking and surveillance tools, and the first release relates to Hive.
The tool itself is interesting enough, serving as the backbone of the CIA's malware operations, but there's more. What's intriguing about the first leak in the Vault 8 series is that it appears to show the agency impersonating Kaspersky by making use of a fake certificate issued in the anti-virus company's name.
See also:
- Kaspersky says it accidentally obtained secret NSA files from a US computer
- Kaspersky's new 'global transparency initiative' aims to rebuild trust by submitting source code for review
- WikiLeaks: CIA's CouchPotato tool grabs footage from remote video streams
WikiLeaks explains the purpose and limitations of Vault 8: "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others."
It then provides links to the Hive repository and the Hive commit history, along with a brief description of the tool's purpose:
Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.
The source code for Hive is certainly interesting, but the use of fake certificates in the name of Kaspersky Lab is what stands out. The discovery is certain to raise a few questions, such as whether the US government -- which has banned the use of Kaspersky software on its computers -- has been using the Russian security firm as a scapegoat for some time.
You can check through the Hive documents over on WikiLeaks' Vault 8 page.