Wikileaks has been at the forefront of exposing the Central Intelligence Agency through the leaks of what have become known as the Vault 7 documents. In its latest release, Wikileaks shows how the CIA is able to hack into computers even when they are not connected to the internet.
In eleven new documents published by Wikileaks, there is an explanation of a piece of software known as “Brutal Kangaroo.” This software suite is used to target “air-gapped” computers by using internet-connected networks within the same organization.
Quartz explains how it all works:
Brutal Kangaroo works by creating a digital path from an attacker to an air-gapped computer and back. The process begins when a hacker remotely infects an internet-connected computer in the organization or facility being targeted. Once it has infected that first computer, what the documents refer to as the “primary host,” Brutal Kangaroo waits. It can’t spread to other systems until someone plugs a USB thumb drive into that first one.
Once someone does, malware specific to the make and model of the thumb drive is copied onto it, hiding in modified LNK files that Microsoft Windows uses to render desktop icons, and in DLL files that contain executable programs. From this point, Brutal Kangaroo will spread further malware to any system that thumb drive is plugged into. And those systems will infect every drive that’s plugged into them, and so on, and the idea is that eventually one of those drives will be plugged into the air-gapped computer.
The major flaw in the concept of isolating sensitive computers is that the air gap around them can only be maintained if no one ever needs to copy files onto or off of them. But even for specialized systems, there are always updates and patches to install, and information that has to be fed in or pulled out. It’s common knowledge among IT specialists that external hard drives are an obvious target for anyone seeking to break the air gap, and precautions are presumably taken in facilities with diligent IT specialists. Those precautions, however, can be subverted with exploitations of obscure vulnerabilities, and sometimes mistakes simply happen.
If a thumb drive infected with Brutal Kangaroo is plugged into an air-gapped computer, it immediately copies itself onto it. If a user tries to browse the contents of the infected drive on that computer, it will trigger additional malware that will collect data from the computer. As users continue plugging the drive into connected and disconnected computers, a relay is formed, ultimately creating a slow path back to the hacker, through which data copied from the air-gapped computer will be delivered if everything goes according to plan.
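The passage above turns on a single control point: a removable drive that is supposed to carry only the files someone intended to transfer. One defensive check that follows from that description is to record a manifest of the drive's contents on the sending side and, on the receiving side, flag anything that was not in the manifest, anything whose contents changed in transit, and any LNK or DLL file regardless of manifest status. The code below is an added example written for this page; it is not part of the article, the Quartz piece, or the leaked documents. It assumes the drive is mounted at a plain directory path (here a constructed temporary directory) and that the manifest is passed as a dictionary of relative path to SHA-256; the file names and bytes in `demo()` are constructed sample data.

```python
"""Audit a removable drive before it crosses an air gap (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types the article singles out as the carrier for the malware payload.
SUSPECT_SUFFIXES = {".lnk", ".dll"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large transfers do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Run at the source: map every intended file (relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def audit_drive(root: Path, manifest: dict) -> list:
    """Run at the destination: return (relative_path, reason) for anything
    that should not be on the drive as it arrived."""
    findings = []
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings.append((rel, "not in manifest"))
        elif sha256_file(p) != manifest[rel]:
            findings.append((rel, "hash mismatch"))
        # LNK and DLL files are flagged even if someone listed them deliberately;
        # a reviewer can clear them, but they should never pass silently.
        if p.suffix.lower() in SUSPECT_SUFFIXES:
            findings.append((rel, f"suspect type {p.suffix.lower()}"))
    for rel in manifest.keys() - seen:
        findings.append((rel, "missing from drive"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: a drive leaves the source with two legitimate
    files and arrives with a stray LNK, a stray DLL, and one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "report.txt").write_text("quarterly numbers\n")
        (drive / "patches").mkdir()
        (drive / "patches" / "update.bin").write_bytes(b"\x00\x01\x02")
        manifest = build_manifest(drive)  # what the sender signed off on

        # Constructed changes standing in for what appeared in transit.
        (drive / "report.txt.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder bytes
        (drive / "patches" / "helper.dll").write_bytes(b"MZ")      # placeholder bytes
        (drive / "patches" / "update.bin").write_bytes(b"\x00\x01\x03")  # tampered

        return audit_drive(drive, manifest)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20s} {rel}")
```

The manifest has to travel separately from the drive (for example, read aloud or sent over the connected network before the drive is walked over), otherwise whoever can write to the drive can also rewrite the manifest. The check is deliberately strict about LNK and DLL files because the mechanism described above hides in exactly those types, and a clean manifest does not prove that a shortcut's target is harmless.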
The targeting of “air-gapped” computers is not something new. Stuxnet, another piece of malware that was reportedly developed by the US and Israel to sabotage Iran’s nuclear program, also had “air-gapped” computers in its sights.
According to the New York Times in 2012, “President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.”
“Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet,” the report continued. “Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.”
Stuxnet allegedly took out 1,000 of 5,000 centrifuges Iran had at the time to purify uranium.
Judging by a recent court filing, at least some of the CIA files Wikileaks published earlier this month are genuine, because the government pushed back against having them admitted in court due to the documents’ classified content.
“The government is not able to declare non-government records as classified, unless they are taking ownership of the records themselves,” Bradley P. Moss, a national security attorney, told Motherboard in an email.
Strangely, the court filing was made in a largely unrelated case involving the FBI’s own hacking capabilities. In February 2015, the FBI took over a dark web child pornography site called Playpen, and deployed a network investigative technique—a piece of malware—in an attempt to identify the site’s users.
That investigation has led to hundreds of arrests, but also dozens of contentious court cases across the US. Defense teams have battled over the legality of the warrant used to authorize the hacking operation, as well as access to the source code of the exploit used to hack their clients’ computers.
In this case, federal public defender Colin Fieman wanted to admit some of the Wikileaks documents into court. The idea was to bolster his argument that even with a forensic examination of the defendant’s computer, it would not be possible to see whether someone else planted child pornography on the machine, because the exhibits may show the US government has “the ability to hack into a computer without leaving any trace,” the court filing, written by District Judge Robert J. Bryan, reads.
Whether or not that argument actually holds water is largely irrelevant, as the government did not want the Wikileaks documents included in the case at all.
And why would they not want them included? More than likely it would be confirmed that the documents are authentic, and that would expose the criminal activity of the central government.
Let this be a lesson: no computer is safe.
Former intelligence agent Steve Pieczenik said that the Vault 7 documents are aimed at taking down the CIA, which in all honesty has shown itself to be more of a threat to the national security of the United States than any foreign power is.