Wikileaks continues to reveal the extent of the CIA’s hacking and surveillance operations. On March 31, the whistleblower organization released source code from the CIA’s “Marble Framework” — a tool designed to trick forensic investigators into thinking malware attacks came from elsewhere.
Releasing this information could actually give security professionals what they need to uncover previously hidden CIA hacking activity.
The source code release does not contain any actual vulnerabilities or exploits, only the obfuscation tools.
The Russians/Chinese/Iranians Did it — Or Did They?
The initial batch of “Vault 7” releases last month referred to techniques whereby CIA hacking, if discovered, could appear to originate from a foreign source.
The Marble Framework uses an algorithm called “WARBL” to obfuscate, or write over, text fragments in the CIA’s malware code. Anything that might reveal the malware’s originator gets covered with foreign-language text and/or characters.
Ars Technica reported that the Marble Framework includes a C++ application called Marbler, which could scramble or cover existing text strings and binary objects using a number of techniques.
A forensic investigator examining the malware code would then find “revealing” passages of Chinese, Farsi, Russian, Arabic or Korean text — conveniently, languages used by the US’s main adversaries.
According to Wikileaks, this is equivalent to US operatives covertly supplying weapons to insurgent allies by covering over the English-language instructions. If captured, the weapons’ origin is then less clear.
Better still, the obfuscation tools could make it look as though someone had tried to conceal the foreign-language text. This might fool even investigators who looked deeper.
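As an added illustration, not part of the article or of the leaked Marble code, the Python script below does what a forensic investigator would do with a suspect binary: pull out printable text runs and report which non-Latin scripts they use. The sample blob is constructed for the example; the takeaway is that such strings are a lead for deeper analysis, not attribution evidence, precisely because a tool like Marble can plant them.

```python
import re

# Unicode block ranges for the scripts the article names; Farsi uses the Arabic script.
SCRIPT_RANGES = {
    "Cyrillic": (0x0400, 0x04FF),
    "Arabic": (0x0600, 0x06FF),
    "Hangul": (0xAC00, 0xD7AF),
    "CJK": (0x4E00, 0x9FFF),
}

# Constructed sample: a fake header, an ordinary API name, three planted
# foreign-language strings and some non-UTF-8 noise. Not a real binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"GetProcAddress\x00"
    + "Ошибка загрузки модуля\x00".encode("utf-8")   # Russian
    + "تنظیمات\x00".encode("utf-8")                   # Farsi
    + "初始化失败\x00".encode("utf-8")                 # Chinese
    + b"\x89\xff\xfe\x12garbage\x00"
)

def script_of(ch):
    """Name the script block a character falls in, or None for Latin/other."""
    cp = ord(ch)
    for name, (lo, hi) in SCRIPT_RANGES.items():
        if lo <= cp <= hi:
            return name
    return None

def classify_strings(blob, min_len=4):
    """Map script name -> printable UTF-8 runs (>= min_len chars) using it.
    Invalid bytes decode to U+FFFD and end a run, so binary noise cannot
    glue unrelated text together. UTF-16 strings would need a second pass."""
    text = blob.decode("utf-8", errors="replace")
    pattern = r"[^\x00-\x1f\x7f\ufffd]{%d,}" % min_len
    report = {}
    for run in re.findall(pattern, text):
        for script in {script_of(ch) for ch in run} - {None}:
            report.setdefault(script, []).append(run)
    return report

def attribution_summary(blob):
    """Count runs per script. A hit is a lead for deeper analysis, not proof
    of origin: Marble shows such strings can be planted to misdirect."""
    return {s: len(runs) for s, runs in classify_strings(blob).items()}

if __name__ == "__main__":
    for script, runs in classify_strings(SAMPLE).items():
        print(script, runs)
```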
Revealing such techniques now is pertinent to current events, with almost daily media revelations that “Russians hacked” participants in the 2016 Presidential election campaigns. However, the accusers have so far revealed few details as to why they suspect the Russians of doing so, or evidence that it happened to any significant degree.
Other Wikileaks CIA Revelations
Earlier last month, Wikileaks also revealed documentation for the CIA’s “Dark Matter” hacking tools. This set of intrusion attacks specifically targeted Apple computers and iOS devices, residing in the machines’ firmware. Developed by the CIA’s Embedded Development Branch (EDB), the malware could not be removed even with a clean install of the operating system.
To use these firmware tools, Wikileaks speculated, the CIA would have to intercept Apple’s supply chain at some stage to infect machines before they were even delivered to customers. It’s possible they intercepted deliveries of any hardware leaving the United States.
Wikileaks teased its much anticipated “Vault 7” release for weeks with intriguing photos of historic hidden storage facilities. Calling it the largest-ever release of confidential CIA documents, the organization began with over 8,000 documents giving an overview of the intelligence agency’s clandestine hacking activities.
To give an idea of the hacking program’s extent, Wikileaks said: “the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook.”
Wikileaks likely has more information on CIA activities to release in the near future.
Will the latest revelations prompt a strategic re-think for both the CIA and forensics experts? Let’s hear your thoughts.
Image via Pixabay