Were you expecting an exploding pen?

Coding tips and tricks from the Wikileaks CIA data dump

Jane Elizabeth

The internet is still reeling from Wikileaks’ latest data dump. We take a look to see what developers can learn from the CIA’s hacking tools. I’m not saying this will help you become Q, but it sure can’t hurt.

Well, it looks like NASA isn’t the only US federal agency to share its code with the general public. Thanks to the latest data dump from Wikileaks, over 8000 CIA files were published on Tuesday, with what some might call suspicious timing.

Wikileaks describes this as the largest ever publication of confidential documents on the agency. The data dump amounts to thousands of pages full of the software tools and best practices used by the CIA’s hackers. “Vault 7” is only the first in a series.

The data dump marks a change of pace for the organization. Wikileaks editors redacted many lines of code from harmful malware and other programs to render them unusable. They stated that for now they will not release the actual code “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

The files focus mainly on the CIA’s Engineering Development Group (EDG), the organization responsible for developing the tools used to hack into devices for the Company. According to Wikileaks, the EDG is “responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.”

Basically, they’re the Q Division.

No one is particularly shocked that America’s premier spy agency is, well, spying on people. It’s kind of in the job description. Also, unlike other intelligence agencies (shout out to all our friends listening in at the NSA!), the CIA isn’t interested in blanket surveillance. They target particular people and their tools are designed for monitoring specific targets. So, silver lining, I’m probably not being bugged by the CIA!

What can developers learn from this?

Politics aside, Vault 7 is a treasure trove of the CIA’s best practices and software. It offers valuable insight into the minds of the world’s spyiest* hackers.

However, it is important to note how dated some of these documents are. The tradecraft described below was criticized by the CIA’s own internal hackers. In 2013, one user commented, “A lot of the basic tradecraft suggestions on that page seem flawed.” Someone replied, “Honestly, that stuff is probably already dated.” And that was four years ago.

Here’s what we learned.

No BSODs, please

Developers in the Applied Engineering Department (AED) were warned against creating any programs that would make the target’s computer malfunction. The CIA is a clandestine intelligence agency; anything that brings attention to the malware is a bad idea.

The AED documents are a laundry list of do’s and don’ts.

For example:

  • “DO NOT perform operations that will cause the target computer to be unresponsive to the user (e.g. CPU spikes, screen flashes, screen ‘freezing’, etc).”
  • “DO NOT perform Disk I/O operations that will cause the system to become unresponsive to the user or alerting to a System Administrator.”
  • “DO have a configurable maximum size limit and/or output file count for writing… output files.”
  • “DO NOT generate crashdump files, coredump files, ‘Blue’ screens, Dr Watson or other dialog pop-ups and/or other artifacts in the event of a program crash.”

All of these commandments are meant to prevent a sysadmin from noticing the malware, or forensics from tying it back to the CIA. Which is a fairly reasonable point, because they are a bunch of government spies.

Kilroy was here

The EDG is explicit in its instruction to CIA hackers to avoid leaving calling cards. In fact, a lot of their best practices were ways to avoid implicating the agency or the United States. Again, reasonable.

Do nots

  • Leave timestamps that would implicate the US (i.e. general EST working hours)
  • Leave data in binary files that would implicate the CIA or one of their contractors
  • Use any CIA code names in the binary files
  • Use dirty words (l33t or otherwise)
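The timestamp rule exists because forensic analysts really do read working hours out of artifact timestamps. The sketch below is an added example, not code from the article or from the leaked documents: it scores every whole-hour UTC offset by how many timestamps fall into office hours there. The 09:00-17:00 window, the function names and the sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17  # assumed office hours (local time), Monday to Friday


def working_fraction(stamps, offset_hours):
    """Share of UTC timestamps that land in office hours at a given UTC offset."""
    shift = timedelta(hours=offset_hours)
    hits = 0
    for ts in stamps:
        local = ts + shift
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(stamps)


def rank_offsets(stamps):
    """Score every whole-hour offset from UTC-12 to UTC+14, best first."""
    scores = [(working_fraction(stamps, off), off) for off in range(-12, 15)]
    return sorted(scores, key=lambda s: (-s[0], s[1]))


def constructed_sample():
    """Constructed data, not from the leak: 40 build times at 09:30-16:30
    UTC-5 across Mon-Fri 7-11 Jan 2013, plus two off-hours outliers."""
    monday = datetime(2013, 1, 7, tzinfo=timezone.utc)
    stamps = [
        monday + timedelta(days=day, hours=9 + slot + 5, minutes=30)
        for day in range(5) for slot in range(8)
    ]
    stamps.append(datetime(2013, 1, 12, 3, 0, tzinfo=timezone.utc))   # Saturday
    stamps.append(datetime(2013, 1, 9, 2, 15, tzinfo=timezone.utc))   # overnight
    return stamps


if __name__ == "__main__":
    for score, offset in rank_offsets(constructed_sample())[:3]:
        print(f"UTC{offset:+d}: {score:.0%} of timestamps in office hours")
```

Build and file timestamps are set by whoever produced the file, so a clean clustering like this is a weak signal that needs corroboration from other evidence.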

Redmond and Cupertino need to update their OS

The CIA’s hackers have a lot of programs for attacking the two most popular operating systems. The UMBRAGE team focused on Microsoft. Their tools included keystroke loggers, antivirus avoidance mechanisms, and other applications. Egregious weaknesses include gaping holes in Control Panel, as well as the use of Windows library files and Windows Theme files as launchpads for malware.

Apple isn’t much safer either, although it seems that their code is considerably more difficult to hack than Microsoft’s. The system can be resilient, but there’s a whole list of malware that could be slipped into the OS. For instance, the CIA’s internal hackers were able to get at the kernel, create zombie programs, and even hide spying software by storing them on the EFI system partition.

One assumes that there are some frantic meetings in Redmond and Cupertino this week as Microsoft and Apple engineers try to close these gaping security flaws. I would expect a software update sometime soon!

Can you hear me now?

Initial reports on the data dump suggested that privacy applications like Signal and WhatsApp were vulnerable to the CIA’s hackers. It seems that this was a little exaggerated; a closer examination shows that the CIA still hasn’t cracked Whisper Systems’ encrypted chat protocol.

If they want to listen in on your conversations, they’re going to have to bug you the old-fashioned way by physically compromising your devices. That’s a high-risk move, so the CIA is going to save that for particularly high-value information targets. The vast majority of us are fine.

Your iPhone and Android aren’t completely safe, though. Android in particular is vulnerable. While the majority of these programs are meant to allow malware to gain control of your Android device, some allow remote access on phones that are running Android 4.4 or lower. (But again, this list is three years old, so they could have easily upgraded their code in the intervening years.)

The same goes for the iPhone hacks; while some of the security bugs were fixed by Apple in recent iOS updates, there are still some workarounds.



Not all of the documents were full of terrible code meant to destroy the internet as we know it. Some of the lighter leaks included one user’s favorite Japanese-style emoji and games, or even a discussion on how the CIA could avoid this style of document hack.

There’s a lot of information in this archive. I highly recommend going through the archive yourself, if only to familiarize yourself with the CIA’s do’s and don’ts of hacking. It might not help if you want to get a job at Langley or MI6, but it certainly can’t hurt.

Jane Elizabeth
Jane Elizabeth is an assistant editor for
