
CIA’s ‘Star Wars’ tools can steal passwords, intercept data from secure networks

The CIA can infiltrate secure Windows and Linux networks to steal passwords and spy on data sent over networks, according to the latest WikiLeaks Vault7 release. It also reveals a member of the CIA is a big Star Wars fan.

The ‘BothanSpy’ and ‘Gyrfalcon’ projects are designed to intercept and exfiltrate SSH (Secure Shell) protocol credentials. Access to SSH credentials on a given network lets the CIA see which usernames and passwords are being used, and also lets it access data sent over the network, from personal emails to important documents.

What is SSH?

SSH is a protocol for operating network services securely, allowing for secure remote login from one computer to another. It’s often used in corporate networks or private organizations for secure access, file transfer and managing computer networks.


BothanSpy is the CIA implant that targets the SSH client program Xshell on Microsoft Windows.

According to a secret 2015 CIA document, BothanSpy was developed by the Engineering Development Group (EDG), the division responsible for creating the CIA’s hacking tools. Version 1.0 was created in March 2015.

It steals user credentials for all active SSH sessions, which could be usernames, passwords or data.

BothanSpy allows the CIA to save the stolen credentials in an encrypted file to be removed at a later time, or it can exfiltrate the stolen credentials to a server controlled by the agency. This way, BothanSpy never touches the target system’s disk, so it can’t be traced.

“BothanSpy takes a very paranoid approach when collecting credential information,” the document explains. “However, there is always some risk (no matter how small it may be) to using BothanSpy against an untested/unofficial version of Xshell.”


The creator of the BothanSpy user manual appears to be a fan of the Star Wars franchise. Bothans are a species in Star Wars who steal information about the Death Star for the Rebel Alliance.

The manual features Star Wars references under ‘Known Issues’ and ‘Troubleshooting.’

“It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets,” are some of the issues listed.

In Troubleshooting, it says, “I went to destroy the Death Star with the information obtained by BothanSpy, but The Empire's entire Star Ship fleet warped in, and the shield generators are not down on the Death Star, what gives?” The answer given is, “I told you it would be a trap, that’s on you.”


‘Gyrfalcon’ targets Linux platforms, such as Ubuntu and SUSE. Linux is seen as a more secure platform, but the CIA is able to penetrate its network too.

It not only captures user logins, but it has the ability to “execute commands on behalf of the legitimate user,” a user guide from November 2013 explains.

It is a library loaded into OpenSSH on Linux platforms, and it contains an application that compresses, encrypts and stores data in a file on the Linux platform.

A third-party application is needed to transfer the “captured keystrokes” and data from the Linux platform to a CIA listening post. (A listening post is used to monitor devices hacked with the CIA’s malware implants. They can be physical or virtual and stored on a CIA computer server.)

Gyrfalcon is a type of bird, and not Star Wars-inspired.