Skip to main content

WikiLeaks Docs Reveal How The CIA Targets Windows Users

WikiLeaks published new documents from what it calls the Vault 7 trove describing how the CIA targets Windows users. The files pertain mostly to Grasshopper, a framework used to build custom installation executables, and the agency's use of the Carberp malware in its Stolen Goods persistence mechanism. This leak puts the spotlight on another of the CIA's internal tools and on how it repurposes public malware to suit its own purposes.

Grasshopper's user guide explains that it was used to build and execute custom malware. Operators could use various installers, target devices based on what version of Windows they use or what antivirus software is installed, and decide if the malware should create a log file when it's run. This would theoretically improve the agency's chances of compromising their target while reducing the odds of getting caught or affecting other people.

It's kind of like the spying equivalent to Build-A-Bear Workshop. The CIA gathered installers, payloads, and persistence mechanisms so operators could put them together as if they were children making a custom stuffed animal instead of spies designing malware for specific targets. Operators could also customize Grasshopper itself if they wanted to use a particular tool or needed more control over the malware they were trying to build.

One of those persistence mechanisms--tools used to help malware evade detection by security tools and remain on a target machine--was called Silent Goods. Here's what the Silent Goods user manual has to say about its origins:

The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily 'borrow' components as needed from the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.

This kind of source code theft is common among malware creators. Few build everything from scratch--most take someone else's work and customize or improve it to suit their own purposes. Many others simply use off-the-shelf malware instead of even attempting to code something themselves. Stolen Goods shows that the CIA is no different. If something works, it works, and the intelligence agency has no qualms about repurposing it.

You can find out more about Grasshopper and Stolen Goods in WikiLeaks' latest release from the Vault 7 trove. The organization previously revealed how the CIA tries to work around end-to-end encrypted communications tools, bypasses Windows antivirus software, and considers the possibility of assassination via remote car hack.

Don't worry, all the car makers with whom we spoke assured us that you probably won't be killed by hackers, and antivirus companies have patched up vulnerabilities revealed in the Vault 7 documents. Companies like Cisco have also been digging through WikiLeaks' materials to find critical security flaws that the organization didn't highlight in its own blog posts.

The documents published today appear to have been written between 2012 and 2014. Not all of them were dated--the Grasshopper user guide has no date, for example, although the admin guide says it was published in December 2013. Microsoft and other security companies may have already addressed the vulnerabilities exploited by the framework and its components.

We reached out to Microsoft for comment on these latest files, and a Microsoft spokesperson stated:

Our investigation confirmed that the information released on April 7 does not impact modern systems. For the best defense against security threats, we recommend Windows 10, which is updated automatically by default.

  • Tech_TTT
    Right !!

    well MS , I have the feeling that your whole updating system is the spy how about that?
    Reply
  • ssdpro
    I guess it would mean something if it affected a modern system. But I guess they don't care to target modern systems. They are taking a look at the buffoon (in Yemen) that runs Windows XP or Windows 7 on a Core 2 Duo because "Windows 10 sux". There's another reason to join the rest of us in the 21st Century.
    Reply
  • Martell1977
    Nothing surprising here, in fact I kind of expected that the government was doing these things. I'm actually glad to see that they are re-purposing existing software instead of wasting a bunch of money to come up with their own that is just a duplicate of what is already there.
    Reply
  • cordes85
    its just hte same as every week there is an update on your iphone and when you look at what is the update you just get '(bug fixes)' how many bugs can there be, everytime my computer, phone or anything goes slow i know its not because of the components, i just type on the keynpsrd 'gchq or nsa can you stop spying' cant they do it at sleep time when i wont care?!
    Reply
  • troy_38
    you people understand wikileaks is basically the Russian FSB/GRU, huh?
    Reply
  • Tech_TTT
    19537216 said:
    you people understand wikileaks is basically the Russian FSB/GRU, huh?

    wikileak is a CIA project. FACT :)
    Reply
  • troy_38
    19537270 said:
    19537216 said:
    you people understand wikileaks is basically the Russian FSB/GRU, huh?

    wikileak is a CIA project. FACT :)

    Enjoy them rubles.
    Reply
  • Tech_TTT
    19537274 said:
    19537270 said:
    19537216 said:
    you people understand wikileaks is basically the Russian FSB/GRU, huh?

    wikileak is a CIA project. FACT :)

    Enjoy them rubles.

    They only leak what they allow you to know ... but the big deal is threatening world leaders to stay in place or Wiki leaks will expose their secrets without USA being a suspect :)

    and the other more important thing , once people trust wiki leaks ? they can tell any Lie they wish and people will believe it ...

    want to bet?

    let me ask you , where are the "leaks" about 911 ? or about "Israel" ?
    Reply
  • therealduckofdeath
    Who would have guessed, refusing to update your software makes your computer vulnerable to attacks?
    Reply
  • alextheblue
    19537552 said:
    Who would have guessed, refusing to update your software makes your computer vulnerable to attacks?
    Judging by the recurring posts I see on Windows/Microsoft articles, I think you'll find a vocal few actually have no idea this might be the case. Nay, some might even be offended at the deepest level by the mere suggestion that Win10 might be more secure than an out of date Win7 install. There could be protests and rioting if you keep up this written violence. Some even postulate that the updates in 10 are secretly ways to better spy on you.

    Nevermind the fact that there are levels to which you can dial down telemetry (even the useful kind) and disable digital assistants. With a little tweaking you can even disable all the telemetry/logging - even the most harmless basic Win9x-era offline userland logging. Just run Spy Disabler. It's practically a paranoid person's dream. Then I don't have to read the same posts about a subset of the telemetry Google has been collecting (and selling) for a decade.

    Speaking of which, with Android the only way to shut that stuff down would be to cook a custom ROM or use a trusted one that might be good... and with iOS good luck.
    Reply