The CIA’s cozy malware relationship with defense contractor revealed

New documents released as part of the Vault7 CIA hacking series by WikiLeaks contain evidence of the CIA’s relationship with defense contractor Raytheon’s Blackbird Technologies.
Raytheon specializes in homeland security and defense technology. The company is also involved in weapons manufacturing, and is the company behind the Tomahawk missiles that were fired into Syria under orders from U.S. President Donald Trump.
The documents reveal that Blackbird Technologies was reporting to the spy agency’s Remote Development Branch’s UMBRAGE group about malware thought to have come from foreign governments, like Russia and China.

According to WikiLeaks’ Year Zero release, the CIA can hide its own fingerprints from its hacking exploits and attribute blame to other countries such as Russia and China.

The trail from Blackbird Technologies to the CIA starts in 2014, shortly after Raytheon purchased the company. At the time, Blackbird said that it would “expand its special operations capabilities in tactical intelligence, surveillance and reconnaissance, secure tactical communications and cybersecurity.”

Blackbird Technologies was a cyber security and surveillance company that supplied equipment for covert “tagging, tracking and locating” and counted US Special Operations Command as one of its biggest customers.

In an article posted on RT, it was reported that in 2011 a retired special operator described Blackbird Technologies’ work as being “heavily weighted towards the dark side.”

The documents included are assessments of malware, partly based on public documents from security researchers and private companies. Blackbird recommended whether the CIA should use the malware to develop its own projects.

NfLog – Remote Access Tool by Samurai Panda

A September 2015 report on a new variant of the NfLog Remote Access Tool (RAT) – a tool that gives an intruder administrative control over a target – IsSpace, used by SAMURAI PANDA, details how the malware, credited to the Chinese hacking group Samurai Panda, targets C2 servers to sniff user credentials.

On systems with a Windows Firewall “it will attempt to enumerate the basic authorization username and password used for most proxy authentications using HTTP.”

If NfLog sees a user has administrative privileges, it will attempt to give itself increased permissions.

HTTPBrowser by Emissary Panda

Another September 2015 document details a new variant of the HTTPBrowser Remote Access Tool used by Emissary Panda, thought to be another Chinese hacking group.

The RAT is deployed through an “unknown initial attack vector,” the document reads. It contains a self-extracting zip file which includes three files used to deploy the malware.

It captures keystrokes and writes them to a file. The document describes the RAT’s use of clear text as an indication of its “low level of sophistication” and says there are no new techniques worthy of a PoC.

Regin – Stealthy Surveillance

Regin is described as being a “very sophisticated malware sample” which has been observed in operation since 2013, but the September 2015 document adds that it may have been in use since 2008. The complex malware has been linked to GCHQ and the NSA.

The “target surveillance and data collection” malware has six stages of implementation.

The report’s author appears impressed by Regin, which the report commends for its “striking” modular architecture, its “flexibility” and its impressive stealthiness.

Regin allows for tailored attacks on different targets and has the ability to “hide itself from discovery.”

The report notes that it doesn’t contain details on how some aspects of Regin are implemented. “We assume bad actors have valid certs [for driver signing] but it’s not clear from the report,” it says.

Regin was discovered by Symantec, which described it as a trojan data collection tool that can take “screenshots and [take] control of the mouse’s point-and-click functions, steal passwords, monitor network traffic,” and scan for deleted files.

Symantec found it was likely created by a nation state.

HammerToss – Stealthy Tactics by Russians

A September 2015 report details HammerToss, a “suspected Russian State-sponsored malware” which leverages Twitter accounts, GitHub and cloud storage to “orchestrate command and control functions.”

HammerToss uses an algorithm to generate a new Twitter account name each day. When the attacker registers that account, the hacker posts a URL and hashtag, which direct the malware to a GitHub-hosted image that is downloaded and contains the commands.
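As an added example (not from the report or this article), the following detection heuristic flags the pattern described above in proxy logs: a client that, day after day, visits a never-before-seen Twitter profile and shortly afterwards fetches a GitHub-hosted image. The log format, regular expressions, thresholds and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed proxy log (not from the report): "<iso timestamp> <client> <url>"
SAMPLE_LOG = """\
2015-09-01T09:12:03 10.0.0.5 https://twitter.com/ab3f9c1d2e
2015-09-01T09:12:05 10.0.0.5 https://github.com/acct1/repo/raw/master/img1.png
2015-09-02T09:14:11 10.0.0.5 https://twitter.com/7c1e0aa4b9
2015-09-02T09:14:12 10.0.0.5 https://github.com/acct1/repo/raw/master/img2.png
2015-09-03T09:11:40 10.0.0.5 https://twitter.com/d09e4f1b33
2015-09-03T09:11:42 10.0.0.5 https://github.com/acct1/repo/raw/master/img3.png
2015-09-01T10:00:00 10.0.0.9 https://twitter.com/realnews
2015-09-02T10:05:00 10.0.0.9 https://twitter.com/realnews
2015-09-03T10:07:00 10.0.0.9 https://github.com/company/tool/raw/master/logo.png
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
TWITTER_RE = re.compile(r"^https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]+)/?$")
GITHUB_IMG_RE = re.compile(r"^https?://(?:raw\.githubusercontent\.com|github\.com)/.+\.(?:png|jpe?g|gif)$", re.I)

def parse_log(text):
    """Parse log lines into (timestamp, client, url) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def find_hammertoss_like(text, min_days=3, window_seconds=300):
    """Flag clients that, on at least min_days distinct days, visit a never-before-seen
    Twitter profile and then fetch a GitHub-hosted image within window_seconds."""
    by_client = defaultdict(list)
    for ts, client, url in parse_log(text):
        by_client[client].append((ts, url))
    hits = {}
    for client, evs in by_client.items():
        seen, pairs, pending = set(), [], None  # pending: (ts, handle) of last new profile
        for ts, url in evs:
            tm = TWITTER_RE.match(url)
            if tm:
                handle = tm.group(1).lower()
                pending = None if handle in seen else (ts, handle)  # repeats are not new
                seen.add(handle)
            elif pending and GITHUB_IMG_RE.match(url):
                if (ts - pending[0]).total_seconds() <= window_seconds:
                    pairs.append((pending[0].date().isoformat(), pending[1], url))
                pending = None
        if len({day for day, _, _ in pairs}) >= min_days:
            hits[client] = pairs
    return hits
```

In the constructed log only 10.0.0.5 matches; 10.0.0.9 revisits the same profile and its image fetch is not preceded by a new-profile visit, so it is not flagged.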

Gamker Trojan

Gamker is described as an information-stealing Trojan which steals information using simple decryption and injects itself into a different process.

Trojan malware is often disguised as regular software. Its self-code injection ensures nothing is written to disk. The report doesn’t say who is suspected of creating Gamker.