Featured post

Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to external references and sources including The Hacker News (Twitter @TheHackersNews), HackRead (Twitter @HackRead), and Pierluigi Paganini at “Security Affairs”; 
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. How these posts will evolve over time:
    1. The first post will be a generic description of each leak including 1-3 above; 
    2. Content will be added over time and date-stamped to include:
      1. Articles, external resources, and commentary that augment the knowledge base with respect to the basic content of each leak; 
      2. Advice on counter-measures / new research; 
      3. Analysis and examples of the subsequent deployment (in the original form or altered) of these hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;
      4. Other information that does not emanate from generic or main stream media sources; 

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  

ENDS

Lyrics for a Surveillance Society – The Hacking Suite for Governmental Interception

Lyrics by Hacking Team. Music by Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense.

Criminals and terrorists rely on mobile phones, tablets, lap tops and computers equipped with universal end-to-end encryption to hide their activity. Their secret communications and encrypted files can be critical to investigating, preventing and prosecuting crime. Hacking Team provides law enforcement an effective, easy-to-use solution. Law enforcement and intelligence communities worldwide rely on Hacking Team in their mission to keep citizens safe. The job has never been more challenging or more important.

You have new challenges today

Sensitive data is transmitted over encrypted channels

Often the information you want is not transmitted at all

Your target may be outside your monitoring domain

Is passive monitoring enough?

You need more ….

You want to look through your target’s eyes

You have to hack your target

While your target is …. Browsing the web, Exchanging documents, Receiving SMS, Crossing the borders

You have to hit many different platforms – Windows, OS X, Linux, Android, iOS, Blackberry, Windows Phone, Symbian

You have to overcome encryption and capture relevant data – Skype & Voice Calls, Social Media, Target Location, Messaging, Relationship, Audio & Video

Being stealth and untraceable

Immune to protection systems

Hidden collection infrastructure

Deployed all over your country

Up to hundreds of thousands of targets

All managed from a single place

Exactly what we do

Remote Control System – Galileo – The Hacking Suite for Governmental Interception

Hacking Team – Rely On Us

ENDS

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera has a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real-time and apply the right security measure so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies. Monitors risk level, threat activities and security posture per device and deploys countermeasures.

The company is run by Omri Lavie (NSO Group of Pegagus spying platform fame) and his co-entrepreneur Shalev Hulio also founded Kaymera.

They are ostensibly solving the exact problems that NSO Group created with a super-secure phone for government officials. The CEO of Kaymera is Avi Rosen, former head of RSA’s Online Threats Managed Services group. The Kaymera offices are next door to NSO Group.

Any thoughts welcome.

ENDS.

Using Stylometry DHS have id’d Bitcoin creator Nakamoto with help from NSA PRISM & MUSCULAR programs

Allegedly using word surveillance and stylometry the effort took less than a month. Apparently using encryption and complex obfuscation methods is not a defence when the “seeker” has access to trillions of writing samples from a billion or so people across the globe.

By taking Satoshi’s texts and finding the 50 most common words, the NSA was able to break down his text into 5,000 word chunks and analyse each to find the frequency of those 50 words. This would result in a unique 50-number identifier for each chunk. The NSA then placed each of these numbers into a 50-dimensional space and flatten them into a plane using principal components analysis. The result is a ‘fingerprint’ for anything written by Satoshi that could easily be compared to any other writing.

It is worth noting that the original post is littered with comments that request more details on the source of the information that informed the post or some other such proof of the veracity of the claims being made but the author declared in response:

Many readers have asked that I provide third party citations to ‘prove’ the NSA identified Satoshi using stylometry. Unfortunately, I cannot as I haven’t read this anywhere else — hence the reason I wrote this post. I’m not trying to convince the reader of anything, instead my goal is to share the information I received and make the reader aware of the possibility that the NSA can easily determine the authorship of any email through the use of their various sources, methods, and resources.

Many readers have asked who Satoshi is and I’ve made it clear that information wasn’t shared with me. Based on my conversation I got the impression (never confirmed) that he might have been more than one person. This made me think that perhaps the Obama administration was right that Bitcoin was created by a state actor. One person commented on this post that Satoshi was actually four people. Again, I have no idea.

If it is true then “The moral of the story? You can’t hide on the internet anymore. Your sentence structure and word use is MORE unique than your own fingerprint. If an organization, like the NSA, wants to find you [sic] they will.

Full story by Alexander Muse is on Medium.

ENDS

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

CouchPotato enabled CIA agents to remotely use the tool to stealthily collect RTSP/H.264 video streams (RTSP/H.264: Real Time Streaming Protocol is a network control protocol designed for use in entertainment and communication systems and is a control mechanism for streaming media servers).

The tool provided CIA operatives with a number of options:

  • Collect the media stream as a video file (AVI);
  • Capture still images (JPG) of frames from the media stream;
    • This function was capable of being triggered only when there was change (threshold setting) in the pixel count from the previous capture;

The tool uses FFmpeg to encode and decode video and images and Real Time Streaming Protocol connectivity. The CouchPotato tool works stealthily without leaving any evidence on the attacked systems facilitated by ICE v3 “Fire and Collect” loader.

This is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.

Neither Wikileaks, nor the leaked user guide explains how the agency penetrates the attacked systems, but as many CIA malware, exploits and hacking tools have already leaked in the Vault 7 publications, the agency has probably used CouchPotato in combination with other tools.” – TAD Group

The 10th August 2017 WikiLeaks release overview:

“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”

One document was published alongside this release:

CouchPotato v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

In November 2014, Raytheon announced its acquisition of Blackbird Technologies. This acquisition expanded Raytheon’s special operations capabilities in several areas including:

  • Tactical Intelligence
  • Surveillance and reconnaissance
  • Secure tactical communications
  • Cybersecurity

Raytheon stated that their existing capabilities were now augmented by the Blackbird Technologies acquisition “across a broad spectrum of globally dispersed platforms and communications networks”. Blackbird Technologies was synergistic with Raytheon’s existing expertise and capabilities specifically in the areas of:

  • Sensors
  • Communications
  • Command & Control

This document dump contains suggested PoC’s for malware attack vectors. Raytheon Blackbird Technologies acted as a “kind of “technology scout” for the Remote Development Branch (RDB) of the CIA”.

They analysed malware attacks in the public domain and then gave the CIA recommendations for malware projects. These suggestions by RBT to the CIA were in line with the agencies stated objectives. These malware recommendations benefitted from data derived from “test deployments” in the field by other malware actors. Weaknesses in legacy deployments were assessed and designed out in the CIA versions.

The 19th July 2017 WikiLeaks release overview:

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field. Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Forty One (41) documents accompanied this release:

  1. 11 September, 2015 (S//NF) CSIT 15083 — HTTPBrowser
  2. 11 September, 2015 (S//NF) CSIT 15085 — NfLog
  3. 11 September, 2015 (S//NF) Symantec — Regin – Stealthy Surveillance
  4. 11 September, 2015 (S//NF) FireEye — HammerToss – Stealthy Tactics
  5. 11 September, 2015 (S//NF) VB — Gamker
  6. 4 September, 2015 (S//NF) SentinelOne – Rombertik
  7. 4 September, 2015 (S//NF) FireEye – Window into Russian Cyber Ops
  8. 4 September, 2015 (S//NF) MalwareBytes — HanJuan Drops New Tinba
  9. 4 September, 2015 (S//NF) Cisco — Rombertik
  10. 4 September, 2015 (S//NF) RSA — Terracotta VPN
  11. 28 August, 2015 (S//NF) Dell SecureWorks — Sakula
  12. 28 August, 2015 (S//NF) CSIT 15078 — Skipper Implant
  13. 28 August, 2015 (S//NF) Symantec — Evolution of Ransomware
  14. 28 August, 2015 (S//NF) CSIT 15079 — Cozy Bear
  15. 28 August, 2015 (U) McAfee DLL Hijack — PoC Report
  16. 28 August, 2015 (U) HeapDestroy – DLL Rootkit — PoC Report
  17. 21 August, 2015 (S//NF) TW — WildNeutron
  18. 21 August, 2015 (S//NF) NMehta — Theories on Persistence
  19. 21 August, 2015 (S//NF) CERT-EU — Kerberos Golden Ticket
  20. 21 August, 2015 (S//NF) VB Dridex 2015 — Dridex
  21. 14 August, 2015 (S//NF) Symantec — Black Vine
  22. 14 August, 2015 (S//NF) CSIR 15005 — Stalker Panda
  23. 14 August, 2015 (S//NF) CSIT 15016 — Elirks RAT
  24. 14 August, 2015 (S//NF) Eset — Liberpy
  25. 14 August, 2015 (S//NF) Eset — Potao
  26. 7 August, 2015 (U) Sinowal Web Form Scraping — PoC Report
  27. 7 August, 2015 (S//NF) MIRcon — Something About WMI
  28. 7 August, 2015 (U) PoC Report — Anti-Debugging and Anti-Emulation
  29. 7 August, 2015 (S//NF) SY 2015 — Butterfly Attackers
  30. 7 August, 2015 (S//NF) Symantec — ZeroAccess Indepth
  31. 7 August, 2015 (S//NF) CI 2015 — PlugX 7.0
  32. 7 August, 2015 (U) Mimikatz Password Scanning Analysis — PoC Report
  33. 7 August, 2015 (S//NF) TrendMicro — Understanding WMI Malware
  34. 4 August, 2015 (S//NF) CanSecWest 2013 — DEP/ASLR Bypass Without ROP/JIT
  35. 26 June, 2015 (U) Software Restriction Policy: A/V Disable — PoC Report
  36. 26 June, 2015 (U) WMI Persistence Proof of Concept — Supplemental Report
  37. 29 May, 2015 (U) Mimikatz PoC Report
  38. 29 May, 2015 (U) Pony / Fareit PoC Report
  39. 26 January, 2015 (U) SIRIUS Pique Proof-of-Concept Delivery — User-Mode DKOM — Final PoC Report
  40. 29 December, 2014 (U) SIRIUS Pique Proof-of-Concept Delivery — Direct Kernel Object Manipulation (DKOM) — Interim PoC Report
  41. 21 November, 2014 (U) Direct Kernel Object Manipulasiton (DKOM) — Proof-of-Concept (PoC) Outline 21 November, 2014

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

 

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. *

Vault7 Projects - Images - AAC Dumbo - PAG

The 3rd August 2017 WikiLeaks release overview:

Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation. Dumbo is run by the field agent directly from an USB stick; it requires administrator privileges to perform its task. It supports 32bit Windows XP, Windows Vista, and newer versions of Windows operating system. 64bit Windows XP, or Windows versions prior to XP are not supported.

Log Excerpt:

Vault7 Projects - Images - AAC Dumbo - LOG

Eight documents were also published alongside this release:

Dumbo v3.0 — Field Guide

Dumbo v3.0 — User Guide

Dumbo v2.0 — Field Guide

Dumbo v2.0 — User Guide

Dumbo v1.0 — TDR Briefing

Dumbo v1.0 — User Guide

Dumbo Epione v1.0 — TDR Briefing

Dumbo Epione v1.0 — User Guide

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS 

Hacking EirGrid: NCSC MiA, GCHQ Inertia, US Data Centres, & Creating Backdoors to UK/EU Grid

This post was first published by me on Peerlyst on 7th August 2017.

This hack took place last April (2017) but the details are only emerging now. Hackers compromised EirGrid’s routers at Vodafone’s Direct Internet Access (DIA) service at Shotton, Wales. The MITM “virtual wire tap” then intercepted unencrypted messages between EirGrid and SONI (EirGrid NI). Firmware and files were copied from the compromised router devices but there is no estimate as to the scale of the breach or the magnitude of the data that was stolen.

The Role of NCSC & GCHQ

An informed source has confirmed to AirGap Anonymity Collective that this hack was going on for some time before it was “detected” and before EirGrid were informed – that was already reported.

However, the same source is also of the opinion that the UK’s National Cyber Security Centre – part of GCHQ – instructed Vodafone not to tell EirGrid of the breach – while they tried to ascertain who the perpetrators were (understandable) but that this was for an unreasonably extended period of time.

The source is not clear on what portion of the estimated nine weeks of the hack overlapped with GCHQ’s attempts to identify the hackers.

Where was Ireland’s National Cyber Security Centre while all of this was going on?

The Irish National Cyber Security Centre (NCSC) & Computer Security Incident Response Team (CSIRT)

Formally established in 2015. Together with the (CSIRT), they have responsibility for Ireland’s national cyber security defences. They say:

“The global cybersecurity threat landscape continues to pose an immense challenge. As part of wider efforts to address these security threats, the Directive on Security of Network and Information Systems (NIS Directive) was approved in July 2016. Member States have until May 2018 to implement the NIS Directive, with both the NCSC and CSIRT playing a critical role in this regard.”

Seán Kyne – Minister of State for Community Development, Natural Resources & Digital Development – discussed the NCSC’s objectives, and offered his thoughts on the nature of the digital security threat to the public and private sector alike in a press conference last month.

INCSC

EirGrid & UK Energy Policy

The UK has become increasingly reliant on off-shore wind farms and it’s power needs are augmented by the purchase of power generated in the Irish Midlands. Irish supplied power is key to the UK meeting its projected 2020 energy needs. The Irish supply is seeking to generate circa 3GW for the UK market.

The Irish national grid is managed by a company called EirGrid. They took over the Irish national grid in 2006 from ESB (the Electricity Supply Board). They own all of the physical electricity transmission assets in the country (about 7000kms of cable (fact check)).

As such, they run a monopoly and nearly all of the large independent generators (Airtricity, Synergen (70% EirGrid) Viridian and others) connect to the transmission system and utilise it to transport their power to all regions and abroad. They also operate the wholesale power market and operate (and own) the 500 MW East–West Interconnector, linking the Irish power system to Great Britain’s grid.

Last month the operator was awarded over €20 million by the EU to fund research into the deployment of renewable energy. Ireland’s own target, set out by the European Union, is to secure 40% of its electricity from renewable sources by 2020.

“We won’t have enough renewable energy left over to export to the UK without completing some specific projects, such as the proposed Midlands development,” according to Fintan Slye (EirGrid CEO). “There are sufficient renewable projects in train to meet the 2020 targets, but it’ll still be challenging. There are 2,000MW connected across the island – we need to get that to over 4,000MW by 2020.”

The EU is also funding a France-Ireland power link (that bypasses the UK) via an undersea cable as an “obvious solution” to Ireland’s energy reliance on a post-Brexit United Kingdom.

Motives – All Those Data Centres in Ireland & A BackDoor to the EU/UK Grids 

IE DCs

Extract from EirGrid Group All-Island Generation Capacity Statement 2016-2025:

“2.2(d) Data Centres in IrelandA key driver for electricity demand in Ireland for the next number of years is the connection of large data centres.Whether connecting directly to the transmission system or to the distribution network, there is presently about 250 MVA of installed data centres in Ireland. Furthermore, there are connection offers in place (or in the connection process) for approximately a further 600 MVA. At present, there are enquires for another 1,100 MVA. This possibility of an additional 1700 MVA of demand is significant in the context of a system with a peak demand in 2014/15 of about 4700 MW (where it would add 35%). In forecasting future demand, we need to appreciate that data centres normally have a flat demand profile.”

Culprits

Lots but the most likely candidate for this hack is Russia – why? Because I cast lots, sacrificed a chicken, and got my Tarot cards read. And also …

Irish energy networks being targeted by hackers – Hackers have targeted Irish energy networks amid warnings over the potential impact of intensifying cyber attacks on crucial infrastructure. Senior engineers at the Electricity Supply Board (ESB), which supplies both Northern Ireland and the Republic, were sent personalised emails containing malicious software by a group linked to Russia’s GRU intelligence agency, reported.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center, which distributes power to the region’s residents, operators too were nearing the end of their shift.
Ukraine power cut ‘was cyber-attack’ – BBC News – A power cut that hit part of the Ukrainian capital, Kiev, in December has been judged a cyber-attack by researchers investigating the incident. The blackout lasted just over an hour and started just before midnight on 17 December. The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.
Hackers targeting UK energy grid, GCHQ warns – Hackers may have compromised Britain’s energy grid, GCHQ has said as it warned that cyber criminals are targeting the country’s energy sector. The security agency said industrial control systems may have already been the victim of attacks by nation state hackers.

 

ENDS