Tag Archives: Surveillance & Reconniassance

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

In November 2014, Raytheon announced its acquisition of Blackbird Technologies. This acquisition expanded Raytheon’s special operations capabilities in several areas including:

  • Tactical Intelligence
  • Surveillance and reconnaissance
  • Secure tactical communications
  • Cybersecurity

Raytheon stated that their existing capabilities were now augmented by the Blackbird Technologies acquisition “across a broad spectrum of globally dispersed platforms and communications networks”. Blackbird Technologies was synergistic with Raytheon’s existing expertise and capabilities specifically in the areas of:

  • Sensors
  • Communications
  • Command & Control

This document dump contains suggested PoC’s for malware attack vectors. Raytheon Blackbird Technologies acted as a “kind of “technology scout” for the Remote Development Branch (RDB) of the CIA”.

They analysed malware attacks in the public domain and then gave the CIA recommendations for malware projects. These suggestions by RBT to the CIA were in line with the agencies stated objectives. These malware recommendations benefitted from data derived from “test deployments” in the field by other malware actors. Weaknesses in legacy deployments were assessed and designed out in the CIA versions.

The 19th July 2017 WikiLeaks release overview:

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field. Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Forty One (41) documents accompanied this release:

  1. 11 September, 2015 (S//NF) CSIT 15083 — HTTPBrowser
  2. 11 September, 2015 (S//NF) CSIT 15085 — NfLog
  3. 11 September, 2015 (S//NF) Symantec — Regin – Stealthy Surveillance
  4. 11 September, 2015 (S//NF) FireEye — HammerToss – Stealthy Tactics
  5. 11 September, 2015 (S//NF) VB — Gamker
  6. 4 September, 2015 (S//NF) SentinelOne – Rombertik
  7. 4 September, 2015 (S//NF) FireEye – Window into Russian Cyber Ops
  8. 4 September, 2015 (S//NF) MalwareBytes — HanJuan Drops New Tinba
  9. 4 September, 2015 (S//NF) Cisco — Rombertik
  10. 4 September, 2015 (S//NF) RSA — Terracotta VPN
  11. 28 August, 2015 (S//NF) Dell SecureWorks — Sakula
  12. 28 August, 2015 (S//NF) CSIT 15078 — Skipper Implant
  13. 28 August, 2015 (S//NF) Symantec — Evolution of Ransomware
  14. 28 August, 2015 (S//NF) CSIT 15079 — Cozy Bear
  15. 28 August, 2015 (U) McAfee DLL Hijack — PoC Report
  16. 28 August, 2015 (U) HeapDestroy – DLL Rootkit — PoC Report
  17. 21 August, 2015 (S//NF) TW — WildNeutron
  18. 21 August, 2015 (S//NF) NMehta — Theories on Persistence
  19. 21 August, 2015 (S//NF) CERT-EU — Kerberos Golden Ticket
  20. 21 August, 2015 (S//NF) VB Dridex 2015 — Dridex
  21. 14 August, 2015 (S//NF) Symantec — Black Vine
  22. 14 August, 2015 (S//NF) CSIR 15005 — Stalker Panda
  23. 14 August, 2015 (S//NF) CSIT 15016 — Elirks RAT
  24. 14 August, 2015 (S//NF) Eset — Liberpy
  25. 14 August, 2015 (S//NF) Eset — Potao
  26. 7 August, 2015 (U) Sinowal Web Form Scraping — PoC Report
  27. 7 August, 2015 (S//NF) MIRcon — Something About WMI
  28. 7 August, 2015 (U) PoC Report — Anti-Debugging and Anti-Emulation
  29. 7 August, 2015 (S//NF) SY 2015 — Butterfly Attackers
  30. 7 August, 2015 (S//NF) Symantec — ZeroAccess Indepth
  31. 7 August, 2015 (S//NF) CI 2015 — PlugX 7.0
  32. 7 August, 2015 (U) Mimikatz Password Scanning Analysis — PoC Report
  33. 7 August, 2015 (S//NF) TrendMicro — Understanding WMI Malware
  34. 4 August, 2015 (S//NF) CanSecWest 2013 — DEP/ASLR Bypass Without ROP/JIT
  35. 26 June, 2015 (U) Software Restriction Policy: A/V Disable — PoC Report
  36. 26 June, 2015 (U) WMI Persistence Proof of Concept — Supplemental Report
  37. 29 May, 2015 (U) Mimikatz PoC Report
  38. 29 May, 2015 (U) Pony / Fareit PoC Report
  39. 26 January, 2015 (U) SIRIUS Pique Proof-of-Concept Delivery — User-Mode DKOM — Final PoC Report
  40. 29 December, 2014 (U) SIRIUS Pique Proof-of-Concept Delivery — Direct Kernel Object Manipulation (DKOM) — Interim PoC Report
  41. 21 November, 2014 (U) Direct Kernel Object Manipulasiton (DKOM) — Proof-of-Concept (PoC) Outline 21 November, 2014

Previous and subsequent Vault 7 WikiLeaks CIA document dump synopses are available via the Quick Reference Resource: WikiLeaks CIA Vault 7 Leaks

ENDS