BigBrother

Projects

PRISM

PRISM (a code name; the English word literally means "prism"), also known as US-948XN (the official name of the operation), is a secret security program of the United States National Security Agency, operating since 2007 and aimed at monitoring electronic communication. It is run under the Foreign Intelligence Surveillance Act (FISA), with oversight by the Foreign Intelligence Surveillance Court (FISC).

ECHELON

Echelon is the commonly used name for a system of facilities intended for intercepting and processing communications carried over communication satellites. The Echelon system is part of an extensive surveillance arrangement known as the UK-USA Security Agreement (also UKUSA), signed in 1947.

Frenchelon

Frenchelon is the nickname given to the French signals intelligence system, in reference to its Anglo-American counterpart ECHELON.

SORM

SORM (Russian: Система Оперативно-Розыскных Мероприятий, literally "System for Operative Investigative Activities") is a technical system for search and surveillance on the Internet. A Russian law passed in 1995 allows the FSB to monitor telephone and Internet communications.

NATGRID

The National Intelligence Grid, or NATGRID, is an integrated intelligence network connecting the databases of the core security agencies of the Government of India, in order to collect comprehensive intelligence patterns that intelligence agencies can access easily. It was first proposed in the aftermath of the 2008 terrorist attacks on Mumbai and had yet to be implemented as of 2014.

Great Cannon

The Great Cannon of China is an attack tool used to launch distributed denial-of-service attacks on websites by intercepting huge amounts of web traffic and redirecting it to the targeted websites.

Great Firewall of China

The Great Firewall of China is an attempt to regulate the Internet in mainland China. It is the main tool for achieving Internet censorship in China. The CCP's regulations include criminalizing certain online speech and activities, blocking selected websites from view, and filtering keywords out of searches initiated from computers located in mainland China.

CyberWeapons

Hive

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Angelfire

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant composed of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).

ExpressLane

Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services -- which include, among many others, the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

CouchPotato

Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.

Dumbo

Today, August 3rd 2017, WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations. Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system.

Imperial

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator-specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support - all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OS X 10.6 and 10.7.

UCL / Raytheon

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the "UMBRAGE Component Library" (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors - partly based on public documents from security researchers and private enterprises in the computer security field. Raytheon Blackbird Technologies acted as a kind of "technology scout" for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Highrise

Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

BothanSpy

Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.

OutlawCountry

Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for exfiltration and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even a system administrator.

Elsa

Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device - again using separate CIA exploits and backdoors.

Brutal Kangaroo

Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.

Cherry Blossom

CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.

Pandemic

Today, June 1st 2017, WikiLeaks publishes documents from the "Pandemic" project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. "Pandemic" targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).

Athena

Today, May 19th 2017, WikiLeaks publishes documents from the "Athena" project of the CIA. "Athena" - like the related "Hera" system - provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10). Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system. It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation.

AfterMidnight

"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via an HTTPS-based Listening Post (LP) system called "Octopus". Once installed on a target machine, AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

Archimedes

Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the redirecting of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target computer's web browser to an exploitation server while appearing as a normal browsing session.

Scribbles

Today, April 28th 2017, WikiLeaks publishes the documentation and source code for CIA's "Scribbles" project, a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March 1st, 2016 and classified SECRET//ORCON/NOFORN until 2066. Scribbles is intended for off-line preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."

Weeping Angel

Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data. The classification marks of the User Guide document hint that it was originally written by the British MI5/BTSS and later shared with the CIA. Both agencies collaborated on the further development of the malware and coordinated their work in Joint Development Workshops.

Hive

Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's HIVE project created by its "Embedded Development Branch" (EDB). HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.

Grasshopper

Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Marble Framework

Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble" -- 676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA. Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA. Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

Dark Matter

Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by the CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware. Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting", allowing an attacker to boot its attack software, for example from a USB stick, "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

CyberMalware

AR20-232A : MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN USA
AR20-216A : MAR-10292089-1.v1 – Chinese Remote Access Trojan: TAIDOOR USA
AR20-198C : MAR-10296782-3.v1 – WELLMAIL USA
AR20-198A : MAR-10296782-1.v1 – SOREFANG USA
AR20-198B : MAR-10296782-2.v1 – WELLMESS USA
AR20-133P : MIFR-10121050-1.v2 USA
AR20-133O : MIFR-10079683-1.v2 USA
AR20-133N : MIFR-10079682-1.v2 USA
AR20-133M : MIFR-10077745-1.v2 USA
AR20-133L : MIFR-10056799-1.v2 USA
AR20-133K : MIFR-10050855-1.v2 USA
AR20-133J : MIFR-10027371-1.v2 USA
AR20-133I : MIFR-00435108-1.v2 USA
AR20-133H : MAR-10285677-3.v1 USA
AR20-133G : MAR-10285677-2.v1 USA
AR20-133F : MAR-10238137-1.v2 USA
AR20-133A : MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE USA
AR20-133B : MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE USA
AR20-133C : MAR-10288834-3.v1 – North Korean Trojan: PEBBLEDASH USA
AR20-133E : MAR-10211350-1.v2 USA
AR20-133D : MAR-10160323-1.v2 USA
AR20-045G : MAR-10135536-8.v4 – North Korean Trojan: HOPLIGHT USA
AR20-045B : MAR-10265965-2.v1 – North Korean Trojan: SLICKSHOES USA
AR20-045C : MAR-10265965-3.v1 – North Korean Trojan: CROWDEDFLOUNDER USA
AR20-045D : MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT USA
AR20-045A : MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH USA
AR19-304A : MAR-10135536-8 – North Korean Trojan: HOPLIGHT USA
AR20-045E : MAR-10271944-2.v1 – North Korean Trojan: ARTFULPIE USA
AR20-045F : MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE USA
AR19-252A : MAR-10135536-10 – North Korean Trojan: BADCALL USA
AR19-252B : MAR-10135536-21 – North Korean Proxy Malware: ELECTRICFISH USA
AR19-133A : Microsoft Office 365 Security Observations USA
AR19-129A : MAR-10135536-21 – North Korean Tunneling Tool: ELECTRICFISH USA
AR19-100A : MAR-10135536-8 – North Korean Trojan: HOPLIGHT USA
AR18-352A : Quasar Open-Source Remote Administration Tool USA
AR18-337C : MAR-10158513.r1.v1 – SamSam3 USA
AR18-337B : MAR-10166283.r1.v1 – SamSam2 USA
AR18-337A : MAR-10219351.r1.v2 – SamSam1 USA
AR18-337D : MAR-10164494.r1.v1 – SamSam4 USA
AR18-312A : JexBoss – JBoss Verify and EXploitation Tool USA
AR18-275A : MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware USA
MAR-10135536-17 – North Korean Trojan: KEYMARBLE USA
MAR-10135536-12 – North Korean Trojan: TYPEFRAME USA
MAR-10135536-3 - HIDDEN COBRA RAT/Worm USA