It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Exactly, apparently liberals think Russians are herp-derps when it comes to hacking.
originally posted by: andrew778
a reply to: DJW001
You're delusional. I don't read ATS very often because of idiotic statements made by complete fools. It's sad that this site is attracting people like you. It's so obvious Russia had nothing to do with this and the people who continually push that they did are the same people who are ruining this world.
originally posted by: theultimatebelgianjoke
a reply to: TrueBrit
In case someone suggests the Russians hacked the CIA :
Former CIA Deputy Director Mike Morell: CIA leak 'absolutely' an 'inside job'
originally posted by: theultimatebelgianjoke
Your neo-McCarthyism has reached pathological levels.
7 April, 2017
Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper" -- 27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.
Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.
Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like 'MS Security Essentials', 'Rising', 'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.
One of the persistence mechanisms used by the CIA here is 'Stolen Goods' - whose "components were taken from malware known as Carberp, a suspected Russian organized crime rootkit." confirming the recycling of malware found on the Internet by the CIA. "The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.". While the CIA claims that "[most] of Carberp was not used in Stolen Goods" they do acknowledge that "[the] persistence method, and parts of the installer, were taken and modified to fit our needs", providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the italian company "HackingTeam".
The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise
Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's HIVE project created by its "Embedded Development Branch" (EDB).
HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.
Anti-Virus companies and forensic experts have noticed that some possible state-actor malware used such kind of back-end infrastructure by analyzing the communication behaviour of these specific implants, but were unable to attribute the back-end (and therefore the implant itself) to operations run by the CIA. In a recent blog post by Symantec, that was able to attribute the "Longhorn" activities to the CIA based on the Vault 7, such back-end infrastructure is described:
For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.