WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.
Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”
The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.
Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.
“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one user wrote.
In addition to using the same custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, use of internal tool names in the code, and the use of a unique mutex.
“All their tools shared code. The custom RC5 was everywhere. The techniques for positive ID (hashing) was used in the same way in multiple tools across generations,” another user said.
“The shared code appears to be the largest single factor is allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I'm sure the [Computer Operations Group] infrastructure people are paying attention to this.”
The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.
Security firms have started assessing the impact of the exposed hacking capabilities. WikiLeaks has not released any exploits, which makes it difficult to determine exactly what the CIA programs are capable of. However, at first sight, the intelligence agency’s tools don’t appear to be very sophisticated.