Security Experts:

WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

The whistleblower organization on Friday made public 676 source code files of the Marble Framework. According to WikiLeaks, version 1.0 of the framework was released in 2015, and the CIA has continued using it during 2016.

Files that appear to be part of the official Marble Framework documentation describe it as a framework “designed to allow for flexible and easy-to-use obfuscation when developing tools.” These types of techniques have been used by many malware developers to hinder researchers.

The first round of Vault 7 files released by WikiLeaks showed that the CIA learned from the NSA’s mistakes after the intelligence agency’s Equation Group was exposed by security researchers. CIA employees apparently determined that the use of custom cryptography was one of the NSA’s biggest mistakes, as it allowed researchers to link different pieces of malware to the same developer.

The Marble framework allows obfuscation of a tool using a random technique to prevent forensics investigators and security vendors from linking it to a specific developer. Marble users can also select the algorithm they want to use or configure the application to omit certain algorithms.

Charles R. Smith, CEO of Softwar Inc, pointed out that Marble leverages the Bouncy Castle cryptography APIs.

During its analysis of the Marble source code, WikiLeaks identified test examples written in Chinese, Russian, Korean, Arabic and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.

CIA obfuscation tool source code

“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks said. “But there are other possibilities, such as hiding fake error messages.”

The source code files made available by WikiLeaks also include a deobfuscation tool.

WikiLeaks has offered to share the exploits it has obtained with tech firms, but many companies have not agreed to the organization’s conditions. U.S. officials also hinted that using the leaked information could have legal repercussions.

While the available information has led to the discovery of some zero-day vulnerabilities, cybersecurity vendors and other tech companies determined that many of the flaws have already been patched. Last week, WikiLeaks published files focusing on Mac and iPhone exploits, but Apple claimed most of the security holes had been addressed.

The CIA has refused to comment on the authenticity of the leaked documents. However, the agency pointed out that its mission is to collect intelligence from overseas entities, and claimed that it does not spy on individuals in the U.S.

Related: Industry Reactions to CIA Hacking Tools

Related: Security Firms Assess Impact of CIA Leaks

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.