Documents published by WikiLeaks on Thursday provide details on a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack routers and access points.
Dubbed CherryBlossom, the tool is described by its developers as a system designed for monitoring a target’s Internet activity and delivering software exploits via wireless networking devices. WikiLeaks said the tool was developed and implemented by the CIA with the help of a US-based nonprofit research center called SRI International.
The leaked documents show that the tool has been under development since at least 2006 and at one point it worked on roughly 200 device models from more than 20 vendors, including 3Com, Accton, Cisco, Ambit, AMIT, Asus, Apple, Breezecom, D-Link, Gemtek, Global Sun, Linksys, Orinoco, Planet Tec, Senao, US Robotics and Z-Com.
The main component of CherryBlossom is Flytrap, the implant deployed on the targeted device. Documentation made available by WikiLeaks shows that this implant can be delivered through several methods. One method involves a tool called Claymore, which allows users to remotely deliver a firmware update containing the implant.
The implant can also be delivered via the targeted device’s firmware upgrade functionality, a method that requires knowledge of the administrator password and wireless security credentials. Flytrap can also be deployed using a specialized wireless upgrade package that works on some devices that don’t allow wireless firmware updates, and via physical access to the targeted router – typically via the supply chain.
Once the implant is in place, it communicates with a command and control (C&C) server dubbed CherryTree. Flytrap is controlled via a web-based user interface named CherryWeb.
Users can instruct the implant to harvest email addresses, VoIP numbers and chat usernames, copy network traffic, redirect the browser, proxy the victim’s network connection, and execute other applications.
WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” nearly every week since March 23. The tools exposed by the whistleblower organization include ones designed for replacing legitimate files with malware, hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.
Symantec and Kaspersky have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”
Related Reading: If the CIA Isn’t Secure, Who Is?
Related Reading: Industry Reactions to CIA Hacking Tools

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- Cybersecurity M&A Roundup: 28 Deals Announced in September 2023
- Companies Address Impact of Exploited Libwebp Vulnerability
- Number of Internet-Exposed ICS Drops Below 100,000: Report
- Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks
- Recently Patched TeamCity Vulnerability Exploited to Hack Servers
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
Latest News
- Synqly Joins Race to Fix Security, Infrastructure Product Integrations
- ZDI Discusses First Automotive Pwn2Own
- Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
- US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
- Actor Tom Hanks Warns of Ad With AI Imposter
- Network, Meet Cloud; Cloud, Meet Network
- Dozens of Malicious NPM Packages Steal User, System Data
- Motel One Discloses Ransomware Attack Impacting Customer Data
