Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CIA Router Hacking Tool Exposed by WikiLeaks

Documents published by WikiLeaks on Thursday provide details on a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack routers and access points.

Documents published by WikiLeaks on Thursday provide details on a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack routers and access points.

Dubbed CherryBlossom, the tool is described by its developers as a system designed for monitoring a target’s Internet activity and delivering software exploits via wireless networking devices. WikiLeaks said the tool was developed and implemented by the CIA with the help of a US-based nonprofit research center called SRI International.

The leaked documents show that the tool has been under development since at least 2006 and at one point it worked on roughly 200 device models from more than 20 vendors, including 3Com, Accton, Cisco, Ambit, AMIT, Asus, Apple, Breezecom, D-Link, Gemtek, Global Sun, Linksys, Orinoco, Planet Tec, Senao, US Robotics and Z-Com.

The main component of CherryBlossom is Flytrap, the implant deployed on the targeted device. Documentation made available by WikiLeaks shows that this implant can be delivered through several methods. One method involves a tool called Claymore, which allows users to remotely deliver a firmware update containing the implant.

The implant can also be delivered via the targeted device’s firmware upgrade functionality, a method that requires knowledge of the administrator password and wireless security credentials. Flytrap can also be deployed using a specialized wireless upgrade package that works on some devices that don’t allow wireless firmware updates, and via physical access to the targeted router – typically via the supply chain.

Once the implant is in place, it communicates with a command and control (C&C) server dubbed CherryTree. Flytrap is controlled via a web-based user interface named CherryWeb.

CherryBlossom CIA hacking tool

Users can instruct the implant to harvest email addresses, VoIP numbers and chat usernames, copy network traffic, redirect the browser, proxy the victim’s network connection, and execute other applications.

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” nearly every week since March 23. The tools exposed by the whistleblower organization include ones designed for replacing legitimate files with malware, hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Advertisement. Scroll to continue reading.

Symantec and Kaspersky have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”

Related Reading: If the CIA Isn’t Secure, Who Is?

Related Reading: Industry Reactions to CIA Hacking Tools

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.