Security Experts:

CIA Tools for Stealing SSH Credentials Exposed by WikiLeaks

WikiLeaks has published documents detailing BothanSpy and Gyrfalcon, tools allegedly used by the U.S. Central Intelligence Agency (CIA) to steal SSH credentials from Windows and Linux systems.

A document dated March 2015 describes BothanSpy as a tool that steals credentials for active SSH sessions from Xshell, an SSH, telnet, and rlogin terminal emulator for Windows.

Using a mode dubbed by its developers “Fire and Collect,” BothanSpy collects SSH credentials and sends them to the attacker’s server without writing any data to the compromised machine’s disk. If the mode “Fire and Forget” is used, the stolen credentials are written to a file on the disk.

The other tool, Gyrfalcon 2.0, described in a document dated November 2013, is designed to steal SSH credentials from the OpenSSH client on Linux platforms.

Gyrfalcon is a library loaded into the OpenSSH client process address space. It collects OpenSSH session traffic, including usernames and passwords, compresses and encrypts the data, and stores it in a file. A third-party application is required to exfiltrate the file.

The documentation for Gyrfalcon 2.0 informed users that they must have a thorough understanding of the Linux/UNIX command line interface, and they must know standard procedures for masking their activity within certain shells.

Over the past months, as part of a leak dubbed “Vault 7,” WikiLeaks has described several tools allegedly used by the CIA. The list includes tools designed for redirecting traffic on Linux systems (OutlawCountry), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).

WikiLeaks has also exposed tools designed for replacing legitimate files with malware, hacking smart TVs, launching MitM attacks, making malware attribution and analysis more difficult, and creating custom malware installers.

Researchers have found links between the tools detailed by Wikileaks and the malware used by a cyber espionage actor named “Longhorn” and “The Lamberts.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.