Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

CIA Tools for Stealing SSH Credentials Exposed by WikiLeaks

WikiLeaks has published documents detailing BothanSpy and Gyrfalcon, tools allegedly used by the U.S. Central Intelligence Agency (CIA) to steal SSH credentials from Windows and Linux systems.

WikiLeaks has published documents detailing BothanSpy and Gyrfalcon, tools allegedly used by the U.S. Central Intelligence Agency (CIA) to steal SSH credentials from Windows and Linux systems.

A document dated March 2015 describes BothanSpy as a tool that steals credentials for active SSH sessions from Xshell, an SSH, telnet, and rlogin terminal emulator for Windows.

Using a mode dubbed by its developers “Fire and Collect,” BothanSpy collects SSH credentials and sends them to the attacker’s server without writing any data to the compromised machine’s disk. If the mode “Fire and Forget” is used, the stolen credentials are written to a file on the disk.

The other tool, Gyrfalcon 2.0, described in a document dated November 2013, is designed to steal SSH credentials from the OpenSSH client on Linux platforms.

Gyrfalcon is a library loaded into the OpenSSH client process address space. It collects OpenSSH session traffic, including usernames and passwords, compresses and encrypts the data, and stores it in a file. A third-party application is required to exfiltrate the file.

The documentation for Gyrfalcon 2.0 informed users that they must have a thorough understanding of the Linux/UNIX command line interface, and they must know standard procedures for masking their activity within certain shells.

Over the past months, as part of a leak dubbed “Vault 7,” WikiLeaks has described several tools allegedly used by the CIA. The list includes tools designed for redirecting traffic on Linux systems (OutlawCountry), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).

WikiLeaks has also exposed tools designed for replacing legitimate files with malware, hacking smart TVs, launching MitM attacks, making malware attribution and analysis more difficult, and creating custom malware installers.

Researchers have found links between the tools detailed by Wikileaks and the malware used by a cyber espionage actor named “Longhorn” and “The Lamberts.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...