
“Vault 7” Leak Shows CIA Learned From NSA Mistakes

WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.

Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”

The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.

Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.

“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one user wrote.

In addition to using the same custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, use of internal tool names in the code, and the use of a unique mutex.

“All their tools shared code. The custom RC5 was everywhere. The techniques for positive ID (hashing) were used in the same way in multiple tools across generations,” another user said.

“The shared code appears to be the largest single factor in allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I’m sure the [Computer Operations Group] infrastructure people are paying attention to this.”
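The attribution mechanism the thread describes, shared constants, mutex names, internal tool names and C&C domains tying separate tools to one operator, can be illustrated with a small clustering routine. The Python below is an added example, not code from the article or the leaked documents; the sample names, mutexes, domains and strings are constructed, and the only real values are the two RC5 key-schedule magic constants (0xB7E15163 and 0x9E3779B9), which are public and show how a "custom" cipher still leaves a recognisable fingerprint.

```python
from itertools import combinations

# Constructed artifact sets for four hypothetical samples (all values are
# invented for this example, not real indicators). Each set holds the kinds
# of reusable artifact the discussion names: crypto constants (here the two
# RC5 key-schedule magic numbers), a mutex name, an internal tool name
# string, a C&C domain and a common API import.
SAMPLES = {
    "A": {"const:B7E15163", "const:9E3779B9", "mutex:Global\\ex-mtx-1",
          "str:TOOL_ALPHA", "c2:one.example.invalid", "import:CreateMutexW"},
    "B": {"const:B7E15163", "const:9E3779B9", "mutex:Global\\ex-mtx-1",
          "str:TOOL_BETA", "c2:two.example.invalid", "import:CreateMutexW"},
    "C": {"const:B7E15163", "const:9E3779B9", "str:TOOL_GAMMA",
          "c2:one.example.invalid", "import:CreateMutexW"},
    "D": {"const:61C88647", "mutex:Global\\other-mtx", "str:UNRELATED",
          "c2:three.example.invalid", "import:CreateMutexW"},
}

def artifact_weights(samples):
    """Weight each artifact by rarity: 1 / (number of samples containing it).
    An artifact present in every sample (a common API import) barely counts;
    a custom constant or mutex shared by only a few samples counts a lot."""
    counts = {}
    for feats in samples.values():
        for f in feats:
            counts[f] = counts.get(f, 0) + 1
    return {f: 1.0 / n for f, n in counts.items()}

def link_score(a, b, weights):
    """Rarity-weighted Jaccard similarity of two artifact sets (0.0 to 1.0)."""
    return sum(weights[f] for f in a & b) / sum(weights[f] for f in a | b)

def cluster(samples, threshold):
    """Single-linkage clustering: link two samples whenever their score meets
    the threshold, then return the connected groups as sorted name tuples."""
    parent = {name: name for name in samples}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    weights = artifact_weights(samples)
    for x, y in combinations(samples, 2):
        if link_score(samples[x], samples[y], weights) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(tuple(sorted(g)) for g in groups.values())
```

With a threshold of 0.25, samples A, B and C fall into one group on the strength of the shared RC5 constants, mutex and C&C domain, while D, which shares only the ubiquitous API import, stays separate.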

The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.

Security firms have started assessing the impact of the exposed hacking capabilities. WikiLeaks has not released any exploits, which makes it difficult to determine exactly what the CIA programs are capable of. However, at first sight, the intelligence agency’s tools don’t appear to be very sophisticated.

Related: “Shadow Brokers” Claim Hack of NSA-Linked Equation Group

Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
