Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

WikiLeaks Details Malware Made by CIA and U.S. Security Firm

WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

While WikiLeaks has not made available the actual Athena tool, experts pointed out that the leaked documents include information on file and registry changes made by the implant, which can be useful for determining if a system has been compromised.

The documents also show that Athena was developed in collaboration with Siege Technologies, a U.S.-based company that provides offensive-driven cybersecurity solutions. The firm was acquired last year by Nehemiah Security.

WikiLeaks pointed to an email stolen from Italian spyware maker Hacking Team in which Siege Technologies founder Jason Syversen says he’s “more comfortable working on electronic warfare.”

Since March 8, when it first announced the Vault 7 files focusing on the CIA’s hacking capabilities, WikiLeaks has regularly published documents describing various implants allegedly used by the agency. The latest leaks have focused on Windows hacking tools, including for man-in-the-middle (MitM) attacks on the LAN, for hampering malware attribution and analysis, and creating custom malware installers.

Many of the tech companies whose tools are targeted by the Vault 7 exploits claimed their latest products are not affected. Only Cisco admitted finding a critical vulnerability that had exposed many of the company’s switches.

The Vault 7 files and the exploits leaked by the hacker group called Shadow Brokers, including ones used in the recent WannaCry ransomware attacks, have once again brought exploit stockpiling by governments into the spotlight.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” said Microsoft president and chief legal officer Brad Smith.

In response to concerns over the stockpiling of exploits, a group of U.S. lawmakers last week proposed a new bill, the “Protecting Our Ability to Counter Hacking Act of 2017” (PATCH Act), which aims to help find a balance between national security needs and public safety.

Related: WikiLeaks CIA Files Linked to Espionage Group

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.