Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

The whistleblower organization on Friday made public 676 source code files of the Marble Framework. According to WikiLeaks, version 1.0 of the framework was released in 2015, and the CIA has continued using it during 2016.

Files that appear to be part of the official Marble Framework documentation describe it as a framework “designed to allow for flexible and easy-to-use obfuscation when developing tools.” These types of techniques have been used by many malware developers to hinder researchers.

The first round of Vault 7 files released by WikiLeaks showed that the CIA learned from the NSA’s mistakes after the intelligence agency’s Equation Group was exposed by security researchers. CIA employees apparently determined that the use of custom cryptography was one of the NSA’s biggest mistakes, as it allowed researchers to link different pieces of malware to the same developer.

The Marble framework allows obfuscation of a tool using a random technique to prevent forensics investigators and security vendors from linking it to a specific developer. Marble users can also select the algorithm they want to use or configure the application to omit certain algorithms.

Charles R. Smith, CEO of Softwar Inc, pointed out that Marble leverages the Bouncy Castle cryptography APIs.

During its analysis of the Marble source code, WikiLeaks identified test examples written in Chinese, Russian, Korean, Arabic and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.

CIA obfuscation tool source code

“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks said. “But there are other possibilities, such as hiding fake error messages.”

Advertisement. Scroll to continue reading.

The source code files made available by WikiLeaks also include a deobfuscation tool.

WikiLeaks has offered to share the exploits it has obtained with tech firms, but many companies have not agreed to the organization’s conditions. U.S. officials also hinted that using the leaked information could have legal repercussions.

While the available information has led to the discovery of some zero-day vulnerabilities, cybersecurity vendors and other tech companies determined that many of the flaws have already been patched. Last week, WikiLeaks published files focusing on Mac and iPhone exploits, but Apple claimed most of the security holes had been addressed.

The CIA has refused to comment on the authenticity of the leaked documents. However, the agency pointed out that its mission is to collect intelligence from overseas entities, and claimed that it does not spy on individuals in the U.S.

Related: Industry Reactions to CIA Hacking Tools

Related: Security Firms Assess Impact of CIA Leaks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.