WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.

The whistleblower organization on Friday made public 676 source code files of the Marble Framework. According to WikiLeaks, version 1.0 of the framework was released in 2015, and the CIA continued to use it through 2016.

Files that appear to be part of the official Marble Framework documentation describe it as a framework “designed to allow for flexible and easy-to-use obfuscation when developing tools.” These types of techniques have been used by many malware developers to hinder researchers.

The first round of Vault 7 files released by WikiLeaks showed that the CIA learned from the NSA’s mistakes after the intelligence agency’s Equation Group was exposed by security researchers. CIA employees apparently determined that the use of custom cryptography was one of the NSA’s biggest mistakes, as it allowed researchers to link different pieces of malware to the same developer.

The Marble framework obfuscates a tool using a randomly selected technique, so that forensic investigators and security vendors cannot link it to a specific developer. Marble users can also select the algorithm they want to use, or configure the application to omit certain algorithms.
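The two paragraphs above make an attribution argument: a hand-rolled obfuscation routine with fixed constants recurs in every build and lets analysts tie samples to one developer, while randomising the scheme per build removes that link. The following Python is an added illustration of that argument, not code from the article or from the Marble Framework; the XOR table scheme, the sample layout and all sample contents are constructed for the example.

```python
# Added example (not from the article, not Marble's code): a fixed obfuscation
# constant shared across builds links two samples; a per-build constant does not.

def xor_table(data: bytes, table: bytes) -> bytes:
    """Toy rolling-XOR string obfuscation keyed by a byte table."""
    return bytes(b ^ table[i % len(table)] for i, b in enumerate(data))

def build_sample(strings: list[bytes], table: bytes) -> bytes:
    """Stand-in for a compiled tool: the key table is embedded (as it would be
    in code or .rdata) next to the NUL-terminated strings it protects."""
    body = b"".join(xor_table(s, table) + b"\x00" for s in strings)
    return b"MZ\x90\x00" + table + body

def ngrams(data: bytes, n: int) -> set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def shared_runs(a: bytes, b: bytes, n: int = 16) -> set[bytes]:
    """Byte runs of length n present in both samples: the crude check an
    analyst runs to spot a reused routine or constant."""
    return ngrams(a, n) & ngrams(b, n)

def similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard overlap of byte 8-grams between two samples."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0

# One developer, one table baked into every build ("custom crypto" constant).
FIXED_TABLE = bytes.fromhex("5ac31e77902be408d16f33aa4cf51986")
# A per-build table, as a scheme that picks a fresh technique per tool would
# produce (hard-coded here so the example is deterministic).
PER_BUILD_TABLE = bytes.fromhex("0f9a62d4c18b37e5a0f41c6d2b8e9357")

# Constructed samples: A and B differ in content but share the constant;
# C has A's content but a per-build constant.
SAMPLE_A = build_sample([b"settings.ini", b"Mozilla/5.0 (compatible)"], FIXED_TABLE)
SAMPLE_B = build_sample([b"status: ok", b"upload complete"], FIXED_TABLE)
SAMPLE_C = build_sample([b"settings.ini", b"Mozilla/5.0 (compatible)"], PER_BUILD_TABLE)

def attribution_report() -> dict:
    """Which pairs can be linked through a shared 16-byte constant."""
    return {
        "a_b_shared_table": FIXED_TABLE in shared_runs(SAMPLE_A, SAMPLE_B),
        "a_c_shared_table": FIXED_TABLE in shared_runs(SAMPLE_A, SAMPLE_C),
        "a_b_similarity": round(similarity(SAMPLE_A, SAMPLE_B), 3),
        "a_c_similarity": round(similarity(SAMPLE_A, SAMPLE_C), 3),
    }

if __name__ == "__main__":
    print(attribution_report())
```

Samples A and B share nothing but the table and are still linked; sample C carries the same strings as A yet shares no constant with it, which is the effect a per-build randomised scheme aims for.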

Charles R. Smith, CEO of Softwar Inc, pointed out that Marble leverages the Bouncy Castle cryptography APIs.

During its analysis of the Marble source code, WikiLeaks identified test examples written in Chinese, Russian, Korean, Arabic and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.

[Image: CIA obfuscation tool source code]

“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks said. “But there are other possibilities, such as hiding fake error messages.”

The source code files made available by WikiLeaks also include a deobfuscation tool.

WikiLeaks has offered to share the exploits it has obtained with tech firms, but many companies have not agreed to the organization’s conditions. U.S. officials also hinted that using the leaked information could have legal repercussions.

While the available information has led to the discovery of some zero-day vulnerabilities, cybersecurity vendors and other tech companies determined that many of the flaws have already been patched. Last week, WikiLeaks published files focusing on Mac and iPhone exploits, but Apple claimed most of the security holes had been addressed.

The CIA has refused to comment on the authenticity of the leaked documents. However, the agency pointed out that its mission is to collect intelligence from overseas entities, and claimed that it does not spy on individuals in the U.S.

Related: Industry Reactions to CIA Hacking Tools

Related: Security Firms Assess Impact of CIA Leaks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
