
Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Releases

All Releases
Athena (19 May, 2017)
AfterMidnight (12 May, 2017)
Archimedes (5 May, 2017)
Scribbles (28 April, 2017)
Weeping Angel (21 April, 2017)
Hive (14 April, 2017)
Grasshopper (7 April, 2017)
Marble Framework (31 March, 2017)
Dark Matter (23 March, 2017)

Athena
19 May, 2017

Leaked Documents: Athena v1.0 User Guide; Athena Technology Overview; Athena (Design); Athena (Demo); Athena (Design/Engine)

Today, May 19th 2017, WikiLeaks publishes documents from the "Athena" project of the CIA. "Athena", like the related "Hera" system, provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).

Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system. It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation.

According to the documentation (see Athena Technology Overview), the malware was developed by the CIA in cooperation with Siege Technologies, a self-proclaimed cyber security company based in New Hampshire, US. On their website, Siege Technologies states that the company "... focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets." On November 15th, 2016 Nehemiah Security announced the acquisition of Siege Technologies.

In an email from HackingTeam (published by WikiLeaks here), Jason Syversen, founder of Siege Technologies with a background in cryptography and hacking, "... said he set out to create the equivalent of the military's so-called probability of kill metric, a statistical analysis of whether an attack is likely to succeed. 'I feel more comfortable working on electronic warfare,' he said. 'It's a little different than bombs and nuclear weapons; that's a morally complex field to be in. Now instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody.'"

AfterMidnight
12 May, 2017

Leaked Documents: AfterMidnight v1.0 Users Guide; AlphaGremlin v0.1.0 Users Guide; AfterMidnight Diagrams; Assassin v1.4 Users Guide; Assassin v1.3 Users Guide

Today, May 12th 2017, WikiLeaks publishes "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform.

"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via a HTTPS based Listening Post (LP) system called "Octopus". Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. "Assassin" (just like "AfterMidnight") will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as "The Gibson" and allow operators to perform specific tasks on an infected target.

Archimedes
5 May, 2017

Leaked Documents: Archimedes 1.0 User Guide; Archimedes 1.3 Addendum; Archimedes 1.2 Addendum; Archimedes 1.1 Addendum; Fulcrum User Manual v0.62

Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the redirecting of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target computer's web browser to an exploitation server while appearing as a normal browsing session.

The document illustrates a type of attack within a "protected environment": the tool is deployed into an existing local network, abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.

Scribbles
28 April, 2017

Leaked Documents: Scribbles v1.0 RC1 User Guide; Scribbles (Source Code); Scribbles v1.0 RC1 IVVRR Checklist; Scribbles v1.0 RC1 Readiness Review Worksheet

Today, April 28th 2017, WikiLeaks publishes the documentation and source code for CIA's "Scribbles" project, a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March, 1st 2016 and classified SECRET//ORCON/NOFORN until 2066.

Scribbles is intended for offline preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on [...] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password-protected". But this limitation to Microsoft Office documents seems to create problems: "If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them."

Security researchers and forensic experts will find more detailed information on how watermarks are applied to documents in the source code, which is included in this publication as a zipped archive.
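A check a recipient or forensic analyst could run on a document before opening it, added here as an example and not taken from the page or from the Scribbles source: it lists every external reference inside an Office Open XML package and flags those that are fetched without a click (such as a remote image). It assumes the watermark takes the form of an externally linked image, which the page does not state, and the sample package and its URLs are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML (.docx/.xlsx/.pptx) is a zip; each part's outside references live in
# *.rels files as <Relationship TargetMode="External" Type=... Target=...> elements.
# A remote image is requested silently when the document is rendered (beacon-like),
# whereas a hyperlink only fires on a click, so the two are reported separately.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found

def beacon_candidates(docx_bytes):
    """External targets that load without user interaction (anything but a plain hyperlink)."""
    return [t for _, typ, t in external_relationships(docx_bytes) if typ != HYPERLINK]

def build_sample_docx():
    """Constructed test package: one remote image (beacon-like) plus one ordinary hyperlink."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            'Target="http://cdn.example.invalid/img/wm-7f3a.png" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="%s" Target="https://www.example.invalid/" TargetMode="External"/>'
            '</Relationships>') % (REL_NS, HYPERLINK)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts; the scanner only reads *.rels
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for url in beacon_candidates(build_sample_docx()):
        print("silently-loaded external reference:", url)
```

Run it against a real document by passing the file's bytes to beacon_candidates; an empty result means no render-time external fetches were found in any relationship part.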

Weeping Angel
21 April, 2017

Leaked Documents: Extending User Guide

Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool, an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.

The classification marks of the User Guide document hint that it was originally written by the British MI5/BTSS and later shared with the CIA. Both agencies collaborated on the further development of the malware and coordinated their work in Joint Development Workshops.

Hive
14 April, 2017

Leaked Documents: Users Guide; Developers Guide; Developers Guide (Figures); Hive Beacon Infrastructure; Hive Infrastructure Installation and Configuration Guide

Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's HIVE project created by its "Embedded Development Branch" (EDB).

HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.

Anti-virus companies and forensic experts have noticed that some possible state-actor malware used such kind of back-end infrastructure by analyzing the communication behaviour of these specific implants, but were unable to attribute the back-end (and therefore the implant itself) to operations run by the CIA. In a recent blog post by Symantec, that was able to attribute the "Longhorn" activities to the CIA based on the Vault 7, such back-end infrastructure is described:

    For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.

The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.

Grasshopper
7 April, 2017

Leaked Documents: Grasshopper v1_1 Admin Guide; Grasshopper v2_0_2 User Guide; Stolen Goods 2_1 User Guide; GH Module Null v2_0 User Guide; GH Module Buffalo Bamboo v1_0 User Guide

Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper": 27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like 'MS Security Essentials', 'Rising', 'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.

One of the persistence mechanisms used by the CIA here is 'Stolen Goods', whose "components were taken from malware known as Carberp, a suspected Russian organized crime rootkit", confirming the recycling of malware found on the Internet by the CIA. "The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware." While the CIA claims that "[most] of Carberp was not used in Stolen Goods" they do acknowledge that "[the] persistence method, and parts of the installer, were taken and modified to fit our needs", providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the Italian company "HackingTeam".

The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise.
WikiLeaks S earch S ho p D o na te S ub m i t
Marble Framework
31 March, 2017

Leaked Documents: Marble Framework (Source Code)

Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble": 676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.

Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators in attributing previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion; but there are other possibilities, such as hiding fake error messages.

The Marble Framework is used for obfuscation only and does not contain any vulnerabilities or exploits by itself.

Dark Matter
23 March, 2017

Leaked Documents: Sonic Screwdriver; DerStarke v1.4; DerStarke v1.4 RC1 IVVRR Checklist; DarkSeaSkies v1.0 Test Plan Procedures; FDOS_1_0_FINAL_freedos_setup_odin

Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB).

These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke" are also included in this release. While the DerStarke 1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke 2.0.

Also included in this release is the manual for the CIA's "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

Media Partners
DER SPIEGEL (Germany)
LA REPUBBLICA (Italy)
LIBERATION (France)
MEDIAPART (France)

Expert Organizations
