A recent
release from WikiLeaks received almost no traction in the
global mainstream media, however, this release provides us with an inside look
at how the Central Intelligence Agency uses its own malware to impersonate a
key Russian cybersecurity company. This subject is
particularly pertinent given Washington's obsession with all things Russian
since the alleged hacking of the 2016 U.S. presidential election.
According to the documents released by
Wikileaks, "Hive" is a major component of the CIA's
infrastructure to control its malware which is used to hack, record and even control modern hi-tech equipment globally. Here is a description of Hive:
"Hive solves a
critical problem for the malware operators at the CIA. Even the most
sophisticated malware implant on a target computer is useless if there is no
way for it to communicate with its operators in a secure manner that does not
draw attention. Using Hive even if an implant is
discovered on a target computer, attributing it to the CIA is difficult by just
looking at the communication of the malware with other servers on the internet. Hive provides
a covert communications platform for a whole range of CIA malware to send
exfiltrated information to CIA servers and to receive new instructions from
operators at the CIA.
Hive can serve multiple operations
using multiple implants on target computers. Each operation anonymously
registers at least one cover domain (e.g.
"perfectly-boring-looking-domain.com") for its own use. The server
running the domain website is rented from commercial hosting providers as a VPS
(virtual private server) and its software is customized according to CIA
specifications. These servers are the public-facing side of the CIA back-end
infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to
a "hidden" CIA server called 'Blot'." (my bold)
The cover domain that is browsed by
anyone surfing the web will deliver "innocent content" to the user
who will not suspect that the website is abnormal. The Hive
source code allows the CIA's malware to mask itself under false security
certificates that impersonate public companies making users think that the
extraction of their information was being undertaken by an impersonated
company.
Here is another quote from Wikileaks:
"Digital certificates for the
authentication of implants are generated by the CIA impersonating existing
entities. The three examples included in the source code build a fake
certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending
to be signed by Thawte Premium Server CA, Cape Town. In this
way, if the target organization looks at the network traffic coming out of its
network, it is likely to misattribute the CIA exfiltration of data to
uninvolved entities whose identities have been impersonated." (my bold)
In the WikiLeaks documents we find this:
If you look at the text eleven lines from the top you will find the words "Kaspersky Laboratory", the Russia-based security company and purveyor of one of the world's most popular anti-virus products. By using these fake
digital certificates to authenticate the implants, the CIA is able to make it
look like Russia-based Kaspersky Laboratory is the party that is responsible for the exfiltration (extraction) of data.
According to the Hive 2.9.1 User's Guide, a self-delete function
was added to Hive to ensure that any version of a Hive implant that lies
dormant for a predetermined amount of time effectively destroys itself, leaving
behind only a .config file and a .log file in the /var directory.
While all of this may seem rather
unimportant in the grand scheme of Washington, it is important to remember that
the House Science Committee recently held a hearing in October 2017 on the risk
of Kaspersky products to the U.S. government as shown here:
...and sent the following letter regarding request for
information on the federal government's use of Kaspersky products in July 2017:
Here's what the Department of Homeland Security
had to say about Kaspersky and the removal of Kaspersky products from the computers of federal agencies on September 13, 2017 because they posed a risk to the "integrity and security of federal information systems":
So, basically, Kaspersky has been found
guilty of being a security risk to the United States government at the same
time as at least one arm of the U.S. security branch is using Kaspersky as a
mask for its own snooping malware.
Interesting times we live in, aren't they? It's like the paranoia of the 1950s McCarthy era all over again.
Posts
Big government tends to slowly expand and encroach upon the rights of the people for the so-called greater good. Anyone who doesn't believe that countries use psychological warfare and propaganda to sway the opinions of people both in and outside of their country should be considered naive. To many people America is more than a little hypocritical when they criticize other countries for trying to gain influence considering our history of meddling in the affairs of other countries.
ReplyDeleteAmericans have every reason to be concerned and worried considering revelations of just how big the government intelligent agencies have grown since 9-11 and how unlimited their spying and surveillance operations have become. The article below explores this growth and questions whether we have lost control.
http://brucewilds.blogspot.com/2017/04/psychological-warfare-and-propaganda.html
Hard to tell who is the larger danger to the world. CIA or FSB. I quit using Kaspersky years ago. One could go off line and even off grid to be "safe". But then the question arises safe from what or do do what?
ReplyDeleteYou hit the nail on the head. How can one be safe in this world of no privacy where government intrusion is the order of the day? It's beyond me.
DeleteOh it is the CIA, no doubt.
Delete