How the CIA gained access to air-gapped computers

A new WikiLeaks release of documents believed to have been stolen from the CIA shows the intelligence agency’s capability to infect air-gapped computers and networks via booby-trapped USB sticks.


The Brutal Kangaroo project

The agency would start by infecting an Internet-connected computer inside the target organization with malware, which in turn infects any inserted USB stick with a second piece of malware. If such a USB stick is ultimately inserted into the air-gapped computer, that machine is infected with survey and exfiltration malware.

“The Brutal Kangaroo project consists of the following components: Drifting Deadline is the thumbdrive infection tool, Shattered Assurance is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo suite), Broken Promise is the Brutal Kangaroo postprocessor (to evaluate collected information) and Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network),” WikiLeaks summarized.

The exploited vulnerabilities

“The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction,” they added.

“Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.”
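The execution vector described above is a shortcut file that leads Windows to a DLL. As an added example (not code from the leaked documents, WikiLeaks or Ars Technica), the following Python script is the kind of triage an incident responder could run over files copied off a suspect thumb drive: it parses the Shell Link (.lnk) binary layout far enough to read the LinkFlags and StringData fields and flags shortcuts whose target, arguments or icon source refer to a DLL. The sample shortcuts, file names and the `helper.dll` placeholder are constructed for the demo; the article gives no indicator for Brutal Kangaroo itself, so the rule is only the generic "link file pointing at a DLL" pattern, and .library-ms files are merely listed for manual review because the text gives no detail on that flaw.

```python
"""Triage Windows shortcut (.lnk) files copied off a suspect USB drive.

Added example, not code from the leaked documents. It parses the Shell
Link binary format (MS-SHLLINK) far enough to read LinkFlags and the
StringData fields, then flags shortcuts whose target, arguments or icon
source refer to a DLL. All sample data is constructed in-line."""
import struct
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields in on-disk order, with the LinkFlags bit that enables each
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08),
                 ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the five StringData fields ("" when absent)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:        # skip the IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo: its size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {key}")
        pos += nbytes
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def suspicious_reasons(fields: dict) -> list:
    """Flag the DLL-as-target/argument/icon pattern; a clean shortcut yields []."""
    reasons = []
    for key in ("relative_path", "arguments", "icon_location"):
        if ".dll" in fields[key].lower():
            reasons.append(f"{key} refers to a DLL: {fields[key]}")
    return reasons


def build_lnk(**strings) -> bytes:
    """Constructed sample builder: Unicode StringData only, no IDList or LinkInfo."""
    flags = IS_UNICODE
    body = b""
    for key, bit in STRING_FIELDS:
        value = strings.get(key)
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, three reserved fields
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


def scan_drive(root: Path) -> list:
    """Walk a mounted or imaged drive; return (relative path, reasons) for each
    flagged .lnk file, and list .library-ms files for manual review."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() == ".library-ms":
            findings.append((str(path.relative_to(root)), ["library-ms file present, review manually"]))
        elif path.suffix.lower() == ".lnk":
            try:
                reasons = suspicious_reasons(parse_lnk(path.read_bytes()))
            except ValueError as exc:
                reasons = [f"malformed shortcut: {exc}"]
            if reasons:
                findings.append((str(path.relative_to(root)), reasons))
    return findings


def demo() -> list:
    """Lay out a constructed drive image in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hidden").mkdir()
        (root / "notes.lnk").write_bytes(build_lnk(relative_path=".\\notes.txt"))
        (root / "Documents.lnk").write_bytes(build_lnk(
            relative_path=".\\hidden\\helper.dll", icon_location=".\\hidden\\helper.dll"))
        (root / "hidden" / "helper.dll").write_bytes(b"MZ constructed placeholder, not a real DLL")
        return scan_drive(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Run it against the mount point or extracted image of the drive instead of the temp directory by calling `scan_drive(Path("/mnt/usb"))`. The parser deliberately stops at StringData; a fuller triage would also decode the LinkInfo volume and path fields, but the relative path and icon location already reveal the on-stick DLL pattern the article describes.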

A Microsoft official told Ars Technica that none of these mechanisms work on supported versions of Windows anymore, provided the latest patches are installed.

“Microsoft didn’t say when it patched the vulnerabilities exploited by Lachesis and RiverJack,” noted Dan Goodin, but pointed out that earlier this month Microsoft patched a critical vulnerability that allowed .LNK files stored on removable drives and remote shares to execute malicious code. “Microsoft said in its advisory that the vulnerability was being actively exploited but didn’t elaborate.”