WikiLeaks is starting a new series of leaks, dubbed Vault 8, containing source code and materials allegedly stolen from the CIA.
The Vault 8 leaks will ostensibly cover “source code and analysis for CIA software projects including those described in the Vault 7 series,” released to “enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.”
The first portion of the leaks, released on Thursday, contains source code and development logs of Hive, a covert communications platform that allows CIA malware implants to communicate with their operators in a secure manner.
“Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet,” WikiLeaks says.
“Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”
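The quoted passage describes certificates whose issuer field names a real CA but which that CA never signed. The defender's takeaway is that the names inside a certificate attribute nothing; only signature verification against a trusted key does. The following added example (not part of the original article or of the leaked material) builds two self-signed CAs with the identical, constructed subject name "Example Trusted Root CA", issues a client certificate from each, and shows that `openssl verify` accepts only the certificate whose signature actually chains to the trusted key. The file prefixes, names and the `chain_validates` helper are all assumptions made for this demonstration; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: an issuer *name* proves nothing about who signed a certificate.
# Two CAs share a subject name; only one is trusted. Verification is by key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <CN>: self-signed CA certificate and private key (constructed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# issue_leaf <ca-prefix> <leaf-prefix> <CN>: end-entity (client) cert signed by that CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issuer_name <leaf-prefix>: what the certificate merely *claims* about its issuer.
issuer_name() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

# chain_validates <ca-prefix> <leaf-prefix>: exit 0 only if the leaf's signature
# really verifies against the given CA's key (what a defender should check).
chain_validates() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# The genuine CA, and a rogue CA with the same subject name but a different key.
make_ca trusted "Example Trusted Root CA"
make_ca rogue   "Example Trusted Root CA"
issue_leaf trusted legit "client.example.net"
issue_leaf rogue   fake  "client.example.net"

# Both leaves print the same issuer line; attribution by name cannot tell them apart.
printf 'legit issuer: %s\n' "$(issuer_name legit)"
printf 'fake  issuer: %s\n' "$(issuer_name fake)"

if chain_validates trusted legit; then
  echo "legit: signature chains to the trusted CA key"
fi
if chain_validates trusted fake; then
  echo "fake: unexpectedly chained"
else
  echo "fake: issuer name matches, but the signature does not verify against the trusted CA"
fi
```

When triaging traffic from a suspect host, run the same `openssl verify` against your organisation's real trust store rather than reading the subject and issuer strings; a lookalike issuer name with a failing signature is the signal that the certificate was minted elsewhere.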
Eugene Kaspersky reacted quickly, and said that, after investigating the report, they can confirm that the Kaspersky certificates are fake, and that their “customers, private keys and services are safe and unaffected.”
Security researcher Martijn Grooten noted that the choice of using a fake Kaspersky certificate was probably just down to the fact that it is a widely used name:
TL;DR The CIA needed a client certificate to authenticate its C&C comms, couldn't link it to CIA and used "Kaspersky", probably just because they needed a widely used name. No CA hacking or crypto breaking involved. Clever stuff, but not shocking. Not targeted against Kaspersky. https://t.co/t618JucBFS
— Martijn Grooten (@martijn_grooten) November 9, 2017
The leak sparked some worry among infosec defenders, but The Register’s Shaun Nichols says that while the leaked source could be repurposed by malware authors, “there are tons of other examples out there they could crib from,” making this data dump more embarrassing for the CIA than dangerous for the public.
WikiLeaks says that the material it will publish in this series will not contain 0-days or security vulnerabilities that could be exploited by attackers.