
WikiLeaks publishes code that could expose CIA hacking operations

The latest files published by WikiLeaks reveal techniques used by the CIA to hide its hacking tools, potentially making it possible to identify the agency’s hacking operations

WikiLeaks has published code that could be used to develop software to identify hacking tools developed by the US Central Intelligence Agency (CIA).

The release of code from the CIA’s development library comes a month after WikiLeaks published the first set of files it claimed were from the CIA’s software development server.

The 8,761 documents described an arsenal of CIA hacking tools to target Windows, Android, iOS, OSX and Linux that exploit zero-day vulnerabilities in most desktop and mobile operating systems, putting affected tech firms on the back foot and racing to release fixes and contain the damage.

The latest release, however, includes code for the obfuscation tools designed to make it difficult to detect, reverse-engineer and trace the origins of the CIA hacking tools.

The obfuscation tools, known as the Marble Framework, are designed to obscure text strings and binary objects within the CIA hacking tools in a number of ways, including “scrambling” binary content using a number of bit-shifting techniques, and inserting snippets of foreign languages, reports Ars Technica.

The leaked development library code appears to be “one of the most technically damaging leaks ever done by WikiLeaks, as it seems designed to disrupt ongoing CIA operations,” Nicholas Weaver, a University of California at Berkeley computer security researcher, told the Washington Post.

According to WikiLeaks, the Marble source code includes a de-obfuscator. “Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA,” said WikiLeaks.
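As an added illustration (not code from the leak, from WikiLeaks or from the Marble source): once an obfuscation routine and the keys it was used with are known, an investigator can precompute how strings a toolkit is known to embed look after scrambling, and search other binaries for those byte patterns. The rotate-and-XOR scheme, the marker strings and the sample blob below are all constructed for this example and are not Marble's actual algorithm.

```python
"""Turning a known string-obfuscation routine into a detection signature.
The scheme (XOR with a one-byte key, then rotate right by SHIFT bits) is a
CONSTRUCTED stand-in for illustration, not the Marble Framework's algorithm."""
from typing import Dict, Iterable, List, Tuple

SHIFT = 3  # constructed parameter


def _rol8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    return ((b >> n) | (b << (8 - n))) & 0xFF


def scramble(text: str, key: int) -> bytes:
    """Constructed obfuscation: XOR each byte with key, then rotate right."""
    return bytes(_ror8(c ^ key, SHIFT) for c in text.encode())


def unscramble(blob: bytes, key: int) -> str:
    """Inverse of scramble(): rotate left, then XOR with the same key."""
    return bytes(_rol8(b, SHIFT) ^ key for b in blob).decode(errors="replace")


def build_signatures(known: Iterable[str], keys: Iterable[int]) -> Dict[bytes, Tuple[str, int]]:
    """Map the scrambled form of each known string, under each key, back to (string, key)."""
    return {scramble(s, k): (s, k) for s in known for k in keys}


def scan(blob: bytes, sigs: Dict[bytes, Tuple[str, int]]) -> List[dict]:
    """Report every offset at which a precomputed scrambled pattern occurs."""
    hits = []
    for pattern, (plain, key) in sigs.items():
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append({"offset": idx, "string": plain, "key": key})
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: two scrambled marker strings embedded among filler bytes.
KNOWN = ["kernel32.dll", "config.dat"]
SAMPLE = (b"\x00" * 8 + scramble("kernel32.dll", 0x5A)
          + b"\xff" * 5 + scramble("config.dat", 0x5A) + b"\x00" * 4)

if __name__ == "__main__":
    for hit in scan(SAMPLE, build_signatures(KNOWN, [0x5A])):
        print(hit)
```

With a different key the same strings produce different byte patterns, so the signature set has to cover every key the investigator has seen in use.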

Security commentators have also warned that the CIA code could now be adopted by other hacking groups to obfuscate their own malware.

WikiLeaks has speculated that test examples in the Marble source code in Chinese, Russian, Korean, Arabic and Farsi would permit a forensic attribution double game: pretending that the malware creator’s spoken language was Chinese rather than English, and then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.

However, according to Jake Williams, founder of security firm Rendition InfoSec, the tests are more likely to be aimed at ensuring that hacking operations using code written in those languages could be hidden. “If you’re trying to false-flag an operation as Chinese, you wouldn’t want to hide those code strings, you’d want everyone to see them,” he told the Washington Post.

Although the CIA has not commented on the authenticity of the Marble code, spokesman Dean Boyd said: “Dictators and terrorists have no better friend in the world than [WikiLeaks founder] Julian Assange, as theirs is the only privacy he protects.

“The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.

“Such disclosures not only jeopardise US personnel and operations, but also equip our adversaries with tools and information to do us harm,” said Boyd in a statement.


WikiLeaks came under fire for publishing information about the hacking tools and vulnerabilities they exploit without first disclosing it to software and hardware makers to enable them to prepare patches to protect users of affected products.

But just two days later, WikiLeaks promised to show tech firms details of the CIA hacking tools to enable them to prepare fixes before any more are made public.

Assange said the CIA could potentially cause the tech industry “billions of dollars of damage” and that after some thought, he had decided to give the tech community further leaks first.

“We have decided to work with them, to give them exclusive access to some of the technical details we have,” he said. “Once the material is effectively disarmed, we will publish additional details.”


Simon Smith eVestigator here. As a very seasoned programmer, and Cyber Security Expert - I do not think this is a major damning discovery. At the end of the day the code has to be de-obfuscated to execute. However they have code-shifted it or XOR'd it, or whatever they have done, whatever the language, typically JavaScript exploiting cross server side scripting, it has to put it back into one piece anyway.

As a master programmer of over 20 years and Cyber Security expert and expert witness, the technique I use to extinguish malware that is obfuscated is simply to throw it onto a VMware machine, take a snapshot, let it run, observe the executed code in the DOM, take a snapshot and compare. It is really not a large danger at all. The more concerning part is that there is malware and fighting cyber-attacks is more newsworthy. Proper experts already know the technique I've described above to reverse engineer malware and it is quite simple.
