Today, April 28th, 2017, WikiLeaks publishes the documentation and source code for the CIA’s “Scribbles” project, a document-watermarking preprocessing system that embeds “Web beacon”-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others. The released version (v1.0 RC1) is dated March 1st, 2016 and classified SECRET//ORCON/NOFORN until 2066.
Scribbles is intended for off-line preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that “[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary.”
According to the documentation, “the Scribbles document watermarking tool has been successfully tested on […] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password protected”. But this limitation to Microsoft Office documents seems to create problems: “If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them.”
Security researchers and forensic experts will find more detailed information on how watermarks are applied to documents in the source code, which is included in this publication as a zipped archive.
Here’s How the Scribbles Tool Works:
Scribbles is written in the C# programming language. It generates a random watermark for each document, inserts it into the document, saves all processed documents in an output directory, and creates a log file that identifies the watermarks inserted into every document.
This technique works in exactly the same way as a “tracking pixel”, where a tiny pixel-sized image is embedded inside an email, allowing marketers and companies to keep track of how many users have seen the advertisement.
Using this tool, the CIA inserts a reference to a tiny, uniquely generated file, hosted on a CIA-controlled server, into the classified documents “likely to be stolen.”
So, every time the watermarked document is opened by anyone, including potential whistleblowers, it will silently load the embedded file in the background. That request creates an entry on the CIA’s server containing unique information about whoever accessed the document, including the time stamp and his/her IP address.
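For anyone checking a document for this kind of beacon before opening it, the following added example (not taken from the Scribbles source or from the original article) lists the external references in an OOXML (.docx) package. It assumes the beacon is stored as a linked remote image, which OOXML records as a relationship with `TargetMode="External"`; the sample document and host name are constructed, and legacy binary .doc files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, a hardened parser is preferable

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_targets(docx_bytes):
    """Return (rels_part, rel_type, target) for each TargetMode="External" relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(pkg.read(name)).iter(REL):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, rel.get("Target", "")))
    return hits

def beacon_candidates(docx_bytes):
    """External parts other than hyperlinks can be fetched when the file is
    opened; hyperlinks are followed only when the reader clicks them."""
    return [h for h in external_targets(docx_bytes) if h[1] != "hyperlink"]

def build_sample():
    """Constructed sample: one embedded image, one remote image, one hyperlink."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OD}image" Target="media/image1.png"/>'
        f'<Relationship Id="rId2" Type="{OD}image" TargetMode="External" '
        'Target="http://tracker.example.invalid/img/7f3a9c.png"/>'
        f'<Relationship Id="rId3" Type="{OD}hyperlink" TargetMode="External" '
        'Target="https://example.org/"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in beacon_candidates(build_sample()):
        print(f"{part}: external {kind} -> {target}")
```

Because the script reads the package as a ZIP archive and never renders it, inspecting a file this way does not trigger the remote fetch.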