The fifth instalment of the Vault 7 series has been released by WikiLeaks. The “Hive” instalment is described by WikiLeaks as a “back-end infrastructure malware with a public-facing HTTPS interface.” It is used to transfer information from machines the CIA has targeted and to execute orders on those machines.
The public HTTPS protocol used for communication with encrypted connections “utilizes unsuspicious-looking cover domains.” Hence, those targeted by the CIA are unlikely to be aware that their ‘secure’ communications are being breached.
The documents show that the CIA’s Hive project was developed by the Embedded Development Branch (EDB), the same branch responsible for the CIA attacks on Apple firmware detailed in WikiLeaks’ earlier ‘Dark Matter’ leak.
Hive has been around since 2010 and, according to its User Guide, functions as both a beacon and an interactive shell. In other words, the design supports the deployment of other CIA tools, acting as a “virus control system” in “many malware implants and intelligence operations,” reports Sputnik News.
WikiLeaks published the release on 14 April:
“For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however, they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.”
The Hive release follows “Grasshopper” on April 7, and Marble Framework on March 31.
Marble Framework hides “text fragments used in CIA malware from visual inspection.” The release demonstrated how the CIA could play a “double game” of attribution, as the framework also contains text in Chinese, Russian, Korean, Arabic and Farsi. This would distract forensic investigators and ultimately lead them to the wrong conclusion.
The Grasshopper release concerned Microsoft Windows operating systems. The CIA’s Grasshopper framework allowed for a “customized implant” for a targeted OS.
According to WikiLeaks:
“Grasshopper provides a very flexible language to define rules that are used to “perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration”. Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.”
As for the latest release in the series, WikiLeaks hopes the Hive publication will “enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.”