CIA used Trojan code

The CIA’s hacking operations allegedly borrowed elements from the Carberp financial malware when the code was leaked in 2013, writes Michael Kan

PC Advisor

When the source code to a suspected Russian-made malware leaked online in 2013, guess who used it? A recent release from WikiLeaks claims the US CIA borrowed some of the code to bolster its own hacking operations.

In April, WikiLeaks released 27 documents that allegedly detail how the CIA customised its malware for Windows systems.

The CIA borrowed a few elements from the Carberp financial malware when developing its own hacking tool known as Grasshopper, according to those documents.

Carberp gained infamy as a Trojan program that can steal online banking credentials and other financial information from its victims’ computers. The malware, which likely came from the criminal underground, was particularly problematic in Russia and other former Soviet states. In 2013, the source code was leaked, sparking worries in the security community that more cybercriminals might use the malware.

The WikiLeaks release includes supposed CIA user manuals that show the agency took an interest in the malware, especially with the way it can survive and linger on a Windows PC.

“The persistence method, and parts of the installer, were taken and modified to fit our needs,” the US spy agency allegedly wrote in one manual, dated January 2014.

It’s unclear why the agency chose Carberp. However, the borrowed elements were only used in one ‘persistence module’ meant for the CIA’s Grasshopper hacking tool. That tool is designed to build custom malware configured with different payloads, according to a separate document.

The WikiLeaks release describes several other modules that work with Grasshopper to let malware persist on a PC, such as by leveraging Windows Task Scheduler or a Windows registry run key. However, no actual source code was included in the release. Nevertheless, the documents will probably help people detect the CIA’s hacking tools, which is WikiLeaks’ intention in releasing the classified information.

In March, WikiLeaks began releasing a trove of secret files allegedly obtained from the CIA. Those first leaks described how the agency has a library of hacking techniques borrowed from malware out in the wild.

The US spy agency has so far declined to comment on the authenticity of WikiLeaks’ document dump.
