Shortly before the weekend Wikileaks published Vault 8, their analysis and the source code they used as part of their Vault 7 leaks that document how the CIA execute their cyber offence strategy. As the days go by and more people are given a chance to analyse and review the source code contained as part Vault 8; we’ll probably hear of even more of the elaborate methods that are used by the CIA, but I’ve had a look through its initial announcement around the CIAs use of Hive.
Hive seems to be the tool the CIA have created to not only more easily retrieve the surveillance it has extracted from a target; but also to ensure that the activities are not traceable back to the agency. With the high number of exploits I imagine are being utilised by the agency; along with the large number of agents managing each project, the possibility of someone making a mistake and giving the game away would be quite high.
The program appears to be an attempt to mitigate that by providing one method a number of exploits can communicate using and to do so without risking the activity traced back to the CIA. Not only does this do so by moving data over a VPN back to the CIA, but it also uses innocuous looking domains to hide activity.
When a group is set up, each group will register innocuous looking domains and use these as a front; so if an unauthenticated user tries to trace this data, they will be diverted to the front website. Reading through the analysis I can’t help but think of an old fashioned money laundering operation; all outward appearances suggest the business is something unexceptional like a launderette, but behind the facade is something different.
An extra disguise that the CIA used was to use fake digital certificates from various entities, one entity being Kaspersky Labs who have admitted their certificates have been tampered with. This extra addition meant that if anyone examines the traffic generated it will look the data is being moved by the entity the certificate belong to, not the CIA.
I can’t help but be impressed by the methods used in the program, but it will also add to questions being raised asking if governments should really be using vulnerabilities for cyber offence, or if it should inform software makers as soon as it finds them to prevent nefarious actors taking advantage of them. Likely a question that wont be answered for some time yet.