
WikiLeaks Releases Fifth Instalment of Vault Series, “Hive”

The fifth instalment of the Vault 7 series has been released by WikiLeaks. The “Hive” instalment is described by WikiLeaks as a “back-end infrastructure malware with a public-facing HTTPS interface.” It is used to transfer information from machines targeted by the CIA and to execute commands on those machines.

The public HTTPS protocol used for the encrypted communication “utilizes unsuspicious-looking cover domains.” Hence, those targeted by the CIA are unlikely to be aware that their ‘secure’ communications are being breached.

The documents for the CIA’s Hive project were developed by the Embedded Development Branch (EDB), the same branch responsible for the CIA attacks on Apple firmware detailed in WikiLeaks’ earlier ‘Dark Matter’ leak.

Hive has been around since 2010 and, according to a User Guide, functions as both a beacon and an interactive shell. In other words, the design assists in the deployment of other CIA tools, acting as a “virus control system” in “many malware implants and intelligence operations,” reports Sputnik News.

WikiLeaks published the release on 14 April:

“For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.”

The Hive release follows “Grasshopper” on April 7, and Marble Framework on March 31.

Marble Framework hides “text fragments used in CIA malware from visual inspection.” The release demonstrated how the CIA could play a “double game” of attribution as the creation is also in Chinese, Russian, Korean, Arabic and Farsi. This would distract and ultimately lead forensic investigators to the wrong conclusion.

The Grasshopper release was more to do with Microsoft Windows operating systems. The CIA’s Grasshopper framework allowed for a “customized implant” for a targeted OS.

According to WikiLeaks:

“Grasshopper provides a very flexible language to define rules that are used to “perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration”. Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.”

As for the latest release in the series, WikiLeaks says it hopes the Hive publication will “enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities.”
