WikiLeaks Exposes CIA’s Anti-Forensics Tool

The third set of stolen CIA documents has recently been released. After Year Zero and Dark Matter, WikiLeaks has now opened another vault. Codenamed Marble, the vault contains 676 source code files of the CIA`s anti-forensic Marble Framework that was used to make it hard for forensic investigators to attribute cyber-attacks, Trojans, and viruses to the agency. However, WikiLeaks noticed that these most recent documents focus on the CIA`s obfuscation techniques and anti-forensics tools instead of including exploits.

Early in March, WikiLeaks released the first episode of documents which disclosed a number of outdated security flaws in Android, iOS, Samsung TVs and a couple of other products. Microsoft, Google, Apple and other companies, however, stated that all the issues have been already addressed long ago. Moreover, experts also added that the release was not as shocking as Julian Assange promised it would be and that it only confirmed what people already knew the agency was doing in its targeted attacks.

The second release was codenamed Dark Matter and it focused exclusively on Apple products what was supposed to be better secured that others. WikiLeaks had subtly said that it is possible that CIA is infecting Apple devices right in the factory. However, this accusation was not proved by any of the leaked documents. Apple once again stated that the mentioned vulnerabilities have already been patched. And yet, one of the biggest revelations was the fact that CIA has been attacking iPhone devices since the first year they were launched on the market.

“Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.” – said Apple.

This third trove doesn’t have to go with other tech companies. It focuses on the CIA itself. In this release, WikiLeaks stated that CIA makes attribution difficult by hiding (obfuscating) text fragments:

“Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA. Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”

According to the release, CIA is also using a deobfuscator tool to reverse text obfuscation. Moreover, the release reveals that the agency knows too many languages. Marble framework has text examples in Russian, Korean, Chinese, Farsi and Arabic which CIA uses to make it difficult for forensics investigators to connect an attack to it.

WikiLeaks doesn’t receive as much trust and attention as it did at first when it released the Vault 7 documents. After trying to exaggerate security situations to presenting demands to companies before it could share source code a couple of times, the company repeated the steps of the famous Edward Snowden, who shared all the document with the public without making any demands to companies or publications. Microsoft and Apple have already said that the organization has to share security flaws like everyone else and it won`t be treated differently for it. After the Dark Matter release, Apple stated the following:

“We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”

Ii seems like WikiLeaks has finally decided to focus on the CIA agency itself instead of tech companies and their products.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.