WikiLeaks’ Vault 7 leak details CIA hacking methodologies and tools. This massive leak contains 8,761 documents but most of the deeply technical content is redacted. WikiLeaks claims to have additional content but has not released it yet.
Here are a few interesting things to know about the Vault 7 leak:
Attack attribution is complicated
For the past several years, nation-states have been repurposing foreign tools and techniques to enable micro-operations while distancing themselves from them and eliminating the chances of an attack being attributed to its real source. The methods displayed by the CIA to avoid attribution, and specifically to create misattribution (for example, by hiring offshore teams and using foreign tools), shatter current conceptions of what attribution is and how it is done.
The question to ask is: is attribution dead? Are forensic fingerprints meaningless now? Now that any attacker can disguise itself as the CIA, and the CIA can disguise itself as a nation-state, the answer is yes, to some extent. While it is clear that the CIA (and other organizations) hide their tracks by using foreign tools and foreign locations, they still use methodologies for running cyber operations that are unique to their organization. For example, while the CIA may use foreign malware, its methodology for lateral movement in the network is probably unique and distinctive to it, and is usually harder to change and disguise. Attribution is possible, but it should rely less on the identification of malware and focus instead on the behaviors and methodologies used by the hackers. In other words, when you want to attribute an attack, look for the TTPs (tactics, techniques and procedures) that are used and always question the source of the code.
In 2015, the White House issued a policy outlining how the U.S. will respond to cyber attacks from malicious actors. This policy was a reaction to several cyber attacks attributed to Russian state actors. This attribution is the foundation upon which the policy was based, and the leaked information proves how ineffectual deterrence is in information security.
The revealed information is "generic"
The parts of Vault 7 Cybereason researched are more metadata than data. This is mainly due to the extensive censorship applied by WikiLeaks, but we suspect that the truly interesting parts have not been leaked yet. This idea is best reflected in the list of tools used by UMBRAGE, among them:
- Open-source code, accessible for all
- Commercial tools such as FineReader
- Code supplied by security vendors or research centers
- RATs from “private” cyber-groups, such as Hikit (Chinese), Carberp (Russian) and DarkComet RAT (originally French)
- Nation-state APTs, such as Shamoon (Iran) and other Chinese and Russian APTs
This list is a very generic, off-the-shelf guide to well-known attack techniques, probably meant to help create small ad-hoc tools used in specific operations with a low SIGINT footprint. Most of the techniques are basic and publicly available, and some of them are used by well-known malware. More sophisticated methods, which are probably kept for high-profile targets, were not revealed.
What will happen to the remaining data?
WikiLeaks has made itself the number one target for nation-states and similar actors, since it claims to keep valuable code samples in-house. Unfortunately, WikiLeaks does not have the same protection measures and safeguards as the CIA. Eventually, some of the biggest players out there will get hold of the tools. This supports the idea of the proliferation of these tools to lower-level actors.
On Thursday WikiLeaks editor-in-chief Julian Assange promised that his organization would work with hardware and software makers to fix the zero days disclosed in the leak before releasing more information about the flaws. Hopefully, this information will be used to close security gaps in the impacted products. Our main concern is that this information will find its way to cyber criminals and will be used to attack organizations before these vulnerabilities are fixed.