The Long-Term Threats Posed by the Vault 7 Leaks

Dealing with the challenges posed by the public disclosure of offensive cyber capabilities has become common for security professionals. More recent disclosures include the ongoing Vault 7 leaks that started in March 2017 and released details on the CIA’s supposed cyber warfare and electronic surveillance secrets, and The Shadow Brokers’ April leak that introduced, among other tools and exploits, the now infamous EternalBlue exploit to the world. Before those came to light, there was the Hacking Team leak in July 2015, which arguably forced security practitioners to start considering the implications of leaked exploits on enterprise security.

The Shadow Brokers’ leak, and before that the Hacking Team leak, tend to dominate the news cycle and attract the most attention from the cybersecurity community since they involve the release of malware source code and zero-day exploits that pose an immediate threat. While those leaks and their implications are serious, the Cybereason Intelligence Group believes that the Vault 7 leaks, which focus on methods rather than tools and exploits, can potentially have longer-term consequences for information security since they force defenders to deal with detecting malicious behavior, which is more challenging to identify.

In this paper we will show why the enterprise security repercussions of these three leaks aren’t equal. Some threats have greater longevity than others. The leaked data creates two distinct risk curves for enterprise defenders: The Shadow Brokers and Hacking Team leaks cause a drastic near-term spike, while the Vault 7 leak causes a slow but escalating risk as new stealthy techniques are adopted.

VAULT 7

Hacking Team, a company that provides lawful interception and computer network exploitation services, was compromised in mid-2015. This compromise resulted in six zero-day vulnerabilities (CVE-2015-2387 and CVE-2015-2426 for Windows LPE; CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123 for Adobe Flash; CVE-2015-2425 for Internet Explorer) and other exploits (CVE-2015-0349 for Adobe Flash; CVE-2014-3153 for Android) being released into the wild. Known APT actors leveraged these vulnerabilities and exploits within hours of their release, and in fewer than 48 hours they were also incorporated into known exploit kits like Angler, Nuclear, Neutrino and Magnitude, demonstrating the rapid weaponization of this type of release.

Defenders were already inundated with new exploitation attempts before companies could even think through how to build a hot patch. In addition to these exploits, Hacking Team’s malware source code was also reviewed and repurposed by several actors, including APT28 in a Mac OS X implant called XAgent, the Callisto APT group which employed the “Scout” initial reconnaissance tool, and even the CIA according to Vault 7 documents.

The Shadow Brokers’ dump and subsequent subscription service are significant milestones since they give a range of actors unprecedented access to government-level tools and vulnerabilities. Even though most of the leaked tools and exploits dated to 2013 (some to 2010), most of them were still unknown when they were released to the general public. One such tool is UNITEDRAKE, which was mentioned in the December 2013 leaked NSA ANT catalog and was released to subscribers on September 6, 2017. According to UNITEDRAKE’s manual it is a “fully extensible remote collection system designed for Windows targets”. In addition to Windows tools (like Brutal Kangaroo) and exploits, The Shadow Brokers’ leak contains dozens of exploits for enterprise firewalls, antivirus products and very specific operating systems. The distribution of those technologies is far smaller than Windows, making them a more targeted threat.

Leaked exploits such as EternalBlue were incorporated into at least four well-publicized worms, including WannaCry and NotPetya, within two months of their public release. Damage from these attacks was instantaneous and quantifiable, and so were the remediation plans and reactions from the information security industry. Lloyd's of London and risk-modeling firm Cyence estimate that WannaCry caused $8 billion worth of damage globally and place NotPetya’s economic impact at $850 million. Meanwhile, companies are calculating the impact of NotPetya on their bottom line. Shipping company Maersk, for example, estimates that NotPetya caused $300 million in lost revenue, while consumer goods maker Reckitt Benckiser could see a £100 million ($129 million) hit in yearly revenue, in addition to long-term reputational damage.

These releases lead to a race in which defenses are quickly assembled until a more permanent solution is found, either through patching or by reconfiguring networks. As information gets released, the relevant vendors should warn their customers about the leaked vulnerabilities and fix them as soon as possible. For instance, some of the Hacking Team vulnerabilities were patched within a few days of discovery.

However, even in cases where the vulnerabilities were fixed quickly, the adoption rate of those patches is often measured in weeks or even months, leaving organizations around the world exposed. This delay in applying security updates resulted in many organizations getting infected by WannaCry in May and NotPetya in June, even though Microsoft had already fixed the EternalBlue vulnerability in March. Furthermore, EternalBlue was used by APT28 for lateral movement in targeted attacks against hotels in Europe and the Middle East as late as July. Either way, the field is fixed and the group (attacker or defender) who weaponizes the information first wins. While painful in the short term, the lifespan of these tools and exploits usually ranges from days to weeks, and in some cases several months, like the Android “Kernel Waiter Exploit” that was used to spread mobile ransomware for almost a year after it was leaked.

...but leaked techniques are worse

The Vault 7 leaks, however, are totally different. They focus primarily on how the exploits and tools were used and developed. This amounts to an explanation of the logic behind the malicious activity, which serves as a free education for those looking to do harm and helps close the gap between very advanced attackers and low-level ones.

In a press release discussing Vault 7, WikiLeaks said it reviewed the leaked content, published substantive documentation and avoided distributing 'armed' cyber weapons. The Cybereason Intelligence Group believes this statement is far from true. Compared to the other leaks discussed here, Vault 7 seems harmless in the short term since it does not contain source code, builds or exploits that could be weaponized immediately. But we conclude that these leaks are even more dangerous because they expose the secret TTPs (tactics, techniques and procedures) of advanced operations in several ways:

  1. Leaked OPSEC discussions and best practices, such as “What did Equation do wrong, and how can we avoid doing the same?”
  2. Leaked technical user manuals expose ideas, operational concepts and methods that could be mimicked by attackers in their own operations.
  3. Information about vulnerabilities in a specific product or function tips off attackers that it is exploitable and worth reverse-engineering, as our CEO Lior Div points out in this Network World blog. He gives the example of Cisco warning customers that a software flaw discussed in the Vault 7 leak allows attackers to take over more than 300 of the company’s switches.

These leaks are dangerous for several reasons. First, the security industry is slow to respond to this type of threat. Such threats are harder to defend against because the industry now has to figure out how to detect behaviors that often take advantage of legitimate processes and capabilities, without a clearly defined target to judge progress against.

Second, there are so many urgent threats that require immediate attention that time is often against security professionals. Network defenders can’t easily justify research into hypothetical methods of intrusion when they are overwhelmed and overworked by malware that poses a direct threat.

Finally, because there’s a substantial gap in time from when the malware discussed in the Vault 7 leaks was created to when the program is publicly disclosed, it is likely that most of the malware detailed in the leak is no longer actively used by the original creator. This means that dealing with this malware is not a high priority for defenders. This asymmetry in prioritization gives malicious actors a long runway to build, test and exploit the information released in the Vault 7 leaks due to the lack of urgency that this style of leak creates.

A review of the Linux tools in the Vault 7 leaks shows several clever ways to conduct cyber operations that are underreported and currently difficult to detect, whether it’s Outlaw Country’s use of hidden iptables tables or Gyrfalcon’s use of SSH and SYSV message queues. The techniques detailed in these leaks show useful hacks in current and legacy versions of operating systems, as well as how a particular group thinks about targeting information and breaking into systems. This knowledge not only raises the bar for hacking operations; it also allows adversaries to mimic an advanced threat group for misattribution.

The Vault 7 leaks pose the most risk to enterprise security

To be clear, the Vault 7, The Shadow Brokers’ and Hacking Team leaks all pose risks to enterprise security. But when asked which leak poses the greatest risk over time, Vault 7 takes that title. Security professionals know and understand the techniques used by these advanced threat actors, but the industry is too busy dealing with immediate threats.

However, there’s no reason to be in this situation. Just like attackers can incorporate the ideas, methods and operational thinking from the Vault 7 release into malware, defenders can do the same and think of creative ways to detect these behaviors. The key is to use behavioral analysis to detect this activity. Malware is now polymorphic, constantly changing its code to avoid detection, making traditional technical analysis ineffective at flagging these programs.

On the other hand, behavioral analysis detects TTPs, which are much more difficult to change and take substantial amounts of time to develop, making them more valuable to attackers. If defenders discover TTPs, they’ll have a detrimental impact on the attackers’ operation that eclipses any operational damage caused by discovering IOCs.
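One concrete form of the behavioral baseline check argued for above, applied to the two Linux techniques named earlier (hidden iptables tables, SYSV message queues as an IPC channel). This is an added example, not code from the article or from any Vault 7 tool: it compares what the kernel reports in /proc/net/ip_tables_names and /proc/sysvipc/msg against an allowlist the defender maintains. The allowlists and the sample /proc contents are constructed for the example.

```python
# Added example: baseline check over two procfs tables a defender can
# read on a stock Linux host. A kernel-resident tool can filter what
# procfs shows, so a clean result is an inventory check, not proof of
# absence; an unexpected entry is a lead to pivot on (uid, last sender pid).
from typing import Dict, List, Set

# Tables a stock kernel registers once the corresponding modules load.
# Anything else is worth explaining. (Allowlist is an assumption.)
EXPECTED_TABLES: Set[str] = {"filter", "nat", "mangle", "raw", "security"}


def unexpected_iptables(proc_text: str, expected: Set[str] = EXPECTED_TABLES) -> List[str]:
    """Names from /proc/net/ip_tables_names that are not on the allowlist."""
    names = [line.strip() for line in proc_text.splitlines() if line.strip()]
    return sorted(n for n in names if n not in expected)


def suspicious_msg_queues(proc_text: str, allowed_keys: Set[int]) -> List[Dict[str, int]]:
    """Rows of /proc/sysvipc/msg whose IPC key is not on the allowlist.

    The file's first line is a header: key msqid perms cbytes qnum lspid
    lrpid uid gid cuid cgid stime rtime ctime. perms is printed in octal.
    """
    lines = proc_text.splitlines()
    if not lines:
        return []
    header = lines[0].split()
    findings: List[Dict[str, int]] = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed or truncated rows
        row = {name: int(val, 8 if name == "perms" else 10) for name, val in zip(header, fields)}
        if row["key"] in allowed_keys:
            continue
        findings.append({k: row[k] for k in ("key", "msqid", "perms", "uid", "qnum", "lspid")})
    return findings


# Constructed sample content standing in for the two /proc files.
# "xdrp_tbl" and key 19229 are made-up values for the example.
SAMPLE_TABLES = "filter\nnat\nmangle\nxdrp_tbl\n"
SAMPLE_MSG = (
    "       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n"
    "1234567890          0   600           0          0  1200  1199     0     0     0     0 1500000000 1500000000 1500000000\n"
    "     19229      32769   600        4096          3  4242     0     0     0     0     0 1500000100          0 1500000090\n"
)

if __name__ == "__main__":
    print("unexpected iptables tables:", unexpected_iptables(SAMPLE_TABLES))
    print("unlisted message queues:", suspicious_msg_queues(SAMPLE_MSG, {1234567890}))
```

On a live host, replace the constructed samples with the contents of the two /proc files (reading /proc/net/ip_tables_names needs root) and keep the allowlists as part of the host baseline.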

About the Author

Matan Mimran

Matan Mimran is a Cyber Intelligence Researcher at Cybereason.