Write a comment

Today, 9 November 2017, WikiLeaks published the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot'.

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic go to a cover server that delivers the insuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

The documentation for Hive is available from the WikiLeaks Vault7 series.

To see the latest Dump from Wikileaks proving the CIA impersonates RUSSIAN HACKERS, Click Here

Loading comment... The comment will be refreshed after 00:00.

Be the first to comment.

Say something here...
You are a guest ( Sign Up ? )
or post as a guest
 

 

 

Latest

1 Comment

Democrats Could be HELD in Senate Session through OCTOBER - Can't Campaign!

September 21, 2018
Write a comment

Mitch McConnell: Has the Votes to Confirm Kavanaugh

September 21, 2018
41 Comments

SYRIA ATTACKED AGAIN - "MISSILES FROM THE SEA" -- Russian IL-20 Aircraft with 14 Troops aboard "HIT" - falls into the Med.

September 17, 2018
5 Comments

North Carolina Nuclear Plant Declares EMERGENCY

September 17, 2018
22 Comments

AMBUSHED! US Forces KILLED by ISIS in Syria

September 16, 2018
12 Comments

Here it is: Filming of a FALSE Chemical Attack at Hospital in Syria

September 16, 2018
5 Comments

Hurricane Leaves Major "Hole" In US National Defenses!

September 15, 2018
19 Comments

RUSSIANS BOMB AL-TANF - PERIMETER OF U.S. BASE; AMERICAN TROOPS "TRAPPED"

September 15, 2018
Write a comment

47.3 Inches of Rain in 48 Hours - and it's still raining!

September 15, 2018
9 Comments

COVERT INTEL: Solar Observatory Closure in New Mexico

September 15, 2018
2 Comments

Mueller Refers Former Obama White House Counsel for Criminal Prosecution!

September 15, 2018
12 Comments

COVERT INTEL: Keep an eye on Europe This Weekend; Germany, Austria, Lichtenstein in particular

September 14, 2018
16 Comments

First Deaths from Hurricane as Hundreds More Cry for Help in North Carolina

September 14, 2018
12 Comments

RADIATION SPIKE AT FORMER NUKE PLANT SITE IN CALIFORNIA

September 14, 2018
15 Comments

70 -100 EXPLOSIONS AND FIRES IN ANDOVER AND LAWRENCE, MASS. - GAS MAIN MALFUNCTION CAUSING HOMES TO EXPLODE

September 13, 2018