Today, 9 November 2017, WikiLeaks published the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. With Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult just by looking at the malware's communication with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot'.

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything but a normal website. The only peculiarity is invisible to non-technical users: an HTTPS server option that is not widely used, Optional Client Authentication. Because the authentication is optional, an ordinary user browsing the website is not required to present a certificate, but implants talking to Hive do authenticate themselves and can therefore be recognized by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above), while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic leaving its network, it is likely to misattribute the CIA's exfiltration of data to uninvolved entities whose identities have been impersonated.
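As an added example (not code from the Hive dump or from WikiLeaks), the Go program below constructs a client certificate in the pattern the two paragraphs above describe, a throwaway "Thawte" CA signing a "Kaspersky" leaf, and shows the check a defender inspecting egress TLS traffic should apply: the certificate's Issuer string reads Thawte, yet the chain only verifies against a trust store that already contains the forged CA (as the Blot side would) and fails as an unknown authority against anything else. All keys are generated on the fly and the names are copied from the text; nothing here comes from real Kaspersky or Thawte certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustParse turns CreateCertificate's (der, err) into a parsed cert; a panic is fine in a constructed demo.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// ForgedImplantCert builds a constructed client certificate in the pattern the dump
// describes: the Subject names Kaspersky and the Issuer string names Thawte, but the
// signer is a throwaway CA that no real trust store contains (names from the text).
func ForgedImplantCert() (leaf, fakeCA *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Thawte Premium Server CA", Locality: []string{"Cape Town"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed; the parent's Subject becomes the Issuer string on every cert it signs.
	fakeCA = mustParse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Kaspersky Laboratory", Locality: []string{"Moscow"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf = mustParse(x509.CreateCertificate(rand.Reader, leafTmpl, fakeCA, &leafKey.PublicKey, caKey))
	return leaf, fakeCA
}

// VerifyClientCert is the defender-side check: chain the certificate to roots you actually
// trust instead of believing the Issuer field. A non-nil empty pool trusts nothing; nil falls back to system roots.
func VerifyClientCert(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The same check applies to any client certificate seen leaving the network: a name in the Issuer field is untrusted metadata until the chain terminates in a root the inspecting party itself trusts.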

The documentation for Hive is available from the WikiLeaks Vault7 series.

To see the latest Dump from Wikileaks proving the CIA impersonates RUSSIAN HACKERS, Click Here
