The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

Wikileaks has published details of three new CIA hacking tools pulled from its Vault 7 trove of information.

The tools target Apple's macOS (then OS X) and Linux. Two of them, 'Achilles' and 'SeaPea', target macOS; the third, 'Aeris', targets Linux and other POSIX systems. All three were developed under a CIA project labelled 'Imperial'.

Achilles enables CIA agents to “Trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution”, according to Wikileaks.

The published details describe no delivery mechanism, so the trojanised installer would still have to be placed on the target machine and run by its user. SeaPea, meanwhile, is a macOS rootkit that is loaded at boot, so its access persists across reboots.

Once launched SeaPea “provides stealth and tool-launching capabilities,” according to Wikileaks, so that CIA agents can monitor and take control of targets’ Macs without their knowledge.

SeaPea had already surfaced in an earlier Vault 7 release, 'Dark Matter', as a component of the DarkSeaSkies implant; that release focused on CIA tools for compromising Apple Macs and iPhones.

The Linux malware dubbed Aeris, meanwhile, targets a number of Linux distributions, including Debian, CentOS and Red Hat, as well as FreeBSD and Solaris Unix.

The implant includes automated file exfiltration and a configurable command-and-control channel, so operators can tailor each deployment to its target.

“Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, Red Hat, Solaris, FreeBSD, [and] CentOS),” wrote Wikileaks.

It continued: “It supports automated file exfiltration, configurable beacon interval and jitter, standalone Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication.

“It is compatible with the NOD cryptographic specification and provides structured command and control that is similar to that used by several Windows implants.”
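The "configurable beacon interval and jitter" described above is what makes an implant's check-ins hard to spot by eye in proxy logs, but jitter is bounded, so the gaps between connections still cluster tightly around the configured interval while ordinary browsing does not. The following is an added example written for this page, not code from Wikileaks, the CIA tools or any vendor: it parses constructed proxy log lines (the hosts `lp.example.invalid` and `news.example.invalid` and the 10.0.0.x addresses are made up) and flags source/destination pairs whose inter-connection gaps stay within a tolerance of their median. The thresholds (15% tolerance, at least five intervals, 80% of gaps in band) are assumptions to tune per environment.

```python
"""Flag jittered beaconing in proxy logs (added example with constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real traffic. Format: "timestamp src dst".
# 10.0.0.5 -> lp.example.invalid checks in roughly every 300 s with about
# +/-10 % jitter; 10.0.0.7 -> news.example.invalid is irregular browsing.
SAMPLE_LOG = """\
2017-07-27T09:00:00 10.0.0.5 lp.example.invalid
2017-07-27T09:05:12 10.0.0.5 lp.example.invalid
2017-07-27T09:09:48 10.0.0.5 lp.example.invalid
2017-07-27T09:15:05 10.0.0.5 lp.example.invalid
2017-07-27T09:19:36 10.0.0.5 lp.example.invalid
2017-07-27T09:24:55 10.0.0.5 lp.example.invalid
2017-07-27T09:29:40 10.0.0.5 lp.example.invalid
2017-07-27T09:01:10 10.0.0.7 news.example.invalid
2017-07-27T09:01:25 10.0.0.7 news.example.invalid
2017-07-27T09:14:02 10.0.0.7 news.example.invalid
2017-07-27T09:40:30 10.0.0.7 news.example.invalid
2017-07-27T09:41:00 10.0.0.7 news.example.invalid
2017-07-27T10:55:45 10.0.0.7 news.example.invalid
2017-07-27T10:56:01 10.0.0.7 news.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def interval_stats(times, tolerance=0.15):
    """Median gap between connections and the fraction of gaps within
    +/- tolerance of that median. Returns None with fewer than two events."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    med = statistics.median(gaps)
    in_band = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return {"median": med, "fraction": in_band / len(gaps), "n": len(gaps)}


def find_beacons(conns, tolerance=0.15, min_intervals=5, min_fraction=0.8):
    """Return {(src, dst): stats} for pairs whose gaps are regular enough to
    look like a jittered beacon. Thresholds are assumed values, not from the
    leaked user guides; the tolerance must exceed the implant's jitter setting."""
    flagged = {}
    for pair, times in conns.items():
        stats = interval_stats(times, tolerance)
        if stats and stats["n"] >= min_intervals and stats["fraction"] >= min_fraction:
            flagged[pair] = stats
    return flagged


if __name__ == "__main__":
    for (src, dst), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: median {s['median']:.0f}s, "
              f"{s['fraction']:.0%} of {s['n']} gaps in band")
```

Two caveats a practitioner would expect: the tolerance has to be wider than the implant's configured jitter or the beacon falls outside the band, and legitimate pollers (update checks, mail clients, monitoring agents) are just as regular, so the output is a hunting lead to be reviewed against the destination's reputation and the TLS details of the session, not a verdict.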

Wikileaks has published the full user guides to all three of the Imperial family of malware tools.

It comes a week after the organisation published documents from US defence contractor Raytheon's Blackbird Technologies unit for the UMBRAGE Component Library (UCL) project, submitted to the CIA between November 2014 and September 2015.

“They mostly contain proof-of-concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field,” according to Wikileaks.

The company, it added, “acted as a kind of ‘technology scout’ for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and proof-of-concept development for their own malware projects”.

In other words, Raytheon analysed the use of malware tools in the wild, which may also include tools used by other intelligence agencies, but passed on details about them to US agencies instead of informing the makers of the software that was being exploited.

Now, with details of such tools out in the open, all kinds of malware ‘threat actors’ can make use of the information.

The WannaCry and NotPetya attacks earlier this year spread using EternalBlue, an SMB exploit developed by the US National Security Agency and leaked by the Shadow Brokers group.

Meanwhile, security specialists have claimed that some of the tools described in the Wikileaks releases had already been used in the wild: Symantec, for instance, linked the Vault 7 documents to an espionage group it tracks as Longhorn.