Documents expose how Hollywood promotes war on behalf of the Pentagon, CIA and NSA

Tom Secker and Matthew Alford report on their astonishing findings from trawling through thousands of new US military and intelligence documents obtained under the Freedom of Information Act. The documents reveal for the first time the vast scale of US government control in Hollywood, including the ability to manipulate scripts or even prevent films too critical of the Pentagon from being made — not to mention influencing some of the most popular film franchises in recent years. This raises new questions not only about the way censorship works in the modern entertainment industry, but also about Hollywood’s little known role as a propaganda machine for the US national security apparatus.

— source

CIA malware BothanSpy and Gyrfalcon targeting Windows and Linux

WikiLeaks has dumped its newest Vault 7 documents, detailing the capabilities of two alleged CIA hacking tools dubbed BothanSpy and Gyrfalcon. The malware payloads have allegedly been designed to steal SSH credentials from systems running both Windows and Linux operating systems (OS).

According to WikiLeaks, while BothanSpy targets Windows computers, Gyrfalcon goes after Linux platforms. SSH (Secure Shell) credentials are cryptographic keys used to securely access a remote computer or server. In other words, the two alleged CIA malware strains would allow spies to remotely hack into systems, likely without being detected.

— source

WikiLeaks Publishes CIA Documents Detailing “Brutal Kangaroo” Tool and LNK Exploits

On June 22, 2017, WikiLeaks released a new cache of documents detailing four tools allegedly used by the CIA as part of its ongoing “Vault 7” campaign. The leaked tools are named “EzCheese,” “Brutal Kangaroo,” “Emotional Simian,” and “Shadow.” When used in combination, these tools can be used to attack systems that are air-gapped by using weaponized USB drives as an exfiltration channel. Per the documentation, the tool is deployed by unwitting targets; however, such tools could also easily be deployed purposefully by complicit insiders.

— source

Hacking governments since 2011

Malware that WikiLeaks purports belongs to the Central Intelligence Agency has been definitively tied to an advanced hacking operation that has been penetrating governments and private industries around the world for years, researchers from security firm Symantec say.

Longhorn, as Symantec dubs the group, has infected governments and companies in the financial, telecommunications, energy, and aerospace industries since at least 2011 and possibly as early as 2007. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the US, although that was probably a mistake.

Uncanny resemblance

Malware used by Longhorn bears an uncanny resemblance to tools and methods described in the Vault7 documents. Near-identical matches are found in cryptographic protocols, source-code compiler changes, and techniques for concealing malicious traffic flowing out of infected networks. Symantec, which has been tracking Longhorn since 2014, didn’t positively link the group to the CIA, but it has concluded that the malware Longhorn used over a span of years is included in the Vault7 cache of secret hacking manuals that WikiLeaks says belonged to the CIA. Virtually no one is disputing WikiLeaks’ contention that the documents belong to the US agency.

“Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide,” Symantec researchers wrote in a blog post published Monday. “Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault7.”

Exhibit A in Symantec’s case are Vault7 documents describing malware called Fluxwire. The changelog tracking differences from one version to the next matches, within one to a few days, the changes Symantec found in a Longhorn trojan known as Corentry. Early versions of Corentry also show that its developers used the same program database file location specified in the Fluxwire documentation. A change in Fluxwire version 3.5.0 that removes the database file path also matches changes Symantec tracked in Corentry. Up until 2014, Corentry source code was compiled using the GNU Compiler Collection. Then on February 25, 2015, it started using the Microsoft Visual C++ compiler. The progression matches changes described in Vault7 documentation.

Yet more similarities are found in a Vault7 malware module loader called Archangel and a specification for installing those modules known as Fire and Forget. The specification and modules described match almost perfectly with a Longhorn backdoor that Symantec calls Plexor.

Another Vault7 document prescribes the use of inner cryptography within communications already encrypted using the secure sockets layer protocol, performing key exchanges once per connection, and the use of the Advanced Encryption Standard with a 32-bit key. Still other Vault7 documents outline the use of the real-time transport protocol to conceal data sent to command-and-control servers and a variety of similar “tradecraft practices” to keep infections covert. While malware from other groups uses similar techniques, few use exactly the same ones described in the Vault7 documents.

According to Symantec:

While active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first came to Symantec’s attention in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor.

The malware had all the hallmarks of a sophisticated cyberespionage group. Aside from access to zero-day exploits, the group had preconfigured Plexor with a proxy address specific to the organization, indicating they had prior knowledge of the target environment.

To date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries. Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.

Before deploying malware to a target, Longhorn will preconfigure it with what appears to be target-specific code words and distinct C&C domains and IP addresses to communicate with. Longhorn uses capitalized code words, internally referenced as “groupid” and “siteid”, which may be used to identify campaigns and victims. Over 40 of these identifiers have been observed, and typically follow the theme of movies, characters, food, or music. One example was a nod to the band The Police, with the code words REDLIGHT and ROXANNE used.

Longhorn’s malware has an extensive list of commands for remote control of the infected computer. Most of the malware can also be customized with additional plugins and modules, some of which have been observed by Symantec.

Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions.

For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however, they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
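The traits Symantec lists above (one domain/IP pair per target, contact only at select times, capped uploads, randomized intervals) are exactly the kind of behaviour a defender can look for in proxy or firewall logs. The following is an added example, not code from Symantec or from the Vault7 material: a small beaconing heuristic run over a constructed log sample. All hosts, domains, timestamps and thresholds in it are assumptions made up for the illustration.

```python
"""Beaconing heuristic over proxy logs (constructed sample data, added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp, client, destination, bytes sent.
# None of these hosts or domains come from the Symantec or Vault7 material.
SAMPLE_LOG = """\
2017-03-06T02:00:00 10.1.1.5 updates.example-vps.net 3970
2017-03-06T02:09:47 10.1.1.5 updates.example-vps.net 4096
2017-03-06T02:20:12 10.1.1.5 updates.example-vps.net 4011
2017-03-06T02:29:30 10.1.1.5 updates.example-vps.net 4096
2017-03-06T02:40:03 10.1.1.5 updates.example-vps.net 4096
2017-03-06T02:50:44 10.1.1.5 updates.example-vps.net 3880
2017-03-06T03:00:21 10.1.1.5 updates.example-vps.net 4096
2017-03-06T09:14:02 10.1.1.7 www.example.com 812
2017-03-06T09:14:05 10.1.1.7 www.example.com 15230
2017-03-06T11:48:31 10.1.1.7 www.example.com 650
2017-03-06T16:02:09 10.1.1.7 www.example.com 90211
2017-03-06T16:02:10 10.1.1.7 www.example.com 120
"""


def parse_log(text):
    """Parse 'timestamp client destination bytes_sent' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, sent = line.split()
        events.append((datetime.fromisoformat(ts), client, dst, int(sent)))
    return events


def analyze(text, min_events=5, max_jitter=0.5, upload_cap=4096):
    """Score each (client, destination) pair for beacon-like behaviour.

    Heuristics mirror the traits described in the text: a steady interval with
    bounded randomisation (low coefficient of variation of the gaps), uploads
    that never exceed a fixed cap, and activity confined to a narrow set of
    hours. The thresholds are assumptions chosen for the constructed data.
    """
    by_pair = defaultdict(list)
    for ts, client, dst, sent in parse_log(text):
        by_pair[(client, dst)].append((ts, sent))

    results = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_events:
            continue  # too few contacts to say anything about periodicity
        hits.sort()
        times = [ts for ts, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        max_bytes = max(sent for _, sent in hits)
        results[pair] = {
            "count": len(hits),
            "mean_interval": avg,
            "jitter": jitter,
            "max_bytes": max_bytes,
            "active_hours": sorted({ts.hour for ts in times}),
            "flagged": jitter <= max_jitter and max_bytes <= upload_cap,
        }
    return results


def flagged_pairs(text, **kwargs):
    """Return the (client, destination) pairs the heuristic flags, sorted."""
    return sorted(p for p, r in analyze(text, **kwargs).items() if r["flagged"])


if __name__ == "__main__":
    for pair, r in analyze(SAMPLE_LOG).items():
        print(pair, r)
```

On the sample, the first client contacts one destination roughly every ten minutes with a few minutes of jitter, never sends more than 4096 bytes, and only during two early-morning hours; the second client's ordinary browsing has wildly varying gaps and sizes and is not flagged. In practice the thresholds need tuning against a baseline of normal traffic, and a low-jitter, capped-upload pair is a lead to investigate (check the domain's registration and hosting, as the text describes), not a verdict on its own.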

Prior to WikiLeaks publishing its Vault7 materials, Symantec had regarded Longhorn as a well-resourced organization that engaged in intelligence-gathering operations. Researchers based that assessment on Longhorn’s global range of targets and its ability to use well-developed malware and zero-day exploits. Symantec also noted that the group appeared to work a standard Monday-through-Friday work week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups. Symantec also uncovered indicators, among them the code word “scoobysnack” and software compilation times, that showed Longhorn members spoke English and likely lived in North America.

Since WikiLeaks published its first Vault7 installment in early March, there has been no outside source to either confirm or refute the authenticity of the documents. The Symantec research establishes without a doubt that the malware described in the trove is real and has been used in the wild for at least six years. It also makes a compelling case that the group that’s responsible is the CIA.

— source by Dan Goodin

Release of the Largest Leak of Secret CIA Documents

WikiLeaks has published what it says is the largest leak of secret CIA documents in history. The thousands of documents, dubbed “Vault 7,” describe CIA programs and tools that are capable of hacking into both Apple and Android cellphones. By hacking into entire phones, the CIA is then reportedly able to bypass encrypted messenger programs, such as Signal, Telegram and WhatsApp, although, contrary to many news reports, the documents do not show the CIA has developed tools to hack these encrypted services themselves. The documents also outline a CIA and British intelligence program called “Weeping Angel,” through which the spy agency can hack into a Samsung smart television and turn it into a surveillance device that records audio conversations, even when it appears to be off.

Julian Assange talking:

Vault 7 is the largest intelligence leak in history. We’ve published so far less than 1 percent of that material. Now, so far, the publications that we have published reveal that the Central Intelligence Agency has decided to create, in the last 10 years, its own captive version of the National Security Agency, not specialized in bulk interception, but specialized in semiautomated hacking processes. That’s creation of viruses, Trojans, etc., to put in people’s computer systems, telephones, TVs, and have those then report back to CIA listening posts that collect that information, ingest it into the broader CIA process. And also information can be pushed, using these mechanisms, onto those telephones, computers, etc., etc., to, for example, plant information that could implicate someone falsely, or perhaps even truly, in a crime.

So, I think it’s—it’s significant that as the Central Intelligence Agency gained budgetary and political preeminence over the National Security Agency, which used to have a bigger budget—in the post-9/11 environment, the CIA’s budget has now increased to about 1.5 times that of the National Security Agency. So, in response to that increased political power, where increased budgetary spending comes from, it has created its own effective air force, using drones, and its own large hacker squad. So it is able to do things internally that it would previously have to go out for others to do. So, the Central Intelligence Agency, like all institutions, is maximizing its institutional power. And it is slowly succeeding, compared to other institutions.

Now, in response to the various disclosures about the National Security Agency—most importantly, the Edward Snowden disclosures of 2013—industry has responded to market demand in various places, and various engineers ideologically also invested in this, to introduce encryption, in WhatsApp, in Signal, greater type—more types of encrypted email and so on. Now, the Central Intelligence Agency’s hacking approach does not target the intermediaries like the National Security Agency does for these bulk intercepts. Instead, it targets the endpoints, and then it doesn’t need to worry about the encryption. For example, if you and I, Amy, are communicating using, say, Signal on a smartphone, on an Apple or Android, then the Signal encryption protocol is actually quite good and, as far as is known, cannot be decrypted by an intermediary bulk spying on communications traffic going across the Atlantic, like the National Security Agency does. But if either you or I have our phones hacked, and the CIA software specializes in doing this, it means that that encryption doesn’t matter, because the—because the information is gathered either before it’s encrypted or after it is decrypted.

We made this offer publicly, and we also wrote to a number of the large companies, such as Apple, Microsoft, Google, Mozilla, which produces the Mozilla browser, etc. Now, the European companies responded almost immediately. Some even approached us. A couple of U.S. companies, such as Mozilla, responded immediately. And we were also approached by a security engineer at Cisco.

Google, Apple and Microsoft took eight or nine days, depending on the company, to respond. Now, that means that they were putting the—all the users at risk for eight or nine days. What was happening in that eight or nine days? Well, we hear—we’re not sure it’s true for all of the companies, but we hear from one of the companies that what was happening is that they were engaging their lawyers, they had been worried about the politics, etc., etc. My guess is that, on the legal front, a type of collaboration involving classified material could be argued to be conspiracy to commit espionage. Now, of course, that’s not actually practically possible in the U.S. court system or politically possible. And then these companies have individuals within them who have security clearances, because they work on classified projects for the government. And particularly the security divisions of Apple, Google, Microsoft, etc., have people with security clearances in them and who might lose their security clearances if they’re engaged in working on information that has been distributed not through a formal process. So, what you see in the—all those big three taking eight or nine days is some kind of collaboration, either directly with each other or through a third party, say, like the Department of Justice, to understand what role that they’re going to play.

And the role that they ended up playing is saying, “No, we don’t agree to fix anything,” which we had asked for, within 90 days. “No, we don’t agree to say that any fix came from you.” This was our requirement. “Instead, you can just throw something at our regular security reporting mechanism.” So, what’s going on there? Well, no record of collaboration, in a formal sense or in a political sense, that could be used to make political problems for those companies in terms of their contracts with the United States government or potentially introduce problems in relation to the Espionage Act or security clearances. That’s my supposition. We don’t know that’s true for sure. We know that some of that is true for at least one of these companies. But looking at the timing, it’s very unusual that Google, Microsoft and Apple all wrote back to us on the eighth or ninth day, whereas the other companies wrote back immediately or at various times.

Julian Assange
founder and editor-in-chief of WikiLeaks.

— source

WikiLeaks Reveals ‘Athena’ CIA Spying Program Targeting All Versions of Windows

WikiLeaks has published a new batch of the ongoing Vault 7 leak, detailing a spyware framework – which “provides remote beacon and loader capabilities on target computers” – allegedly being used by the CIA that works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.

Dubbed Athena/Hera, the spyware has been designed to take full control over infected Windows PCs remotely, allowing the agency to perform all sorts of actions on the target machine, including deleting data, uploading malicious software, and stealing data and sending it to a CIA server.

The leak, which includes a user manual for Athena, an overview of the technology, and a demonstration of how to use the spyware, reveals that the program comes in two variants: Primary: Athena, for Windows XP through Windows 10. Secondary: Hera, for Windows 8 through Windows 10.

— source

Meet the Midwestern Contractor That Appears Hundreds of Times in the CIA WikiLeaks Dump

In a suburb of Cincinnati about 30 minutes north of the Ohio River, right down the street from the local Hooters, a little known subsidiary of defense giant Northrop Grumman works on contracts for the Central Intelligence Agency.

Xetron Corporation, whose products range from military sensors to communications systems to information security software, shows up in nearly 400 documents published earlier this month by WikiLeaks. Those documents describe some of the tools the CIA uses to hack phones, smart TVs, and other digital products to conduct espionage overseas — and some of the partners that help them do it, like Xetron.

Now Xetron employees are facing additional scrutiny in the wake of the WikiLeaks dump, according to one source familiar with the matter, with some of them suddenly pulled in to polygraph examinations. It’s unclear if the government is conducting an active investigation into the company as a potential source of the leaks or if the firm is simply responding to stepped-up security requirements on some of its projects.

According to the source, it typically takes months for contractors to schedule the polygraph examinations required on certain sensitive government contracts — sometimes up to a year. “But if it was really important for a mission it would happen immediately … or [if there’s] concern about the project,” the person said. Another source familiar with Xetron’s operations said being suddenly asked to sit for a polygraph in the context of normal project requirements is unusual. The sources requested anonymity to preserve their employability in the buttoned-up world of defense contracting.

The FBI, Xetron, and Northrop Grumman all declined to comment. “Thank you for reaching out to us. At this time we’re not able to provide a comment on this matter,” Northrop Grumman spokesperson Matt McQueen wrote.

“We have no comment on the authenticity of purported intelligence documents released by WikiLeaks or on the status of any investigation into the source of the documents,” Heather Fritz Horniak, spokesperson for the CIA wrote in an email to The Intercept.

The material released by WikiLeaks shows that Xetron provided the CIA with tools to gain unauthorized access to Cisco routers. In one document, Xetron engineers are shown working with “The Bakery” — an unidentified group, possibly a codename for a unit within the CIA — to create “Cinnamon”: a malicious implant for Cisco devices. Another document says that Xetron developed software that routes communications back and forth between computers compromised by the CIA and command servers also controlled by the agency.

Xetron has been sharing hacking techniques with the intelligence community going back to at least 2010, according to documents from NSA whistleblower Edward Snowden. In that year, according to a top-secret schedule, a Xetron representative was slated to present malicious Windows software named “Orca” at one of the CIA’s annual “Jamboree” technology conferences for agency staff and contractors. Orca was designed to circumvent a security feature of Windows that prevented anyone from tampering with programs on a computer hard drive. Orca instead tampered with programs after they had been loaded from the drive into memory.

In a follow-on presentation at the 2011 Jamboree, another Xetron representative was scheduled to detail research into techniques to obscure the origins of malicious software like Orca. In 2012, a Xetron representative was slated to outline a technique for reverse engineering — that is, essentially re-creating — the “embedded” software used to operate real-world machines, according to a Jamboree conference schedule.

It’s not clear whether the CIA ever adopted any of the methods outlined in Xetron’s presentations. Asked about the Snowden documents, the agency wrote that “it is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less. It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.” The NSA did not comment.

Xetron’s proximity to the intelligence community has become particularly noteworthy in the wake of reports that federal investigators are focused on CIA contractors as the most likely sources of the documents published by WikiLeaks — although there is no evidence linking the company to that breach. The documents exposed details on many CIA capabilities, including a library of hacks against smartphones deemed “impressive” by digital security experts. Intelligence officials are taking the breach seriously; the CIA in a statement said the document release would “not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.” According to two sources working at major defense contractors, such employers are taking extra steps to remind employees about company ethics — giving speeches and posting fliers in the halls about appropriate data transfer procedures.

It’s highly likely the government knows where the leak came from, or has a good idea, said Nick Weaver, a senior staff researcher at the International Computer Science Institute in Berkeley.

“I would be shocked if the investigators don’t already know when and by whom the data was accessed, by combining access logs on the server with the very narrow time range when this leak could have occurred,” he wrote in a text message. “If they don’t know this by now, it indicates that a huge amount of effort dealing with insider threats was wasted. Google was able to do this analysis for the data allegedly stolen from their autonomous car project. Why couldn’t the CIA?”

Despite claiming some 68,000 employees as of 2013, Xetron has maintained a relatively low profile over the years. One exception came in 2011, when the hacker collective Anonymous released email purloined from digital security firm HBGary; in one such email, HBGary reportedly discussed negotiating with Xetron to provide Xetron computer malware it could repurpose or re-sell.

Xetron began as a smaller “defense electronics” firm in 1972 and was purchased by Westinghouse Electric Corporation in 1986. Both companies were acquired by Northrop Grumman in 1996. Xetron’s Ohio plant endured an expensive fire, which inflicted $15 million in damage, in the early 1990s.

“Xetron specializes in providing solutions that meet operational needs or fill technology gaps,” reads a recent description of the company written by Northrop Grumman for potential government customers. One specialty includes “computer network operations” — expertise in encryption and intrusion detection as well as “reverse engineering and computer assault.”

“Our many repeat Government customers can attest to the reliability of the products we provide,” the description reads. “Click the links below to learn more about just some of the products and services we offer. Even if you don’t see it here, tell us what you need. Chances are we can help.”

The company draws a large number of students from nearby engineering schools; it has a partnership on “cyber informatics” with the University of Cincinnati where employees of the company can take classes alongside students. In September 2016, representatives of Xetron went to the University of Dayton to recruit engineers “to join their highly skilled Cyber and Intelligence, Surveillance, and Reconnaissance development teams,” according to a public Facebook post.

Multiple former employees described an office environment focused on beating rivals like Lockheed Martin for government contracts, but where it was not unusual to spend years on a proof-of-concept only to see it left unused.

“Morale was weak, to say the least,” one former employee said. Even so, few former employees were willing to discuss even banal details about working at Xetron; it’s not at all clear that the environment would push someone to leak sensitive work product. “I think a lot of them still believe in the mission, they were just overworked and underappreciated.”

— source by Jenna McLaughlin