Wikileaks Next Series: Vault 7
#24
Hive

9 November, 2017
Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot'.

[Image: hive.png]

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

The documentation for Hive is available from the WikiLeaks Vault7 series.
"We'll know our disinformation campaign is complete when everything the American public believes is false." --William J. Casey, D.C.I

"We will lead every revolution against us." --Theodore Herzl

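Added example (not part of the original post or of the WikiLeaks material): a web server configured for optional client authentication sends a CertificateRequest handshake message, which travels in cleartext in TLS 1.2 and earlier (TLS 1.3 encrypts it, so this check assumes an older handshake). The Python parser below scans a captured server handshake flight for that message; the helper names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
         13: "CertificateRequest", 14: "ServerHelloDone"}

def handshake_types(stream: bytes) -> list:
    """Name the handshake messages in a cleartext TLS <=1.2 server flight."""
    payload = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        pos += 5
        if ctype != HANDSHAKE:
            break  # ChangeCipherSpec or alert: the cleartext flight is over
        if pos + length > len(stream):
            raise ValueError("truncated TLS record")
        payload += stream[pos:pos + length]  # messages may span or share records
        pos += length
    names, i = [], 0
    while i + 4 <= len(payload):
        mtype = payload[i]
        mlen = int.from_bytes(payload[i + 1:i + 4], "big")
        if i + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(NAMES.get(mtype, f"type{mtype}"))
        i += 4 + mlen
    return names

def requests_client_cert(stream: bytes) -> bool:
    """True if the server asked the visitor for a client certificate."""
    return "CertificateRequest" in handshake_types(stream)

# --- constructed sample data (dummy message bodies, not captured traffic) ---
def _msg(mtype, body=b"\x00" * 8):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

PLAIN_SITE = _record(_msg(2) + _msg(11) + _msg(12) + _msg(14, b""))
CLIENT_AUTH_SITE = (_record(_msg(2) + _msg(11))
                    + _record(_msg(12) + _msg(13) + _msg(14, b"")))
_flight = _msg(2) + _msg(13) + _msg(14, b"")
SPLIT_SITE = _record(_flight[:15]) + _record(_flight[15:])  # message spans records
```

A positive result is a weak signal on its own, since mutual TLS is routine for APIs and internal services; it is most useful when correlated with a public-looking website that serves ordinary content to browsers.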
