Information Security News
Two days after researchers exposed a National Security Agency-tied hacking group that operated in secret for more than a decade, CIA hackers convened an online discussion aimed at preventing the same kind of unwelcome attention. The thread, according to a document WikiLeaks published Tuesday, was titled "What did Equation do wrong, and how can we avoid doing the same?"
Equation Group is the name Kaspersky Lab researchers gave to the hacking unit that was responsible for a string of hacks so sophisticated and audacious they were unlike almost any the world had seen before. For 14 years, and possibly longer, the hackers monitored computers in at least 42 countries, sometimes by exploiting the same Microsoft Windows vulnerabilities that would later be exploited by the Stuxnet worm that targeted Iran's nuclear program. The backdoors hid inside hard drive firmware and in virtual file systems, among other dark places, and had their own self-destruct mechanism, making it impossible for outsiders to grasp the true scope of the group's hacks.
Equation Group eventually came to light because of a handful of errors its members made over the years. One was the widespread use of a distinctive encryption function that used the RC5 cipher with negative programming constants rather than with the positive constants favored by most developers. The nonstandard practice made it easier to identify Equation Group tools. Another mistake: failing to scrub variable names, developer account names, and similar fingerprints left in various pieces of Equation Group malware. A third error was the failure to renew some of the domain name registrations Equation Group-infected computers reported to. When Kaspersky Lab obtained the addresses, the researchers were shocked to find some machines infected by a malware platform abandoned more than 10 years earlier were still connecting to it.
by Sean Gallagher
This morning, WikiLeaks posted the first of what the organization's spokesperson says is a multi-part series of documents and files from the Central Intelligence Agency. "The first full part of the series, 'Year Zero', comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina [sic]," WikiLeaks' spokesperson said in a press release.
The documents, many of them incomplete or redacted, appear to be pulled in part from an internal Wiki, while others appear to have been part of a user file directory. In a move unusual for WikiLeaks, individuals' names have been redacted and replaced with unique identifiers. "These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe, and the United States," WikiLeaks' spokesperson explained in the release. "While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks."
The documents include instructions for using hacking tools, tips on configuration of Microsoft Visual Studio (classified as Secret/NOFORN), and testing notes for various hacking tools. Among the hacking tools listed are those for iOS, a collection of Android zero-days, and hacking techniques from various sources, including the UK's GCHQ and the National Security Agency. These tools, WikiLeaks claimed, "permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide, and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." That doesn't mean the CIA has broken encryption on those tools—WikiLeaks' claim is based on their ability to "root" those devices.