WikiLeaks doc dump reveals CIA tools for infecting air-gapped PCs

WikiLeaks has published online more top-secret documents it has obtained from the CIA describing the agency's hacking tools. This time the dossier details software codenamed Brutal Kangaroo that agents can use to infect targets' air-gapped computers with malware. The documents, originally written on May 11, 2015 and revised on …

  1. John Smith 19 Gold badge
    Thumb Up

    Hacked the snack machine and stole $4K of goodies.

    Proper BOFH behavior.

    Allegedly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hacked the snack machine and stole $4K of goodies.

      They do say the only difference between criminals and the police is the uniform.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hacked the snack machine and stole $4K of goodies.

        "They do say the only difference between criminals and the police is the uniform."

        Poacher turned gamekeeper and vice versa. That theme ran through "Red Dragon" and the other Hannibal Lecter stories.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hacked the snack machine and stole $4K of goodies.

        Criminals would say that.

    2. Wensleydale Cheese

      Re: Hacked the snack machine and stole $4K of goodies.

      Not just a hackable machine, but lousy financial controls in place as well.

      How many times was the thing restocked without adequate income from it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Hacked the snack machine and stole $4K of goodies.

        Sounds like these CIA guys were formerly at MIT.

      2. neillanwarne

        Re: Hacked the snack machine and stole $4K of goodies.

        Judging by the prices in our office machines, once.

      3. Anonymous Coward
        Anonymous Coward

        Re: Hacked the snack machine and stole $4K of goodies.

        > How many times was the thing restocked without adequate income from it?

        How many times were decent, hard-working service technicians sacked on suspicion of theft because the CIA office staff were, of course, above suspicion?

        1. Anonymous Coward
          Anonymous Coward

          Re: Hacked the snack machine and stole $4K of goodies.

          One day I found that a snack machine had given me a Mars bar without accepting my money. Went to the catering manager to pay for it. She had noticed a discrepancy in recent tallies - but hadn't twigged that the Mars bar slot had accidentally been set to zero cost.

  2. goldcd

    FFS

    If you believe you've assembled the A-team of hackers - and you don't believe they'll pick on your rip-off vending machine..

    ..just fire yourself.

  3. Notas Badoff

    "Suspicion Deflection"

    Oh if only they'd named it "Drop Bear" then they could believably claim it was one of them Asian nation states!

    (Yeah, yeah, I know, but the American public wouldn't remember 'continents' ...)

    1. Voland's right hand Silver badge

      Re: "Suspicion Deflection"

      Name already taken - by the embedded ssh server build. The one used by OpenWRT.

      1. DropBear
        Joke

        Re: "Suspicion Deflection"

        Damn right it's taken!

  4. gerdesj Silver badge
    Gimp

    Air gap with Windows gateways, you say (imply)

    A real air-gapped network has another device in between with no network access, doesn't run anything mainstream but is capable of scanning files and copying them from one media to another. Tripwire etc. is involved and most of it is mounted read-only.

    The data on the secure side is converted to plaintext and is retransmitted, again, via two semaphore operators in a tunnel with the doors closed at each end during transmission. The final bridge is the recipient semaphorist typing into a TTY.

    Wifey has started using something called "wifi" to get her docs and photos on our home LAN - apparently security is fine but inconvenient. The pigeons serving the offsite backups are starting to show signs of flagging under the sudden onslaught of data. I may have to upgrade to albatrosses to carry the new high capacity coded message canisters.

    1. Woza
      Joke

      Re: Air gap with Windows gateways, you say (imply)

      When you do upgrade, make sure you use a pointless albatross - less wear and tear on its feet.

      1. ratfox

        Re: Air gap with Windows gateways, you say (imply)

        Have you tried swallows? I hear they're fast.

        1. tfewster
          Happy

          Re: Air gap with Windows gateways, you say (imply)

          Would that be an African or a European swallow? And will that change post-Brexit?

          1. Anonymous Coward
            Anonymous Coward

            Re: Air gap with Windows gateways, you say (imply)

            unladen?

            1. CrazyOldCatMan Silver badge

              Re: Air gap with Windows gateways, you say (imply)

              unladen?

              Wasn't he killed a while back?

        2. Anonymous Coward
          Anonymous Coward

          Re: Air gap with Windows gateways, you say (imply)

          Pelicans have more bandwidth.

      2. John Smith 19 Gold badge
        Big Brother

        "pointless albatross"

        What do you know about pointless albatross?

        It's not even ready for release yet.

      3. Alan Brown Silver badge

        Re: Air gap with Windows gateways, you say (imply)

        What flavour is that albatross?

    2. Andytug

      Re: Air gap with Windows gateways, you say (imply)

      You should check out RFC1149, the updated version with QoS, RFC2549, and the IPv6 update, RFC6214.

    3. Florida1920

      Re: Air gap with Windows gateways, you say (imply)

      I may have to upgrade to albatrosses to carry the new high capacity coded message canisters.

      Pelicans. http://s.hswstatic.com/gif/pelican-1.jpg

      1. Alan Brown Silver badge

        Re: Air gap with Windows gateways, you say (imply)

        Pelicans. http://s.hswstatic.com/gif/pelican-1.jpg

        An example of RFC1149 encapsulation at work: https://www.youtube.com/watch?v=phUs2kIGY9M

    4. 2Nick3

      Re: Air gap with Windows gateways, you say (imply)

      "... via two semaphore operators in a tunnel ..."

      I frequently refer to bad network connections having "two squirrels with semaphore flags in the data path." I had no idea the use of that technology was so widespread!

  5. Anonymous Coward
    Anonymous Coward

    Amazing

    Sophisticated malware that crosses an air gap...

    you mean like a...

    VIRUS?

    1. Anonymous Coward
      Anonymous Coward

      Re: Amazing

      Yeah, an air-gapped PC has to catch a disease the old-fashioned way!

      " target computer that is set up to autorun its contents and is using Windows 7 as an operating system and running .Net 4.5"

      Is that likely? Surely everyone has autorun shut off by now?

      Surely we've realised it's just another of Microsoft's hacking APIs (along with hiding file extensions), even if we can't understand the completely retarded thinking that put them there.

  6. Anonymous Coward
    Anonymous Coward

    Nope...

    Organization's PCs have wee stickers over the USB sockets.

    We're safe.

    NEXT!

    1. Danny 14

      Re: Nope...

      I work in a school. The USB ports are safe because they all have chewing gum in them.

      1. Cynic_999

        Re: Nope...

        "I work in a school. The USB ports are safe because they all have chewing gum in them."

        Besides which there is no room for a virus - the HDD is filled with porn.

  7. Winkypop Silver badge
    WTF?

    Who comes up with these silly application names?

    Cowboys or spooks?

    Sorry; same, same...

    1. LDS Silver badge

      Re: Who comes up with these silly application names?

      Usually in those environments names are designed to be as random as possible, using a given vocabulary. The idea behind it is that the names shouldn't tell much about what they refer to (of course, their documentation would have to stay secret...), so just referring to them by name doesn't deliver useful information.

      More or less like many Linux application names :-P

      1. Amos1

        Re: Who comes up with these silly application names?

        I think they have the opportunity to tweak them or try again with the name generator. Brutal Kangaroo jumping from machine to machine with impunity. That's just poetic.

        I wonder what Honest Politician would do? Probably doesn't exist yet.

      2. Anonymous Coward
        Anonymous Coward

        Re: Who comes up with these silly application names?

        "Usually in those environments names are designed to be as random as possible, using a given vocabulary."

        There was the story (apocryphal?) of a major broadsheet newspaper's crossword in 1944 containing the answers "Overlord", "Omaha", "Utah" etc. As this was just before D-Day the security services became very concerned and visited the crossword compiler on suspicion he was a German spy.

        The man was a school teacher. It transpired that some of his pupils helped him with suggestions for words to which he fitted clues. As children they had reasonably free access to the nearby US army camp and its bonuses of chocolates etc - a part of the temporary accommodation of the large invasion forces. The boys saw these relatively unusual words written on boards and fed them back to their school master as crossword answers.

  8. Anonymous Coward
    Anonymous Coward

    Who watches the watchers?

    Yet again government agents abuse any tool/law they get their hands upon.

    These are supposed to be people we trust to act with integrity but it is clear that until greater power is balanced with greater punishment then they will continue to abuse whatever they are trusted with.

    1. Voland's right hand Silver badge

      Re: Who watches the watchers?

      Nothing wrong with THIS abuse - these are the guys their country pays to go and get info from ANOTHER country and/or attack another country by messing with its infrastructure, planting fake news, etc. The goal is to do it by any means necessary short of causing a war (unless they have been tasked with causing a war).

      Like it or not, that is the job of the externally facing secret services - CIA, GRU, MI6, etc. They are paid to fight dirty so that we do not fight "clean" on the battlefield according to the Geneva Conventions. Historically, they have been massively overdoing it on both sides and it is long overdue for them to be reined in exactly because of that - a dirty cloak and dagger war can always spill out in the open and become clean and nobody wants to do that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who watches the watchers?

        @ Voland's right hand

        How do you know what they have been up to? What is clear is that if they robbed the vending machine and no one came forward to pay, then they clearly are not acting within the law but as common thieves.

        I am not naive about the need to counter foreign attacks, but at the same time either they are supervised and the theft was condoned, or they are allowed to do what they like with zero oversight.

        These guys were not behind enemy lines; they were in the country they are supposed to be protecting. If they have no respect for their own country's laws or citizens (who paid for the stolen goodies), then why are they trusted with that country's secrets?

        1. Voland's right hand Silver badge

          Re: Who watches the watchers?

          How do you know what they have been up to,

          I know more than I would have preferred to know. I have multiple granduncles who have worked for one of the "firms" and I know about some of their older "handiwork" which is now past its classification "window" (lots of it is still not published, it officially does not exist, just no criminal penalty if you happen to know about it without having the relevant clearance).

          As far as the morals of the staff employed by the CIA, GRU, MI6, Mossad, etc, you get both sides of the coin. People who do it for their country and people who you would rather not meet in a dark alley. Both of them have little respect for the law as their job is to break the law to get the work done.

          It is the job of the political control of the agency and whoever gives orders to ensure that the subject of their interests is the enemy and not their own population. Unfortunately, the 20th and the 21st century (so far) are a litany of failures as far as that is concerned. Pretty much all governments have taken a leaf out of Stalin's and Hitler's book and have deployed the secret services (along with their long list of dirty methods) against internal targets.

    2. Anonymous Coward
      Anonymous Coward

      Re: Who watches the watchers?

      "These are supposed to be people we trust to act with integrity but it is clear that until greater power is balanced with greater punishment then they will continue to abuse whatever they are trusted with."

      Oh grow up. You seriously think that no other government in the world is doing this or at least trying to? It's the nature of espionage. And isn't it odd that WikiLeaks only seems to stick it to the US security services? Where are all the insider documents from Russia or China? You have to wonder who's funding this supposedly impartial whistle-blowing site.

      1. Thrudd

        Re: Who watches the watchers?

        Point totally missed.

        It isn't against the enemy whoever they may be but against allies and their own people that is the issue. Remember that these tools had been found in the past left laying about in domestic systems by sloppy spooks.

      2. Anonymous Coward
        Anonymous Coward

        @ Voland's right hand

        "Oh grow up. You seriously think that no other government in the world is doing this or at least trying to? It's the nature of espionage. And isn't it odd that WikiLeaks only seems to stick it to the US security services? Where are all the insider documents from Russia or China? You have to wonder who's funding this supposedly impartial whistle-blowing site."

        "no other government in the world is doing this" - they are supposed to act against foreign powers, not the people they are supposed to protect. In terms of domestic dissidents, then who chooses what is best for our country? If it is a democracy, it is supposed to be us.

        "And isn't it odd that WikiLeaks only seems to stick it to the US security services, where are all the insider documents from Russia or China?" I don't live in Russia or China, but if I did and they were democracies then I would be equally concerned about a group acting against democracy and the law in the country in which I lived.

        Given that I did not come from a family "on the inside", my chances of becoming collateral damage are much higher than yours. I am not naive, I just remember all the deaths reported in the papers of plastic-bag-over-the-head self-strangulations during kinky sex. All the child abuse and murders that went unpunished and have recently been shown to have been condoned by the authorities. The cost to the people they are presented to be protecting seems somewhat high.

        If it is against the law then that should apply to everyone in that country; one law for everyone or it is not a law at all. That these reports suggest there is no effective oversight is most worrying of all. How do we know the next terror attack wasn't for our own good?

  9. Ole Juul

    If you're a target, move

    a target computer that is set up to autorun its contents and is using Windows 7

    Seriously, is that so hard to avoid?

    1. Anonymous Coward
      Anonymous Coward

      Re: If you're a target, move

      As far as I can tell, it's again a good reason to drop Windows, but it's like the Trump presidency: it doesn't matter how blatant the problem, there will always be plenty of BS merchants seeking to declare anything black of the purest white.

      I'm just stating it here so the Redmond downvoters have something to do.

    2. DropBear

      Re: If you're a target, move

      Leaving the standard autorun active would really be kinda stupid in this day and age. However, one can rely on the OS trying to read the file structure of inserted media - not having read the source I can only wonder if it would be possible to exploit something there and craft a "file structure" that ends up executing a payload instead...

      1. Anonymous Coward
        Anonymous Coward

        Re: If you're a target, move

        Leaving the standard autorun active would really be kinda stupid in this day and age.

        Agree. Now, who does this again and again by default. Hmmm. I think they're from Redmond. Hmmm. No, it escapes me at the moment.

      2. Kiwi
        Thumb Up

        Re: If you're a target, move

        Leaving the standard autorun active would really be kinda stupid in this day and age. However, one can rely on the OS trying to read the file structure of inserted media - not having read the source I can only wonder if it would be possible to exploit something there and craft a "file structure" that ends up executing a payload instead...

        It's the driver portion that's the key bit. IIRC "Brontik" (or some similar name, circa 2013) could infect USB sticks in such a way that Windows would load the malware as if it was a driver for the stick. Several times I saw that thing getting past up-to-date AV and past autorun. Was interesting when I finally got a sample of it to play with (before the boss did a hardware wipe of the USB I had it on, involving a blowtorch...), plugged it into something that had only just updated its AV (can't recall which, but was one of the better ones), and the machine was infected despite good AV and all autorun stuff off. Did it to prove to the boss we needed another scanning station that wasn't using a HDD-installed Windows.

        Whatever it was, it blew straight past the defences and the machine was infected (had an obvious payload, dropped "porn.avi(hidden.EXE)" onto the desktop (or something like that) among other things, and you could see it happen a few seconds after plugging the stick in but before you got the "your driver was installed correctly" prompt. I know it infected 7 and XP, safe to assume also Vista.

        But maybe it was also working on the filesystem as you suggest. However it worked it was damned quick!

  10. fedoraman
    Thumb Up

    A new knife?

    To anyone who has ever bought a new knife: what is one of the first things that you cut with it?

    Yes, yourself.

    (Hence the thumb)

    1. Rich 11

      Re: A new knife?

      What is one of the first things that you cut with it?

      The packaging it came in. Why would I use my own flesh to test its edge? I stopped doing that when I was 8. Mostly.

      1. Anonymous Coward
        Anonymous Coward

        Re: A new knife?

        "The packaging it came in. "

        Super-sharp Kitchen Devils now come in a blister pack - presumably designed so kids can't pocket the knife in the shop. Unfortunately it is very easy to nick yourself on the knife edge when opening the blister pack - a light touch is enough for a bleeding fine cut.

    2. Kiwi
      Thumb Up

      Re: A new knife?

      To anyone who has ever bought a new knife: what is one of the first things that you cut with it?

      Yes, yourself.

      Immutable law of physics that. Why, you could send it to someone to open on your behalf, on another planet, in a parallel universe, and before it has even cut air you'll be bleeding!

      Funniest was someone very carefully handling the blade packet with gloves (one of those ones where you don't need to touch the blade ever).. Blade somehow slipped, dropped onto his bare leg just above the steel-cap boots he was wearing, giving himself a small but annoying cut. Blood sacrifice satisfied, no one else was cut by that blade.

  11. Paul Herber Silver badge

    Bleedin' albatross

    It's Stormy Petrel on a USB stick, mate.

  12. Anonymous Coward
    Anonymous Coward

    So in short...

    ...a virus that uses USB & Autorun as the carrier.

    Well, that's new.

  13. Prst. V.Jeltz Silver badge

    autorun - big woop

    I'm sorry but I didn't need the CIA to tell me that if I want to infect an air-gapped PC I have to put my malware on a stick and hope there are enough idiots with autorun still turned on that the malware will make its way over the air gap.

    The CIA are going to shit a gold brick when they realise there is a way round the "no autorun" hurdle - simply label your malware nakedladys.jpg.exe

    1. Anonymous Coward
      Anonymous Coward

      Re: autorun - big woop

      "[...] nakedladys.jpg.exe [...]"

      IIRC, use the right-to-left text order modifier control to avoid it ending in the obvious "exe".
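
A defender-side check for the two filename disguises the thread mentions (the double extension ".jpg.exe" and the right-to-left override character), written as an added example that is not part of the original thread. The sample filenames are constructed, and the display simulation is a deliberate simplification of the Unicode bidi algorithm.

```python
"""Flag filenames that disguise an executable behind a decoy extension or a bidi override."""

# Unicode bidirectional controls (RLO and friends) that change how a name is drawn on screen.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
RLO = "\u202e"  # Right-to-Left Override
PDF = "\u202c"  # Pop Directional Formatting: ends an override

# Extensions Windows will execute, and decoy document/media extensions seen in double-extension names.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi", "lnk"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "xls", "txt", "avi", "mp4"}


def strip_bidi(name):
    """Return the name as the filesystem stores it, minus the invisible bidi controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extensions(name):
    """All dotted extensions of the stored name, lowercased, e.g. ['jpg', 'exe']."""
    parts = strip_bidi(name).split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name):
    """Approximate what a naive renderer shows: text after an RLO is drawn right-to-left
    until a PDF or the end of the string. (Simplified model of the bidi algorithm.)"""
    if RLO not in name:
        return strip_bidi(name)
    head, tail = name.split(RLO, 1)
    overridden, _, rest = tail.partition(PDF)
    return strip_bidi(head) + strip_bidi(overridden)[::-1] + displayed_name(rest)


def assess(name):
    """Classify one filename; returns a dict a removable-media scanner could log."""
    exts = extensions(name)
    true_ext = exts[-1] if exts else ""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    double_ext = len(exts) >= 2 and exts[-2] in DECOY_EXTS
    if true_ext in EXECUTABLE_EXTS and (has_bidi or double_ext):
        verdict = "disguised-executable"
    elif true_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    elif has_bidi:
        verdict = "bidi-control"
    else:
        verdict = "ok"
    return {"name": strip_bidi(name), "displayed_as": displayed_name(name), "true_ext": true_ext,
            "has_bidi": has_bidi, "double_ext": double_ext, "verdict": verdict}


# Constructed sample listing (not real files); the first two are the tricks discussed in the thread.
SAMPLE_NAMES = [
    "nakedladys.jpg.exe",          # double extension: Explorer shows "nakedladys.jpg" with extensions hidden
    "holiday_" + RLO + "gpj.exe",  # RLO: drawn as "holiday_exe.jpg", but the stored extension is .exe
    "report.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = assess(n)
        print(f"{r['displayed_as']!r:24} true_ext={r['true_ext']:4} verdict={r['verdict']}")
```

Running the block prints the name as a user would see it next to the extension that actually decides what runs, which is the comparison a mail gateway or USB scanning station should be making.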

    2. Anonymous Coward
      Anonymous Coward

      Re: autorun - big woop

      That ruse only works with straight men and "possibly" gay women. The rest of the population sees it for the trojan horse it is. Proof positive that diversity in the workplace is a good thing.

  14. Cynic_999

    Autorun?

    Does anyone set up their PC to autorun these days? Let alone those who are security conscious enough to keep a machine airgapped.

  15. Androgynous Cow Herd

    Innovation...

    So you are saying that even if a system is airgapped, if you can insert a piece of third party media into it that contains a virus, it will be infected anyway?

    Clever what they can do these days...

  16. ThaumaTechnician

    Did I read that article too fast?

    "Once an infected thumb drive is plugged into a target computer..."

    Uh, if a thumb drive is plugged in, it's not considered air-gapped any more, no?
