Latest WikiLeaks Vault7 release details CIA Windows spyware
Fri 19 May 2017
WikiLeaks has released a new set of documents in the CIA Vault 7 leak, detailing a CIA spyware project called ‘Athena/Hera’.
The Athena malware targets computers running Windows XP to Windows 10, while the Hera variant was created for Windows 8 to Windows 10.
Once installed, the Athena/Hera spyware acts as a remote beacon and loader on the target computer, allowing the machine to be controlled remotely. Using Athena, the agency could set up and delete malicious payloads, aimed at specific outcomes. The malware also allows for the retrieval of files and data, which can be copied, deleted, or sent to the remote command server.
According to the documentation published by WikiLeaks, the Python-based malware hijacks a support DLL loaded by the host application, using either the RemoteAccess or the DNSCache service.
The WikiLeaks documentation also details the methods by which Athena/Hera can bypass the Microsoft SysInternals troubleshooting service, which checks DLLs for a verifiable signature chain of trust. The CIA apparently warned the developer Siege Technologies that the final product could not cause any security popups or alerts, specifically those from Kaspersky Total Security or Kaspersky Internet Security products.
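As an added defensive check (not taken from the article or the leaked documents), this PowerShell script inspects the two svchost-hosted services the documentation names, RemoteAccess and DNSCache: it verifies the Authenticode signature and location of each service's registered DLL and of every module currently loaded in the process hosting it, which is where a hijacked support DLL would show up. It assumes the standard Windows layout in which a service DLL is recorded under the service's Parameters registry key, and it needs an elevated prompt to read the modules of a SYSTEM-owned process.

```powershell
# Services named in the Athena/Hera documentation as DLL-hijack hosts.
$services = @('RemoteAccess', 'Dnscache')
$sys32 = Join-Path $env:SystemRoot 'System32'

function Test-ModuleTrust {
    param([string]$Path, [string]$Service)
    # Flag a DLL that lives outside System32, is unsigned, has a broken
    # signature chain, or is not signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [PSCustomObject]@{
        Service    = $Service
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Suspicious = ($Path -notlike "$sys32\*") -or
                     ($sig.Status -ne 'Valid') -or
                     ($signer -notmatch 'Microsoft')
    }
}

$findings = foreach ($svc in $services) {
    $info = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    if (-not $info) { Write-Warning "$svc : service not present on this host"; continue }

    # 1. The DLL registered for the service itself (assumed standard layout:
    #    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $expanded) { Test-ModuleTrust -Path $expanded -Service $svc }
        else { Write-Warning "$svc : ServiceDll points at a missing file: $expanded" }
    }

    # 2. Every module loaded in the hosting svchost process, when it is running.
    #    Note: a shared svchost also hosts other services, so review, don't auto-block.
    if ($info.ProcessId -gt 0) {
        $proc = Get-Process -Id $info.ProcessId -ErrorAction SilentlyContinue
        if ($proc) {
            foreach ($m in $proc.Modules) { Test-ModuleTrust -Path $m.FileName -Service $svc }
        }
    }
}

# Print only what deserves a closer look.
$findings | Where-Object Suspicious | Format-Table Service, Status, Signer, Path -AutoSize
```

Run it from an elevated prompt; an empty table means every inspected DLL sits in System32 with a valid Microsoft signature.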
If the documentation is correct, the CIA has been working with Siege on the development of Athena/Hera since 2015, shortly after the release of Windows 10. Siege Technologies, a cybersecurity company based in New Hampshire, claims to deliver ‘offense-driven defensive cyber security solutions in the private and government sectors.’
Siege Technologies was acquired by Virginia’s Nehemiah Security in November of last year.
In an email chain released with the Athena/Hera documents, it was stated that “Hackers at the NSA’s Tailored Access Operations, or TAO, have more than 1,000 special tools to aid them in stealing data or manipulating a rival’s electronics. As described by three people briefed on the technology, the tools enable rapid, mix-and-match attack capabilities against the most widely used computers, servers and software.”
The email also said that TAO has the ability to remotely access microphones on computers running the Windows operating system, and can use this to covertly record the conversations taking place near the machine.
This is the ninth weekly release of Vault 7 documents, each of which details a CIA project aimed at using technological advances for covert activities.