WikiLeaks has published more documents revealing the hacking tools used by the CIA. This latest dossier dump includes details on how the agency was able to infiltrate air-gapped computers - machines that hold information so sensitive they are physically isolated and incapable of connecting to other computers or unsecured networks.
The 150 pages of material published by WikiLeaks include a user guide for the Brutal Kangaroo program, which targets closed networks or computers using infected USB sticks. One of its components is Shattered Assurance, a server tool that uses the Drifting Deadline malware to infect any USB drive plugged into the machine in question. When the infected drive is later plugged into an air-gapped computer, the Shadow malware is deployed onto that system.
"When a user is using the primary host and inserts a USB stick into it, the thumb drive itself is infected with a separate malware. If this thumb drive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network."
"By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange," writes WikiLeaks.
By exploiting vulnerabilities in Windows, the drives were sometimes able to infect machines without the user having to open any files.
"Older versions of the tool suite used a mechanism called EZCheese that was a zero-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system," according to WikiLeaks.
In a statement, Microsoft wrote: "Our investigation confirmed that customers on supported versions of Windows are not impacted. For the best defense against modern security threats, we recommend Windows 10, which is updated automatically by default."
WikiLeaks notes the similarities between Brutal Kangaroo and Stuxnet, the industrial malware that infected the air-gapped computers used by Iranian scientists working on the country’s nuclear program.