
Vault 8 – Source code and analysis for CIA software projects - degenerate
https://wikileaks.org/vault8/
======
drak0n1c
If pretty basic software can place misleading markers on internet traffic and
file metadata, why is the presence of Russian metadata in a hack or leak
considered evidence?

~~~
dguido
Because "Russian metadata" was not the totality of evidence used to draw the
conclusion that it was Russia. It's never just one thing, it's all the things,
together.

If you want an example of the kind of analytical techniques that people use
for attribution in the US government and sophisticated industry groups, then
refer to the Diamond Model of Intrusion Analysis:
[http://www.activeresponse.org/wp-content/uploads/2013/07/dia...](http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)

~~~
monocasa
Isn't the CIA here specifically attacking this model of attribution?

~~~
Natsu
Kaspersky has a response to the attacks on attribution that's quite relevant
to this story which you can read here:

[https://cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu...](https://cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf)

It was on HN before, but it vanished quickly -

[https://news.ycombinator.com/item?id=15483529](https://news.ycombinator.com/item?id=15483529)

~~~
dang
Looks like we invited nkurz to repost that one but it didn't happen to get
traction either time. Hard to say why, but it wasn't flags.

~~~
Natsu
Sorry, didn't mean to imply otherwise. It's pretty interesting, IMHO, but just
didn't get upvotes/visibility.

------
yters
Interesting that WL goes after the one nation state that is not going to
completely fubar them, and has much better human rights than the other big
nation states it could go after. I say that if WL's real goal is to promote
human rights, the US is not the highest target on the list. On the other hand,
if they want easy publicity with minimal risk to self, the US is probably
their best target.

~~~
serf
> I say that if WL's real goal is to promote human rights, the US is not the
> highest target on the list.

Well, I say that constant hopes for transparency and the strides we take
towards those goals will keep the United States high on the list of nations
with decent human rights.

WL is one of those strides, and I think it's invaluable.

It's 'interesting' that, given the muck WL has raked up about the U.S.,
anyone could be upset about their (the US) having been a target.

~~~
aalleavitch
The question is not whether the US should be subject to oversight, the
question is "does WikiLeaks intend to push a deliberate agenda with their
disproportionate targeting of the US?"

You would be naive to take for granted that WikiLeaks is acting exclusively
out of principle.

~~~
jhiska
You are reframing the discussion.

~~~
AnimalMuppet
I would disagree. This particular discussion was started by yters' post;
aalleavitch's point seems to me to be extremely in sync with yters'.

------
45h34jh53k4j
This is the source code (and several binary compiles) of the CIA C2
infrastructure + client implants for Solaris, Linux and various routers. I
suspect that now this is in the open, past and current CIA malware will now be
detectable by commercial Anti Virus.

~~~
willstrafach
I'm not so sure about that. WL released the documentation back in April, which
contained more than enough information to create a few behavioral detection
signatures for the implants. I would assume that any AV company who cared has
already created and deployed signatures.

~~~
45h34jh53k4j
Hi chronic,

We now know that all comms from implant to C2 are TLS with a unique (fake)
certificate tree. They use unique, single use domains for operations. I don't
believe there was enough information in vault 7 to identify IOCs that could
be used for behavioural analysis. We also now know that the C2 fronting
servers negotiate 'Client Cert optional', which is a fairly unique
configuration item.

The git repo contains 3 binary builds of the client/server malware. I think
this is more important for detection than their docs.

Regardless, it's all public domain now.

~~~
willstrafach
AV is now far beyond just using hash-based detection, but you are correct that
having the three binary builds will allow that to also be added to their
(hopefully existing) detections. No argument there.

What you're saying comes from the documentation included in the source, yes.
But if you dig into the Confluence dump from back in March, you'll see that
the User's Guide and Developer's Guide PDFs for Hive were attached to one of
the wiki pages already, explaining how this all worked. It did not get any
press attention as it was quite mundane compared to the more interesting
leaked wiki pages, but I would really hope AV companies and others in infosec
noticed this already.

------
throwaway292929
The following lines from /honeycomb/crypto.c look very interesting...

    /*
     * Computing a "safe" DH-1024 prime can take a very
     * long time, so a precomputed value is provided below.
     * You may run dh_genprime to generate a new value.
     */
    char *my_dhm_P =
        "E4004C1F94182000103D883A448B3F80" \
        "2CE4B44A83301270002C20D0321CFD00" \
        "11CCEF784C26A400F43DFB901BCA7538" \
        "F2C6B176001CF5A0FD16D2C48B1D0C1C" \
        "F6AC8E1DA6BCC3B4E1F96B0564965300" \
        "FFA1D0B601EB2800F489AA512C4B248C" \
        "01F76949A60BB7F00A40B1EAB64BDD48" \
        "E8A700D60B7F1200FA8E77B0A979DABF";

~~~
ryanlol
Those lines aren't very interesting. The comment explains exactly what and why
they are.

You'll be able to find this same C̶I̶A̶ ̶b̶a̶c̶k̶d̶o̶o̶r̶ DH-1024 prime in
tons of other projects:

[https://github.com/mstorsjo/rtmpdump/blob/master/librtmp/rtm...](https://github.com/mstorsjo/rtmpdump/blob/master/librtmp/rtmp.c#L42)

[https://github.com/travelping/nattcp/blob/master/polarssl.c#...](https://github.com/travelping/nattcp/blob/master/polarssl.c#L24)

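The check a defender would actually run on a modulus like this, rather than eyeballing it: confirm that the value quoted above is really a 1024-bit prime, that it is a "safe" prime (p = 2q + 1 with q prime) as the source comment claims, and which subgroup the generator lands in. This is an added example, not code from the Hive source, PolarSSL, or any project linked in this thread. The modulus is the one quoted above; `ASSUMED_G = 4` is an assumption (the thread does not quote the generator), and `analyze_dh_group` and `is_probable_prime` are names chosen here.

```python
"""Sanity checks on a Diffie-Hellman group found in leaked or suspicious source.

Added example; not code from the Hive repository or PolarSSL. The modulus is
the one quoted in the thread from honeycomb/crypto.c. ASSUMED_G is an
assumption: the generator value is not quoted in the thread."""
import hashlib
import random

# The modulus exactly as quoted in the thread (256 hex digits = 1024 bits).
MY_DHM_P_HEX = (
    "E4004C1F94182000103D883A448B3F80"
    "2CE4B44A83301270002C20D0321CFD00"
    "11CCEF784C26A400F43DFB901BCA7538"
    "F2C6B176001CF5A0FD16D2C48B1D0C1C"
    "F6AC8E1DA6BCC3B4E1F96B0564965300"
    "FFA1D0B601EB2800F489AA512C4B248C"
    "01F76949A60BB7F00A40B1EAB64BDD48"
    "E8A700D60B7F1200FA8E77B0A979DABF"
)
ASSUMED_G = 4  # assumption: generator not quoted in the thread


def _small_primes(limit=1000):
    """Primes up to `limit`, used for cheap trial division before Miller-Rabin."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rounds=40, seed=0):
    """Trial division plus `rounds` Miller-Rabin rounds with a fixed-seed RNG so
    the result is reproducible. A composite survives with probability < 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def analyze_dh_group(p_hex, g):
    """Return the facts about (p, g) that matter when judging a DH group."""
    p = int(p_hex, 16)
    q = (p - 1) // 2
    p_bytes = p.to_bytes((p.bit_length() + 7) // 8, "big")
    info = {
        "bits": p.bit_length(),
        "p_prime": is_probable_prime(p),
        "safe_prime": False,
        "g_subgroup": None,
        # SHA-256 of the big-endian modulus: a stable handle for matching the
        # same group across code bases, which is how one shows it is shared.
        "fingerprint": hashlib.sha256(p_bytes).hexdigest(),
    }
    if info["p_prime"] and p % 2 == 1:
        info["safe_prime"] = is_probable_prime(q)
    if info["safe_prime"]:
        if g <= 1 or g >= p - 1:
            info["g_subgroup"] = "trivial"  # order 1 or 2: unusable
        elif pow(g, q, p) == 1:
            # g is a quadratic residue: it generates the prime-order subgroup
            # of size q, so g^x leaks nothing about the low bit of x.
            info["g_subgroup"] = "q"
        else:
            # g^q == p - 1: g generates the full group of order 2q, and the
            # Legendre symbol of g^x reveals the low bit of the exponent.
            info["g_subgroup"] = "2q"
    return info


if __name__ == "__main__":
    for key, value in analyze_dh_group(MY_DHM_P_HEX, ASSUMED_G).items():
        print(f"{key:12} {value}")
```

What the script can and cannot tell you: it confirms the group is structurally sound (a safe prime, generator in the prime-order subgroup), and the fingerprint is what you would diff against other repositories to make the point ryanlol makes, that the same modulus appears in unrelated projects and so says nothing about who wrote the code. It does not make 1024-bit DH acceptable: that size is below current recommendations, and a modulus shared by many deployments is precisely the case where a one-time precomputation attack on the group (the Logjam result) pays off, so "well-known PolarSSL prime" and "should be replaced" are both true.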
~~~
throwaway292929
You're right, I got over-enthusiastic. And it looks like the C code has been
migrated to Python anyway. Also, owners of MikroTik hardware look to be
thoroughly owned:

    elif str(beacon_hdr.os) == '40':
        beacon_data['os'] = "MikroTik-MIPSBE"
    elif str(beacon_hdr.os) == '41':
        beacon_data['os'] = "MikroTik-MIPSLE"
    elif str(beacon_hdr.os) == '42':
        beacon_data['os'] = "MikroTik-x86"
    elif str(beacon_hdr.os) == '43':
        beacon_data['os'] = "MikroTik-PPC"

------
_pdp_
The bad news is that soon the CIA will not have to build their own infrastructure
due to the rise of all kinds of public P2P technologies. The best type of
covert operation is the one that is hidden in plain sight.

------
SomeStupidPoint
I see Wikileaks is still publishing "leaks" about US agencies in the week
following major news on the Russian investigation, as they have more-or-less
consistently since February.

I'm sure this time is just coincidence, too.

------
IIAOPSW
Again?

Can someone tell me if there's actual malfeasance this time or just more edgy
moaning about the spy agency doing its job?

I'm happy to call out the security apparatus when it actually oversteps its
bounds (e.g. the Snowden leaks). But so far as I can tell WikiLeaks Vault 7/8
isn't a leak in the public interest. It's just anti-American wankery.

~~~
monocasa
The amount of work that they put into throwing off attribution, while
expected, is important to make its way into public knowledge rather than just
the realm of conspiracy, IMO.

~~~
jhiska
It is vital to the intel community that their methods of attribution can't be
publicly audited and that their authority is trusted on word alone.

------
bob9
Interesting drop.

I have many questions but two are very high on my list:

1\. One of the commit messages mentions a merge from a git remote hosted at
devlan.net. Who owns that host, and is it a hidden CIA server or a repurposed
captured host?

[https://wikileaks.org/vault8/document/hive-log/page-41/#pagi...](https://wikileaks.org/vault8/document/hive-log/page-41/#pagination)
Merge branch 'master' of ssh://stash.devlan.net:7999/hive/hive

[https://www.whois.com/whois/devlan.net](https://www.whois.com/whois/devlan.net)

It kinda looks like a captured host registered originally by a French admin.

2\. Why Solaris? MikroTik and the other router targets make sense in
combination with generic Linux machines, but Solaris sticks out and there must
be an interesting explanation for targeting that. What kind of internet facing
Solaris hosts are out there, or which orgs use it in such a capacity to become
a target for the CIA?

~~~
tgragnato
1\. Stash seems to be an Atlassian instance hosted on their intranet.

2\. <conjecture>Kaspersky?</conjecture> + ISPs, universities, etc.

~~~
bob9
1\. it's very bad practice, even if only internal, to use an already
registered public domain. It crossed my mind that this might just be an
internal domain (devlan -> developer LAN), though it seemed unbelievable an
agency would have people in IT with that much disrespect for proper network
config.

It must be an interesting life for the French admin of the "real" devlan.net
since the leaks.

2\. I don't get the Kaspersky reference. Can you explain?

ISP and University: I suppose you mean those would be running public Solaris
hosts, right? And that therefore the CIA has been hiding on those servers. I
sure would hate the CIA to spy on scientists, though it's not unheard of that
one of the agencies knocks on the door of a scientist who just happened to be on
the verge of publishing something they deem a risk. Happened in the past and
sure still does. The imbalance and abuse of power is the problem and here it's
legalized/constitutionalised. An agency can spy on my private life and
professional work without being questioned, but we aren't allowed to demand a
transparent administration or any of the many branches of government.

