In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.
Here’s How the CIA’s ELSA Malware Works
The Elsa system first installs the malware on a targeted WiFi-enabled machine using separate CIA exploits to gain persistent access on the device.
The malware then uses Wi-Fi hardware of the infected computer to scan nearby visible WiFi access points (AP) and records their ESSID – stands for Extended Service Set Identifier (IEEE 802.11 wireless networking), MAC address and signal strength at regular intervals.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
“If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp,” WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn’t beacon (transfer) this data to the agency’s server, instead, the operator (CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
The CIA hacker (operator) then uses additional back-end software to match collected access point data from exfiltrated log files with public geolocation databases (from Google and Microsoft) and finds the exact location of their target.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA tool suite for Microsoft Windows, dubbed Brutal Kangaroo, that targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Since March, the whistleblowing group has published 12 batches of “Vault 7” series, which includes the latest and last week leaks, along with the following batches:
- Cherry Blossom – a CIA’s framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
- Pandemic – a CIA’s project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
- Athena – A CIA’s spyware framework that has been designed to take full control over the infected Windows PCs remotely, and works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
- AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
- Archimedes – A man-in-the-middle attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
- Scribbles – Software supposedly designed to embed ‘web beacons’ into confidential documents, allowing the CIA to track insiders and whistleblowers.
- Grasshopper – A framework that allowed the CIA to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – Disclosed the source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
- Dark Matter – Hacking exploits the CIA designed to target iPhones and Macs.
- Weeping Angel – Spying tool used by the spy agency to infiltrate smart TV’s, transforming them into covert microphones.
- Year Zero – CIA hacking exploits for popular hardware and software.