WikiLeaks released the source code for Hive on Thursday, a CIA (Central Intelligence Agency) implant component used to transfer exfiltrated information from target Windows machines. The technical details for Hive were first released on April 14th, 2017 in the Vault 7 series of documents.
The Vault 7 series detailed the CIA's activities and hacking capabilities for electronic surveillance and cyber warfare. During the series, WikiLeaks released technical details on 23 tools allegedly used by the agency to hack smart TVs, cars, web browsers, desktop operating systems (including Windows, Mac, and Linux), smartphone operating systems (including Android and iOS), VLC player, webcams, and microphones.
However, the latest release has been carried out under the code name Vault 8. The Vault 8 series will only expose source code for previously leaked implants.
“This publication will enable investigative journalists, forensic experts, and the general public to better identify and understand covert CIA infrastructure components,” WikiLeaks said. “Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention,” said the official press release.
Hive works as a communication channel between malware and “cover domains.” These domains look harmless and “perfectly-boring-looking” to visitors; however, traffic from implants communicating with these domains is forwarded to an implant operator management gateway called Honeycomb. The collected data is then sent back to the CIA.
According to WikiLeaks, the CIA used fake certificates included in the Hive source code to impersonate existing entities, including Kaspersky Lab.
“The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” noted WikiLeaks.
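A defender-side illustration of why this certificate trick misleads network-traffic attribution, added here as an example that is not part of the Hive source or the WikiLeaks release: a certificate whose Issuer field merely copies a CA's name passes a name-only check, while verifying its signature under that CA's actual public key exposes it. All names, keys and the `issue`/`BuildScenario`/`Inspect` helpers are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}

// BuildScenario: a made-up root CA, a leaf it really signed, and a leaf that only borrows the CA's name.
func BuildScenario() (ca, genuine, forged *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Premium Server CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf := func(serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example AV Vendor"},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	}
	genuine = issue(leaf(2), ca, &leafKey.PublicKey, caKey)
	// The forged parent carries only the CA's name; the leaf signs itself and the CA's private key is never involved.
	forged = issue(leaf(3), &x509.Certificate{Subject: caTmpl.Subject}, &leafKey.PublicKey, leafKey)
	return
}

// Inspect contrasts the weak check (issuer DN equals the CA's subject) with signature verification under the CA key.
func Inspect(ca, cert *x509.Certificate) (issuerNameMatches, signatureValid bool) {
	return cert.Issuer.String() == ca.Subject.String(), cert.CheckSignatureFrom(ca) == nil
}

func main() {
	ca, genuine, forged := BuildScenario()
	fmt.Println(Inspect(ca, genuine)) // true true
	fmt.Println(Inspect(ca, forged))  // true false
}
```

The point for analysts is that attribution from captured TLS traffic must rest on chain validation against a trust store, not on the subject and issuer strings an operator is free to type.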
Remember, the US government has banned Kaspersky Lab over its alleged links with Russia. However, after the release of Hive’s source code, it is unclear whether the CIA only impersonated Kaspersky Lab or also hacked its systems to frame the cybersecurity giant and bring Russia under fire.
Israel also played a vital role in hacking Kaspersky Lab. In October this year, it was reported that in 2015 Israeli spies managed to access Kaspersky’s backend systems and found that Russian hackers were discreetly using the software both as a universal search engine and as a spying tool.