Understanding CIA’s Vault7 Cyber Weapons: A Comprehensive Overview

The documents exposed by WikiLeaks as the CIA's Vault7 contain a plethora of obscure terms, jargon, incomplete descriptions and links. They are very interesting, but many of the terms are hard to understand. Therefore, after reviewing all the Vault7 documents, I have tried to explain as many of the hacker tools involved as possible, based on their real meanings and on some verifiable results, for reference and research. Corrections and discussion are welcome.

In the following content, some explanations are derived from the test devices, developer comments and other information mentioned in the documents that closely fit the actual meanings; some commercial tools (such as Lockheed Martin's DART software), links mentioned in the documents, and operation codes are not listed here. Let us explore the CIA's cyber arsenal together with Freebuf:

Hacker Tools Involved in EDB Department

The Embedded Development Branch (EDB) is responsible for infiltrating and implanting built-in tools into target devices such as phones, workstations, and smart TVs, using both software and hardware methods. The tools they developed include:

Pterodactyl: A "general hardware solution that supports media copying and replication"; it copies data from target computers using embedded single-board computers such as the Raspberry Pi; (mentioned in vault7: 107 times)

SparrowHawk: A cross-architecture, Unix-based keylogger that collects the target user's keystrokes and formats them uniformly; (mentioned in vault7: 91 times)

DerStarke: A boot-level rootkit Trojan targeting Apple OSX systems; (mentioned in vault7: 79 times)

GyrFalcon: A data acquisition tool targeting OpenSSH clients that can track SSH connections and obtain usernames, passwords, and connection data; (mentioned in vault7: 36 times)

SnowyOwl: A code injection tool based on OpenSSH sessions targeting the target system; (mentioned in vault7: 13 times)

HarpyEagle: Designed specifically for Apple AirPort Extreme routers and Time Capsule Wi-Fi storage devices, aimed at obtaining root privileges remotely or locally and implanting rootkits; (mentioned in vault7: 60 times)

BaldEagle: An exploit tool targeting the HAL daemon, the hardware abstraction layer service on Unix systems; (mentioned in vault7: 27 times)

MaddeningWhispers: An exploit tool for remote infiltration of Vanguard devices; (mentioned in vault7: 34 times)

CRUCIBLE: An automated exploit identification tool; (mentioned in vault7: 8 times)

YarnBall: A covert USB storage tool used during payload deployment or data theft; (mentioned in vault7: 43 times)

GreenPacket: A toolkit for implanting Trojans in GreenPacket router devices; (mentioned in vault7: 11 times)

QuarkMatter: Another boot-level Trojan targeting OSX systems; (mentioned in vault7: 40 times)

Weeping Angel: A Trojan implant component targeting Samsung smart TVs, developed jointly by the CIA and MI5. Once this surveillance software infects a smart TV, it hijacks the TV's shutdown operation and keeps running in the background while the user believes the TV is off; it then activates the microphone and recording function and sends the recorded content back to the CIA's backend server; (mentioned in vault7: 65 times)

Hive: A component platform that provides intrusion support for other attacks and tools targeting Windows and UNIX systems; (mentioned in vault7: 197 times)

Honeycomb: Used in conjunction with Hive; a script tool running on Linux systems that collects and processes data from Swindle or Blot proxy servers; (mentioned in vault7: 78 times)

CutThroat: A virtual machine interface, built on top of a proxy server, for sending data to target systems; (mentioned in vault7: 232 times)

Bee Sting: An iFrame injection tool for HTTP connections; (mentioned in vault7: 21 times)

Sontaran: A tool for infiltrating Siemens OpenStage digital phones; (mentioned in vault7: 83 times)

Secret Squirrel (SQRL): A tool developed jointly by the Remote Development Branch (RDB) and the Embedded Development Branch (EDB), with its specific purpose still unknown.

Hacker Tools Involved in RDB Department

The Remote Development Branch (RDB) has relatively little data mentioned in the Vault7 documents.

Umbrage: A team-mode network attack platform in which CIA technicians collect large numbers of publicly available hacker tools, attack techniques and usable code from leaked data, forming a library of network attack characteristics that can be applied to investigations of network attack activity.

According to other media reports, the CIA can use this characteristic library to launch "false flag" network attacks against target systems through tactics such as imitation and obfuscation, deliberately leaving traces that mislead and confuse adversaries and hide its true intentions. (mentioned in vault7: 46 times)

ShoulderSurfer: A tool for extracting data from Microsoft Exchange; (mentioned in vault7: 43 times)

Hacker Tools Involved in OSB Department

The Operational Support Branch (OSB), besides maintaining some useful software tools, has also developed generic solutions for certain individual operational targets, including infiltration tools for Windows systems and mobile apps:

Time Stomper: A tool used to modify the timestamp attributes of attack payloads during specific network intrusion operations; (mentioned in vault7: 12 times)

Munge Payload: A tool for encrypting and evading detection of attack payloads; (mentioned in vault7: 65 times)

Magical Mutt: A tool that can implement malicious DLL injection and monitor target system processes; (mentioned in vault7: 16 times)

Flash Bang: A browser sandbox escape and hijacking tool; after a successful escape or hijack it can achieve further privilege escalation on the target system; (mentioned in vault7: 27 times)

RickyBobby: A lightweight remote control implant named after the character Ricky Bobby from the movie "Talladega Nights"; it contains various DLL attack files and execution scripts that perform functions such as port monitoring, uploading, downloading and command execution on the target system; (mentioned in vault7: 21 times)

Fight Club: In specific attack activities, uses mobile carriers as transmission intermediaries and bundles the RickyBobby remote control into the installers of VLC, WinRAR, TrueCrypt, Shamela and Microsoft Office to infect and control target systems; (mentioned in vault7: 21 times)

Melomy DriveIn: Hijacks the VLC player DLL process, indirectly implanting the RickyBobby remote control; (mentioned in vault7: 9 times)

Rain Maker: Hidden in the portable ("green") version of the VLC player and using mobile carriers as infection intermediaries; when a user inserts an infected USB medium into a network-isolated target system, it covertly steals files and collects information from that isolated system; (mentioned in vault7: 101 times)

Improvise: A data collection and theft tool supporting the mainstream operating systems Windows, Mac and Linux, used for attack configuration, data post-processing, payload adjustment and attack method selection. For the different target systems, bar-themed names are defined: Margarita, Dancefloor, Jukebox; (mentioned in vault7: 28 times)

Basic Bit: A keyboard logging tool targeting Windows systems; (mentioned in vault7: 158 times)

Fine Dining: A series of customized services provided to technical operatives executing infiltration tasks, such as generating a disguised PDF document to execute file collection tasks on the target Mac system or performing DLL hijacking on specific programs; (mentioned in vault7: 53 times)

HammerDrill: Uses CD/DVD media as the infection vector, writing malicious code to the disc in order to control the target system. HammerDrill v2.0 adds a feature: if the target system is using Nero to burn discs, it installs a 32-bit hidden Trojan program on the new disc being burned; (mentioned in vault7: 12 times)

Taxman: (no introduction in vault7)

HyenasHurdle: (no introduction in vault7)

Hacker Tools Involved in AIB (Automated Implant Branch) Department

The Automated Implant Branch is responsible for developing implanted Trojan remote control programs. Although most of the hacker tools involved are not specifically described, some of the exposed tools give a glimpse of their general intent:

Frog Prince: A full-featured Trojan remote control implant system, including the C&C server, port monitoring and the implant software itself; (mentioned in vault7: 38 times)

Grasshopper: A highly configurable Trojan remote control implant tool targeting Windows systems; (mentioned in vault7: 91 times)

Caterpillar: A tool for obtaining files from the target system via secure transmission; (mentioned in vault7: 85 times)

AntHill: Seems to be a component for remote control implant software used for file management; (mentioned in vault7: 28 times)

The Gibson: Seems to be a program component for C&C control and monitoring; (mentioned in vault7: 19 times)

Galleon: A set of scripts and tools for securely transferring files from the target computer to the controller side; (mentioned in vault7: 38 times)

Assassin: (no introduction in vault7)

HercBeetle: (no introduction in vault7)

CandyMountain: (no introduction in vault7)

Hornet: (no introduction in vault7)

Cascade: (no introduction in vault7)

MagicVikings: (no introduction in vault7)

Hacker Tools Involved in NDB (Network Devices Branch) Department

Unlike the other branches such as EDB, the Network Devices Branch has no intuitive explanation of its parent department in the documents, and its parent department SED remains unclear.

AfterMidnight: A toolset for system privilege escalation on Windows systems using DLL injection techniques; (mentioned in vault7: 13 times)

Packrat: An automated monitoring software implementation integrated with open-source or commercial tools, applicable to configurations for various service systems such as VMware Workstation, VMware ESXi, VirtualBox, OpenStack, KVM/QEMU, Docker, AWS, Google Compute Cloud, etc.; (mentioned in vault7: 34 times)

RoidRage: A tool for Trojan implantation and vulnerability exploitation targeting Android 5.0 and earlier devices; (mentioned in vault7: 104 times)

The.Net: Contains a series of fictional company names, such as Umbrella and Abstergo, used to simulate realistic internal and external network communication; (mentioned in vault7: 1411 times)

Philosoraptor: The specific purpose is unclear, but from its “claimed purpose,” it seems to describe and demonstrate the unique features of commercial software tools; (mentioned in vault7: 32 times)

Marble Framework: A tool used to obfuscate the source code of hacker software to prevent attribution; together with other similar tools it forms an overall obfuscated coding system; (mentioned in vault7: 66 times)

Kraken: Seems to be a tool for project management and status tracking of network attack activities; (mentioned in vault7: 23 times)

Fluxwire: A contractor-provided distributed network management tool used for status management and command configuration of connected devices, supporting 9 operating systems and 6 architectures (see the description for details); (mentioned in vault7: 78 times)

Cocoon: (no introduction in vault7)

Tremor: (no introduction in vault7)

Hacker Tools Related to iOS Systems

Adderall: A tool for extracting files and kernel caches from iOS devices; (mentioned in vault7: 132 times)

ElderPiggy: iOS system privilege escalation tool; (mentioned in vault7: 39 times)

NightVision: A tool for reading and recording kernel storage in iOS systems; (mentioned in vault7: 122 times)

Nightskies: A tool for Trojan implantation targeting iOS systems through CrunchyLimeSkies; (mentioned in vault7: 83 times)

Mcnugget: A tool for managing and controlling Trojan implants targeting iOS systems; (mentioned in vault7: 174 times)

HAMR: A tool for exploiting browser vulnerabilities targeting mobile operating systems; (mentioned in vault7: 139 times)

DRBOOM: A tool for single-step Trojan implantation targeting iOS 8.2 and earlier systems; (mentioned in vault7: 9 times)

Hacker Tools Related to Android Systems

The documents mention that the CIA has developed multiple exploits targeting vulnerabilities in Android systems, but this information has been redacted. Therefore, only some typical hacker tools involved are introduced here:

AngerQuake (later renamed AngerManagement): A tool targeting Android systems that collects vulnerable browser plugins for exploitation by HAMR; (mentioned in vault7: 69 times)

Orion: An Android system webkit vulnerability exploitation tool, applicable to Android 4.0, 4.1, 4.2; (mentioned in vault7: 35 times)

Freedroid: An Android system privilege escalation tool; (mentioned in vault7: 86 times)

In addition, the CIA has various tools for vulnerability exploitation and privilege escalation on Android systems, such as Barracuda, FlameSkimmer, Spearow and Dragonfly. For details, please refer here.

Conclusion

The Vault7 documents exposed by WikiLeaks show that the CIA places great importance on building network intrusion capabilities. From tool design, code writing and program deployment to maintenance and attack execution, it treats network attack activity as a systematic engineering project. Moreover, the CIA's organizational structure shows a clear division of labor among its branches, with distinct responsibilities and unified goals. Although their research focuses differ, they ultimately form a collaborative team effort for the various network attack tasks, posing a significant threat.

According to WikiLeaks, a large amount of CIA data will be disclosed in the future. Freebuf will continue to monitor the latest developments in this event, continue to analyze the existing content, and disclose relevant information at the first opportunity.

*Source: techcrunch; compiled by Freebuf editor clouds. Please credit Freebuf.com as the source when reprinting.
