Slashdot Mirror


WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs (bleepingcomputer.com)

An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks starts with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.
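A defender-side triage of shortcut files found on a removable volume, added here as an example and not code from the leaked manuals or the article: it parses the .lnk header and string fields (MS-SHLLINK layout) and flags shortcuts that point at a program carried on the same drive, pass command-line arguments, or mark their target hidden. The heuristics and the build_lnk sample generator are my own assumptions; the page does not say which LNK feature the toolkit relies on, so this is a review aid, not a signature for it.

```python
import struct

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, ATTR_HIDDEN = 0x01, 0x02, 0x80, 0x02
# StringData entries appear in this fixed order, each present only if its LinkFlags bit is set
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
RUNNABLE = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

def parse_lnk(data: bytes) -> dict:
    """Decode LinkFlags, FileAttributes and the StringData section of a .lnk file."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 0x14)
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (size prefix excludes itself)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size prefix includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "attributes": attrs}
    for bit, name in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
    return info

def flag_lnk(info: dict) -> list:
    """Triage heuristics (assumed, not from the page) for a shortcut found on removable media."""
    reasons, rel, args = [], info.get("relative_path", ""), info.get("arguments", "")
    if rel.lower().endswith(RUNNABLE):
        reasons.append("target is a program carried on the same volume: " + rel)
    if args:
        reasons.append("shortcut passes command-line arguments: " + args)
    if info["attributes"] & ATTR_HIDDEN:
        reasons.append("target file carries the hidden attribute")
    return reasons

def build_lnk(relative_path: str, arguments: str = "", hidden: bool = False) -> bytes:
    """Constructed sample for offline testing: a minimal Unicode .lnk with only the fields above."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = LNK_MAGIC + struct.pack("<II", flags, ATTR_HIDDEN if hidden else 0) + bytes(0x4C - 0x1C)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + (enc(arguments) if arguments else b"")
```

Point the parser at every *.lnk on a mounted stick and review anything flag_lnk reports before the drive goes anywhere near the isolated network.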

30 of 74 comments

  1. Damn by DontBeAMoran · · Score: 4, Interesting

    Once again, no love for macOS, Linux and BSD.

    --
    #DeleteFacebook
    1. Re:Damn by Anonymous Coward · · Score: 5, Funny

      Dude, RTFM. All you have to do is:

      ls -l /dev/disk/by-path/ and find the stick's device.
      mkdir /tmp/usb
      mount [device node from first step] /tmp/usb
      cd /tmp/usb
      sudo ./ciamalware.sh

      They do have Linux support. It's not that hard.

    2. Re:Damn by Spazmania · · Score: 1

      ROFL. Mod this guy up.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:Damn by AHuxley · · Score: 1

      If an interesting Mac, Linux or Unix user is found in the wild, new code will be requested.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Damn by TheRealMindChild · · Score: 1

      I use Solaris :(

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:Damn by thomn8r · · Score: 1

      I'm getting an error from ld that it wants libbigbrother2.0.so but I'm running 1.3

  2. Leveraging stupidity by Rick+Schumann · · Score: 4, Insightful

    If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices.

    If you work at a company that has an air-gapped private network for security reasons and you actually do this, then you are a moron and deserve to be fired. I've worked for a defense contractor. We were all trained to not do stupid things like this; basic OPSEC.

    1. Re:Leveraging stupidity by sconeu · · Score: 1

      How do you get AV updates onto said airgapped machine/network? When I was trying to set up a red network, one of our requirements (out of the DoD manual) was to have AV that was regularly updated.

      Of course, back then, we didn't use USB.... we used CD-R (not CD-RW).

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Leveraging stupidity by CaptainDork · · Score: 1

      OPSEC

      Kinda like Manning walking in with a Lady Gaga CD, erasing it, and populating it with shit, and walking out.

      Kinda like Snowden walking in and out.

      Kinda like WikiLeaks getting hold of secret, well-guarded CIA stuff.

      CaptainDork's 1st Corollary: "When it becomes digitized, it's in the public domain."

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Leveraging stupidity by Anonymous Coward · · Score: 1

      You used the safest solution - a CD or DVD. If malware were to try and install itself on a CD or DVD, the spin-up would be noticed. Keeping the OS on an image file that is stomped onto the OS partition every night is another way.

      https://www.schneier.com/blog/archives/2013/10/air_gaps.html

    4. Re:Leveraging stupidity by 93+Escort+Wagon · · Score: 2

      We were all trained to not do stupid things like this; basic OPSEC.

      Yes, and yet we're all aware of hacks successfully targeting defense contractors, and Chinese war planes which strikingly resemble next-generation American designs. I wonder how they got the plans?

      I'm sure RSA trained their employees not to do "stupid things like this" too, and yet they managed to get thoroughly owned several years ago.

      People do stupid things all the time - even people who've received proper training. Yes, they deserve to be fired... but at that point the damage is done.

      --
      #DeleteChrome
    5. Re:Leveraging stupidity by AHuxley · · Score: 1

      The security services usually have some story about being from head office, another department, security or a contractor.
      A short conversation with management and staff will allow any stranger to use usb sticks as needed.
      The other method is to place usb sticks to be found or swap the usb sticks of trusted staff.
      If a company or government orders a lot of office supplies online from a trusted US brand? That shipment might be altered on the way.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Leveraging stupidity by Minupla · · Score: 2

      I'm sure RSA trained their employees not to do "stupid things like this" too,

      To be fair, the RSA attack had less to do with a user making a dumb mistake and more a case of poor architectural choices (critical data on the same network as a low-level user, insufficient network segmentation, and honestly, there should have been an airgap between the RSA key secrets and the HR person whose system was compromised, or the admin user's workstation that the attack escalated to).

      All that having been said, it was a VERY sophisticated attack by a well funded actor, and likely would have occurred in spite of countermeasures eventually (at the end of the day, if you're a well funded state actor, 'kinetic' (to use the favored euphemism) options are available when the cyber options prove ineffectual).

      If you're interested this account is, as I understand it from other sources, fairly accurate:

      https://www.slideshare.net/Kun...

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    7. Re:Leveraging stupidity by chihowa · · Score: 2

      Yeah... you're not describing an airgapped network.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    8. Re:Leveraging stupidity by sconeu · · Score: 1

      What part "requirement from the DoD manuals" are you having a problem understanding?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  3. Just don't call it 'shocking' please. by mdkathon · · Score: 1

    When there is a will there is a way.

  4. Cool but... by 110010001000 · · Score: 1

    ...any computer that can run software isn't secure. Mind blown.

  5. A word to the wise: by Gravis+Zero · · Score: 4, Insightful

    Never create a weapon that you wouldn't want to fall into the hands of your worst enemy... because it will.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:A word to the wise: by AHuxley · · Score: 2

      Ex staff, former staff, contractors, other nations staff, other random people in other trusted governments. Cults and faiths placing their staff deep into gov/mil.
      The politics of trusted staff.
      The staging servers that interesting people finally noticed.
      The use of plain text and no crypto so contractors can make profits working on gov networks.
      Too many secrets is now too many contractors.

      --
      Domestic spying is now "Benign Information Gathering"
  6. Re: So don't use windows explorer, use an alternat by Zero__Kelvin · · Score: 1

    You were so close to understanding the solution. If only you hadn't added the word "explorer" to your sentence.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Told you by WillAffleckUW · · Score: 1

    Next time, listen.

    I blame the router and modem manufacturers for this, actually.

    "Oh, what harm could ever come from releasing source code to the Russians, it's not like they would subvert the elections in all Western nations"

    Sure.

    oh, and you should totally trust your anti-virus security to Russian firms too.

    The surprising thing is you've pretty much only realized the tools we designed a few decades ago, until we realized how deeply the Russians had burrowed into you.

    --
    -- Tigger warning: This post may contain tiggers! --
  8. Impressive by Hentes · · Score: 1

    So they managed to create a network requiring no persistent connections? They should claim their 2 mil prize!

  9. Re: So don't use windows explorer, use an alterna by Zero__Kelvin · · Score: 1

    Great point ... because when you have an air-gapped computer for security reasons, the last thing you want to do is eliminate as many attack vectors as possible.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. Re: So don't use windows explorer, use an alternat by that+this+is+not+und · · Score: 1

    Midnight Commander might be a good alternative. It's not just GPL, it's an official GNU project. Windows binaries are available if you don't want to build it from source.

    It's a clone of the classic Norton Commander.

  11. Re:So don't use windows explorer, use an alternati by AHuxley · · Score: 1

    Once the CIA, MI6, GCHQ and NSA get interested they will find out what consumer grade OS the interesting site is using.
    The question is then to risk a network detecting the data moment and blame "malware" with another nations code litter.
    Or to walk, post the USB stick using some cover story.

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re: So don't use windows explorer, use an alternat by Teckla · · Score: 1

    I second Midnight Commander.

    It's an amazing application. One of its best features is it looks and works the same on Windows, macOS, Linux, and *BSD. Once you learn it (which isn't hard at all -- it's pretty darn self-evident), you've boosted your productivity in all of the aforementioned operating systems.

    Bonus feature: No Microsoft OneDrive advertisements built into the application!

  13. Just imagine by Snotnose · · Score: 1

    What if we had a TLA that searched for ways the Bad Guys could Fuck Us Up. Now imagine we had a TLA that searched for ways the Bad Guys could Fuck Us Up, but it turns out our TLA are The Bad Guys.

    This shit needs to stop. Hopefully the NSA and whomever have figured out they aren't the smartest kids in the room and decide to make us all more secure.

    Damn, meds are wearing off and I'm back to reality. Shit, real life really sucks ass.

  14. I guess Wikileaks saw the Window$ core leak too by TheOuterLinux · · Score: 1

    Ha!....

  15. Re: So don't use windows explorer, use an alterna by Zero__Kelvin · · Score: 1

    I got your phenomenally stupid point dumbfuck.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Re:So don't use windows explorer, use an alternati by LinuxIsGarbage · · Score: 1

    Some other file manager instead of windows explorer might not trigger the exploit, assuming autoplay is disabled? Maybe?

    If I'm forced to use Windows, I like to use Far Manager. It's a text mode file manager so I can stroke my neckbeard while I use it.