WikiLeaks Releases Source Code For Hive - CIA's Malware Control System

Today, 9 November 2017, WikiLeaks publishes the source code and development logs of Hive, a major component of the infrastructure the CIA uses to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if it has no way to communicate with its operators securely and without drawing attention. With Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult from the implant's communication with servers on the internet alone. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. "perfectly-boring-looking-domain.com") for its own use. The server hosting the domain's website is rented from a commercial hosting provider as a VPS (virtual private server) and its software is customized to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called Blot.



The cover domain delivers 'innocent' content if somebody browses it by chance; a visitor has no reason to suspect it is anything other than a normal website. The only peculiarity is invisible to non-technical users: the HTTPS server uses an option that is rarely enabled, Optional Client Authentication. Because client authentication is optional, a user browsing the website is not required to present a certificate. Implants talking to Hive, however, do authenticate themselves with a client certificate, and that is what lets the Blot server tell them apart from ordinary visitors. Traffic from implants is forwarded to an implant operator management gateway called Honeycomb (see the graphic in the original release), while all other traffic goes to a cover server that delivers the inconspicuous content for everyone else.


The digital certificates used to authenticate implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for an anti-virus company that purports to be signed by an existing certificate authority (both are named by links in the original release that are not reproduced here). In this way, if the target organization inspects the network traffic leaving its network, it is likely to misattribute the CIA's data exfiltration to uninvolved entities whose identities have been impersonated.


The documentation for Hive is available from WikiLeaks (links omitted).


Source: WikiLeaks (link omitted)

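How the optional-client-authentication split described above behaves on the wire, as an added example that is not part of the WikiLeaks release and not Hive's own code. It is written in Go against the standard library only and collapses the whole chain (cover domain, Blot, Honeycomb) into one process: a test CA, an implant certificate and a server certificate are generated in memory (the names `Operator Test CA`, `implant-0001`, `perfectly-boring-looking-domain.com`, `blotHandler` and `Demo` are this example's own, and in a real deployment the cover site's certificate would come from a public CA rather than the operator's). The server runs with `tls.VerifyClientCertIfGiven`, which is the "optional" mode (request a certificate, verify it only when one is offered). A request carrying a certificate that chains to the operator CA is answered from the Honeycomb side, any other request gets the cover page, and a certificate from an unrelated CA is rejected during the handshake rather than silently served the cover page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // throwaway demo certificates: any failure is fatal
	}
	return v
}

// issue mints an ECDSA P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. Hypothetical demo helper, not Hive's own code.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CA
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on 127.0.0.1
	}
	signer, signKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// blotHandler is the split: a session whose client certificate verified against the
// operator CA is an implant and is answered from the "Honeycomb" side; everyone else gets cover.
func blotHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {
		fmt.Fprintf(w, "honeycomb: implant %q checked in", r.TLS.PeerCertificates[0].Subject.CommonName)
		return
	}
	fmt.Fprint(w, "cover: welcome to perfectly-boring-looking-domain.com")
}

// fetch does one HTTPS GET. GetClientCertificate makes the client present clientCert
// whenever asked, even if the server's CA list does not cover it (Go would otherwise withhold it).
func fetch(url string, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs the cover server with optional client authentication and returns what a plain
// visitor gets, what an implant gets, and the error a client with a cert from an unrelated CA gets.
func Demo() (cover, implant string, rogueErr error) {
	ca, otherCA := issue("Operator Test CA", nil), issue("Unrelated CA", nil)
	implantCert, rogueCert := issue("implant-0001", &ca), issue("stranger", &otherCA)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(blotHandler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{issue("perfectly-boring-looking-domain.com", &ca)},
		ClientAuth:   tls.VerifyClientCertIfGiven, // "optional": ask for a cert, verify it only if one is offered
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	cover = must(fetch(srv.URL, pool, nil))            // browser-like visitor: no certificate
	implant = must(fetch(srv.URL, pool, &implantCert)) // implant: certificate from the operator CA
	_, rogueErr = fetch(srv.URL, pool, &rogueCert)     // wrong CA: handshake is rejected
	return
}

func main() {
	cover, implant, rogueErr := Demo()
	fmt.Printf("visitor: %s\nimplant: %s\nrogue cert: %v\n", cover, implant, rogueErr)
}
```

Two things a defender can take from this. First, the server reveals that it asks for client certificates at all: `openssl s_client -connect host:443` prints the "Acceptable client certificate CA names" the server sends, and a plain content site has no reason to send any. Second, with TLS 1.2 the client's Certificate message crosses the wire unencrypted, so a passive observer at the target's network edge sees the implant's certificate and its claimed issuer, which is exactly the lever the impersonated certificates in the release pull on; TLS 1.3 encrypts both the CertificateRequest and the client certificate, so that observation, and that misattribution trick, no longer work there. Note also the difference between Go's `tls.RequestClientCert`, which asks for a certificate but never verifies it, and `tls.VerifyClientCertIfGiven` used here: with the former the rogue client would reach the handler and the routing decision would have to do its own verification.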

  • Similar Content

    • By Gecko
      (link omitted)
      I haven't had a chance to look at the data yet, but I got a quote from someone that piqued my interest:
    • By Aerosol

      Security researchers at the Central Intelligence Agency (CIA) have worked for almost a decade to target security keys used to encrypt data stored on Apple devices in order to break the system.
      Citing the top-secret documents obtained from NSA whistleblower Edward Snowden, The Intercept blog reported that, as part of an attempt to crack encryption keys implanted into Apple's mobile processor, the researchers working for the CIA had created a dummy version of Xcode.
      Xcode is Apple's application development tool, used to create the vast majority of iOS apps. However, using the compromised development software, the CIA, NSA or other spy agencies were potentially able to inject a surveillance backdoor into programs distributed on Apple's App Store.
      In addition, the custom version of Xcode could also be used to spy on users, steal passwords and account information, intercept communications, and disable core security features of Apple devices.
      The latest documents from the National Security Agency's internal systems revealed that the researchers' work was presented at its 2012 annual gathering called the "Jamboree" -- a CIA-sponsored secretive event which has run for nearly a decade -- at a Lockheed Martin facility in northern Virginia.
      According to the report, "essential security keys" used to encrypt data stored on Apple's devices have become a major target of the research team.
      Overall, the U.S. government-sponsored researchers are seeking ways to decrypt this data, as well as to penetrate Apple's firmware, using both "physical" and "non-invasive" techniques.
      In addition to this, the security researchers also presented how they successfully modified the OS X updater -- a program used to deliver updates to laptop and desktop computers -- in an attempt to install a "keylogger" on Mac computers.
      Another presentation from 2011 showed different techniques that could be used to hack Apple's Group ID (GID) -- one of the two encryption keys that Apple places on its iPhones.
      One of the techniques involved studying the electromagnetic emissions of the GID and the amount of power used by the iPhone's processor in order to extract the encryption key, while a separate method focused on a "method to physically extract the [Apple's] GID key."
      Although the documents do not specify how successful or not these surveillance operations have been against Apple, it once again provokes the ongoing battle between spy agencies and tech companies, as well as the dishonesty of the US government.
      On the one hand, President Barack Obama criticized China for forcing tech companies to install security backdoors for the purpose of government surveillance. On the other hand, The Intercept notes that China is just following America's lead, that's it.
      "Spies gonna spy," said Steven Bellovin, a computer science professor at Columbia University and former chief technologist for the FTC. "I'm never surprised by what intelligence agencies do to get information. They're going to go where the info is, and as it moves, they'll adjust their tactics. Their attitude is basically amoral: whatever works is OK."
      We have already reported about NSA and GCHQ's various surveillance programs including PRISM, XkeyScore, DROPOUTJEEP, and many more.
      (link omitted)
    • By Aerosol

      Tearing a page, so to speak, from social media crowdfunding campaigns like last year's ALS Ice Bucket Challenge, the National Archives has turned to Twitter to raise a volunteer workforce of citizen archivists to help transcribe some of the millions of digitized documents—including thousands of declassified CIA and Department of Defense files. The goal of the Transcription Challenge: 1,000 transcribed pages of documents by March 23.
      The Transcription Challenge corresponds with Sunshine Week, an open government campaign originally launched by the Florida Society of Newspaper Editors as Sunshine Sunday in 2002. The event was adopted by the American Society of Newspaper Editors and extended to a week in 2003, and it has since picked up support from the Reporters Committee for the Freedom of the Press, Bloomberg, The Gridiron Club, and the John S. and James L. Knight Foundation. The National Archives is looking for individuals interested in helping to use Twitter and the hashtag #1000pages to claim documents for transcription and tell the Archives' staff what they've found.
      In addition to CIA and other declassified files, the Archives is offering up a number of other "missions," ranging from National Forest documents and photos to papers of the Continental Congress and records of the Confederate Government. There are also audio recordings of interviews conducted by the 9/11 commission.
      (link omitted)
    • By Aerosol

      As the company behind one of the first transparency reports, Google has often said it works toward more transparency surrounding government data requests, but a Monday letter to the company's CEO Eric Schmidt from WikiLeaks exposed the search engine provider as having waited more than two and a half years to let WikiLeaks staffers know their data had been handed over to the U.S. government in response to a secret search warrant.
      Google notified the staffers of the data collection on December 23, 2014, after initially serving the warrants in March 2012, according to The Guardian. The tech company reportedly couldn't disclose the search warrant execution to its subjects because of a gag order.
      “We are astonished and disturbed that Google waited over two and a half years to notify its subscribers that a search warrant was issued for their records,” said the letter, signed by Michael Ratner, president emeritus of the Center for Constitutional Rights, and attorneys for the targets of the warrants - Sarah Harrison, investigations editor of WikiLeaks, Kristinn Hrafnsson, spokesperson, and Joseph Farrell, senior editor.
      The letter also requested a copy of the court order with which Google complied, a list of the material the company disclosed or gave to law enforcement, as well as information on whether Google initiated any legal challenges before complying with the warrants.
      “We certainly would expect Google to give an explanation to journalists after the provider waited over two and a half years to notify them that it handed their information over to the government,” Carey Shenkman, a First Amendment attorney working for Ratner in New York City who signed the letter, said in a statement emailed to SCMagazine.com.
      The letter compared Twitter's efforts in challenging search warrant requests to Google's apparent failure to do so. This possible lack of scrutiny prevented the WikiLeaks staffers from intervening and protecting their interests, including their "rights to privacy, association and freedom from illegal searches," the letter said.
      [An earlier version of this article incorrectly referred to Michael Ratner as "professor emeritus of the Center for Constitutional Rights" instead of "president emeritus of the Center for Constitutional Rights."]
      (link omitted)
    • By immun3
      On Saturday the CNN television network broadcast video recordings of people having convulsions and of dead children, said to be victims of the 21 August chemical attacks in Syria, which had been shown to US members of Congress.
      The images, taken from 13 video recordings and shown exclusively by CNN, which cannot vouch for their authenticity from independent sources, show rows of bodies of children and adults in a room.
      Others show a man having convulsions, another trying to revive his child, and another washing a small child's face, while shouting is heard in the background.
      These images were shown to a small group of senators by the Obama administration, which told the Senate Intelligence Committee that they depict scenes captured after the 21 August chemical attacks, CNN says.
      (link omitted)
      Source: mediafax.ro
      What do you think?