It's almost as if the cyber-Easter Bunny brought us a big basket of eggs. Wikileaks drops the latest CIA tool set called Hive, a front shell game of web sites that pass information from targets to the CIA control sites. Then the Shadow brokers dropped their latest release, a series of exploits, logs and files describing a massive attack by the NSA against the global banking system.

The breathtaking releases underscore both the poor track record of the CIA and NSA intelligence agencies and their inability to control the vast trove of cyber-weapons developed at great expense to hack the world. The fact that in both cases an adversary, working either inside or outside of the respective agencies, stole these exploits makes an excellent case for the open disclosure of software and hardware vulnerabilities. Still, both Ft. Meade and Langley remain silent about the ever widening scandal that is now enveloping them with each leak making world-wide news.

Hive, according to the CIA documents, is a software implant and transmit back information from targeted systems. Hive is designed to have two primary functions: beacon and interactive shell. The Hive network is not limited to installation into ordinary web servers but can attack specific devices as well such as in MikroTik routers and AVTech Network Video Recorders. The CIA documents do note a disturbing fact. It would seem that Hive is a whole lot more common than one would think for an intelligence exploit.

"Since Hive has been installed and used on such a wide scale, an update capability was provided for updating the Hive implants on remote boxes," states the CIA Users Guide for Hive.

"The patched Hive implant is copied onto the target in a location from which the code is executable using a suitable name for hiding in plain sight," noted the CIA guide.

As with previous CIA exploits, Hive has additional features made available by associated software exploits. One example is CUTTHROAT which is a client service to allow implanted software to function. CUTTHROAT allows the CIA to execute commands to exploit software, upload and download files and even open an active encrypted terminal shell to directly execute commands from a CIA listening post.

"(Cutthroat) open an encrypted shell with the client (as a separate process). Takes three parameters in the following order: client IP address, client port number, and a password that initializes the Twofish symmetric cipher," notes the documents.

The Hive concept is to use a VPN gateway to hide traffic from an intended target and display a front face of some non-descript website. The traffic coming from an exploited target is encrypted and siphoned off to a separate server labeled HONEYCOMB.

While bad the CIA hacking tools are nothing compared to the super-nova like NSA tools revealed by the Shadow group. The NSA tools dumped by the brokers are fully functional executables, descriptions and instructions. Basically, this means that anyone can repurpose them to attack Windows computers.

This is bad news for the Redmond Washington based Microsoft because the dump contains numerous easy to run hacking tools including multiple unknown exploits, or zero-days. These previously undiscovered weaknesses in Windows operating systems are not only a strike against Microsoft but also a potential attack against every Windows user around the globe.

The primary NSA operations revealed by the dump show they hacked the SWIFT banking network, a large number of banks and Middle Eastern petroleum firms and the EastNets which acts as a "service bureau" connecting customers to the SWIFT financial network. Of the victims, EastNets was the first to respond, releasing a statement which stated there was "no credibility" to the allegation that its customers' details had been stolen.

Despite the denial, the details from EastNets dumps contains not only a listing of the targeted sites but detailed information such as IP address, administrative login and passwords, network configurations and details right down to every computer, router and electronic device linked to each targeted network including printers. Clearly, thousands of employee accounts and machines from EastNets' offices were compromised and that financial institutions in Kuwait, Bahrain and the Palestinian territories had been targeted for espionage.

The operation also spanned the globe, attacking sites in Belgium, Dubai, Egypt, and the UAE. The NSA even kindly provided proof listings from tests against all the major anti-virus makers showing the exploits were not detected.

Ironically, the NSA dumps contain a file of NSA administration login and passwords in open text. I note this because the NSA is the top level intelligence cryptographic agency in the US government, thus storing passwords and logins in the open and getting caught doing it - is akin to having someone pull your pants down in public.

The NSA also targeted other sites besides Middle Eastern banks and networks. The NSA hacks targeted the Taiwan Chia Nan University of Pharmacy & Science, the Japan Kurume Institute of Technology and a Japanese Civil Aviation college. One has to wonder what information Ft. Meade has on these institutions to make them worthy of an attack.

However, it is known that the NSA exploits are not only real but still alive. For example, the EXPLODINGCAN exploit uses the PROPFIND bug, which was revealed only a few weeks ago. This particular discovery, and the information on the EXPLODINGCAN exploit dated to 2013, 4 years ago, makes it clear that it is possible that some of the NSA exploits were discovered and modified by other organizations or criminal hackers.

The leaks also raise another lingering question about the 2015 Juniper Dual_EC hack which resulted in a blow-back against the US. The original Dual_EC hack appears to be the work of Ft. Meade and has all the hall marks shown in the Shadow Brokers exploits. However, the hack was turned against America. The Juniper back door implant was discovered and exploited by a third party who then retargeted it against the USA. The compromise of Juniper communications gear affected US banks, the stock market, major US corporations, and even the US government.

The level of the twin releases today from both Shadow brokers and Wikileaks suggests the Dual_EC back door must have been stolen from Ft. Meade. The leak of Hive and Vault 7 shows there is a compromise inside the CIA. The agencies entrusted with the intelligence and security of America are now spilling secrets out that can be used against America.

It is also clear the US government has front door access into SWIFT banking network for broadly defined, and inadequately secured, purposes. There problem is that the NSA claims they hacked SWIFT to search for terrorists. However, the US government already has lawful access to SWIFT data via legal means through the FISA court sanctioned actions. The breach of such a large network on a global scale brings with it a number of uncomfortable questions about the legality, treaties with other nations and diplomatic relations with targeted allies.

With all due respect to Ft. Meade and Langley... which side are you on?



if you want cryptographic software of the finest kind - RAVEN has got it



NSA Shadow Brokers hacks

CIA HIVE Wikileaks

Contact Us: