Mysterious Disk Wiper: WikiLeaks Reveals How CIA Weaponized 'Shamoon' Malware

WikiLeaks' exposure of CIA hacking tools and practices has raised a number of issues. It appears that by weaponizing malware, viruses, Trojans, remote control systems and secretly exploiting the vulnerabilities of popular software and hardware, the CIA's hacking division has crossed the red line.

The latest WikiLeaks exposure has given both enterprises and ordinary consumers of IT products the shivers.

While former NSA contractor Edward Snowden's revelations shed light on the extent of US global surveillance, the WikiLeaks files offer an inside peek at how the intrusion has been carried out.

WikiLeaks' "Year Zero" document collection has introduced "the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of 'zero day' weaponized exploits against a wide range of US and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones."

While the real magnitude of the problem has yet to be evaluated, the question remains open whether the US government and Silicon Valley giants were aware of the CIA's hacking program.

Commenting on the explosive leak Tuesday, Snowden tweeted: "If you're writing about the CIA/@Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe."

"The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words," he added.

However, besides targeting potential US adversaries overseas by penetrating their systems, it appears that the US intelligence community had no scruples about exposing American citizens both to its own spying practices and to potential data theft by external intruders.

"Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open — to spy," Snowden pointed out, referring to the leaked documents.

The WikiLeaks press release called attention to the fact that "the same vulnerabilities exist for the population at large, including the US Cabinet, Congress, top CEOs, system administrators, security officers and engineers."

"By hiding these security flaws from manufacturers like Apple and Google, the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable," the press release stated.

Furthermore, beyond its capability to break into both civilian and government systems, the CIA is able to hide the traces of its intrusions and, more interestingly, to leave behind "fingerprints" belonging to hackers from other nations, thanks to its substantial library of attack techniques "stolen" from malware produced in other states.

Meanwhile, early on Tuesday, published an article describing the data-wiping malware program Shamoon and warning that the virus is likely to make a successful comeback.

"Shamoon — the mysterious disk wiper that popped up out of nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing — is back," the media outlet wrote, citing Russian multinational cybersecurity provider Kaspersky Lab.

© REUTERS / Sergei Karpukhin / File Photo. FILE PHOTO: An employee works near screens in the virus lab at the headquarters of Russian cyber security company Kaspersky Labs in Moscow July 29, 2013.

The provider has revealed it observed "three waves of attacks of the Shamoon 2.0 malware, activated on 17 November 2016, 29 November 2016 and 23 January 2017."

While analyzing the Shamoon 2.0 attacks, Kaspersky Lab stumbled upon a new wiper strikingly similar to Shamoon. The company dubbed it "StoneDrill."

According to the company, the new malware possesses an impressive ability to evade detection and includes functions that are used for espionage purposes.

"StoneDrill has several 'style' similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection," the press release said.

Kaspersky Lab remarked that while Shamoon 2.0 appears to carry a language ID of "Arabic (Yemen)," suggesting the attackers might be from Yemen, "StoneDrill" shows traces of the Persian language in multiple resource sections.

The cybersecurity provider stressed that the embedded language sections could have been "false flags" intended to mislead investigators about the origins of the malware.

So, what does Shamoon have to do with the latest WikiLeaks disclosure?

The crux of the matter is that the malware could have been used by the CIA's hacking group for data destruction. This malware is described in the CIA files as part of its Component Library.

"The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware. The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications," one of the leaked CIA files reads.

"When possible, each item should include a working example of the technique (and/or pointer to code in the SVN repository), documentation describing the application of the technique, and notes concerning our use of these techniques in delivered tools," it added.

In the section describing components related to destroying data on a target system, the CIA highlights the much-discussed Shamoon malware.

"The Shamoon malware made use of a legitimate, signed driver from a commercial company called Eldos," the CIA report says.

"This method is quite obvious and trivial to implement, since it involves using a signed driver to perform raw disk access. The biggest limitation is that it requires the installation of a driver on the target system," it adds.
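The limitation the CIA note itself points out is the defender's opportunity: a legitimately signed driver still has to be installed and loaded on the target, and that load is observable. As an added illustration (not code from the leaked files, from Kaspersky Lab or from the outlets quoted), here is a small Python triage routine run over constructed log lines modelled on Sysmon driver-load events; the field names follow Sysmon, while the paths, the signer names and the allowlist are made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the shape of Sysmon Event ID 6 (DriverLoad)
# fields. These are not real telemetry; "Eldos" is used only because the
# CIA note quoted above names that vendor's driver.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\dsk_access.sys Signed=true Signature=Eldos SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\bob\\AppData\\Local\\helper.sys Signed=false Signature=- SignatureStatus=Unavailable",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\vendorfoo.sys Signed=true Signature=Example Vendor Inc SignatureStatus=Valid",
]

# Hypothetical allowlist of signers an organisation expects to see loading
# kernel drivers on its fleet. Anything else is worth a look even if signed.
ALLOWED_SIGNERS = {"Microsoft Windows", "Example Vendor Inc"}
DRIVER_DIR = "c:\\windows\\system32\\drivers"

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; values may contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def assess(event: dict, allowed_signers: set) -> list:
    """Return the reasons a driver load deserves analyst attention, if any."""
    reasons = []
    signed_ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    if not signed_ok:
        reasons.append("unsigned_or_invalid")
    # A driver dropped outside the system driver directory is unusual on its own.
    if str(PureWindowsPath(event["ImageLoaded"]).parent).lower() != DRIVER_DIR:
        reasons.append("unusual_path")
    # The Shamoon case: a valid signature from a vendor you never deployed.
    if signed_ok and event.get("Signature") not in allowed_signers:
        reasons.append("unexpected_signer")
    return reasons


def triage(lines: list, allowed_signers: set) -> list:
    """Return (image_path, reasons) for every event that raised a reason."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event, allowed_signers)
        if reasons:
            flagged.append((event["ImageLoaded"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS, ALLOWED_SIGNERS):
        print(path, ", ".join(reasons))
```

The point of the signer check is that "Signed=true" alone clears nothing: a driver that is genuinely signed by a vendor the organisation never deployed is exactly the pattern the CIA note describes.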

While this does not necessarily mean that the CIA was behind the recent attacks mentioned by Kaspersky Lab, the WikiLeaks files clearly indicate that the US intelligence agency has weaponized, and most probably reused, the malware for its own needs. The files also show that the CIA hacking group could use "fingerprints" belonging to foreign hacking groups.

The question then arises of where lawful operational work ends and mere hacking begins.
