"Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors," WikiLeaks said in a statement.
SSH is a cryptographic network protocol that gives a user secure remote access to a server, such as the server hosting a website. The SSH credentials are the login details: the server address, the port number, the username and the password.
According to WikiLeaks, BothanSpy is an implant targeting the SSH client program on the Microsoft Windows platform, stealing user credentials from active SSH sessions. The data is then either exfiltrated to a CIA-controlled server, or encrypted and saved for later exfiltration by other means.
Gyrfalcon, in turn, is an implant that targets Linux platforms and can steal the same kind of credentials, encrypting the information for later exfiltration.
WikiLeaks released three documents that appear to be the CIA’s tool documentation and user manuals for both projects as evidence.
The whistleblowing website released the first batch of the Vault 7 project in March, with the first full part comprising 8,761 documents. The previous release, dedicated to the CIA's geo-location spying malware for WiFi-enabled devices, dubbed ELSA, took place on June 28.