The latest addition to WikiLeaks’ Vault 7 cache of CIA tools and documents gives details of tools used by the agency to attack Windows and Linux computers. The BothanSpy and Gyrfalcon projects can be used to intercept and exfiltrate SSH (Secure Shell) credentials.
The latest addition to WikiLeaks’ Vault 7 cache of CIA tools and documents gives details of tools used by the agency to attack Windows and Linux computers. The BothanSpy and Gyrfalcon projects can be used to intercept and exfiltrate SSH (Secure Shell) credentials.
BothanSpy is used to target Windows, while Gyrfalcon is used for Linux machines, with both working in different ways. A number of popular distros can be hit by Gyrfalcon, including CentOS, Debian, RedHat, openSUSE and Ubuntu, and both tools function as implants that steal credentials before transmitting them to a CIA server.
The leaked documentation for the tools was updated as recently as March 2015, and the file relating to BothanSpy reveals that XShell needs to be installed as it itself installs as a Shellterm extension. There are smatterings of humor throughout the file, with a warning that: «It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets.» There is also the introductory quip: «Many Bothan spies will die to bring you this information, remember their sacrifice.»
Writing about the Windows tools, BothanSpy, WikiLeaks says:
The Linux tool is different, and the guide warns that anyone using it must «obtain a thorough understanding of the Linux/UNIX command line interface and shells such as bash, csh, and sh.» There is the additional note that: «Both the library and application must be installed with root privileges, however, they do not need root privilege to execute successfully on the Linux platform. Therefore, the operator must be confident with their understanding of Linux to use root privileges and not muck up the Linux platform’s configuration.»
About Gyrfalcon WikiLeaks says:
You can read more about BothanSpy and Gyrfalcon over on WikiLeaks .
Image credit: i3alda and Stanislaw Mikulski / Shutterstock