In a batch of secret documents published online this week (22 June), whistleblowing website WikiLeaks detailed a complex maze of malware allegedly developed by the US Central Intelligence Agency (CIA) to help infiltrate "air-gapped" computers and networks.
Codenamed "BrutalKangaroo", the malware exploits Microsoft Windows and can reportedly give tech-savvy spies access to closed networks (computers not connected to the internet) by "air-gap jumping" using booby-trapped USB sticks. According to WikiLeaks, it can then create covert networks, make commands and exfiltrate data.
"The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) without direct access," WikiLeaks noted.
Such air-gapped systems are typically isolated from the internet, meaning they are difficult to infiltrate or hack without direct access to the machine. However, as the documents show, it's far from impossible.
It works like this: The agency infects an internet-connected computer in the targeted organisation with the BrutalKangaroo malware. Then, when a victim inserts a USB drive into the machine, the drive itself becomes infected. The agency then relies on this USB making its way into the closed network.
WikiLeaks noted: "If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network." The Brutal Kangaroo document, labelled Secret/No Foreign Intelligence, is dated February 2016.
The malware consists of multiple components.
"Drifting Deadline" is the thumbdrive infection tool, "Shattered Assurance" deals with the automated infection of the USB sticks, "Broken Promise" surveys the system and "Shadow" is a method to gain persistence on the computer.
An older version of air-gap jumping malware, from 2012, was titled "Emotional Simian."
Dates on the user manuals for these tools vary, largely between 2012 and 2016. One older version of the malware used a component dubbed "EZCheese" that exploited a Windows flaw that existed until March 2015. The CIA has not confirmed the authenticity of the leaked files.
The attacks on air-gapped systems share similarities to the 'Stuxnet' hack uncovered in 2010 which also involved infiltrating closed networks using malware on USB sticks. The aim was to disrupt an Iranian nuclear facility and is now believed to have been orchestrated by US/Israeli forces.
This is the 12<sup>th major release of CIA documents, technical manuals and user guides from WikiLeaks – all part of an ongoing series titled Vault 7. Previous leaks have detailed exploits for iOS smartphones, Android devices, Smart-TVs and a selection of popular home routers.
The source of the leak remains unknown and it remains unknown if the CIA, which is still investigating, has made any arrests relating to the disclosures. The files were reportedly stolen from inside the agency's top secret cyber-espionage unit based in Langley, Virginia.
Critics argue all the files show is the CIA is doing its job – a line the agency has echoed. In a previous statement, it said: "It is CIA's job to be innovative, cutting-edge, and the first line of defence in protecting this country from enemies abroad. America deserves nothing less."
Julian Assange remains in the Ecuadorian Embassy in London under political asylum.