Whistleblowing website WikiLeaks has released a new cache of 27 documents allegedly pilfered from the US Central Intelligence Agency (CIA). The batch, linked to its ongoing "Vault 7" disclosure, details a platform used to "build customised malware" targeting Microsoft Windows.
In a statement published to its website this week (7 April), WikiLeaks outlined a purported CIA system called "Grasshopper" which is labelled Secret and only intended for those inside the walls of the secretive intelligence agency. It marks the third major Vault 7 release so far.
The Grasshopper toolset – including malware used to gain "persistence" on a target's computer system – is reportedly designed to evade detection by well-known anti-virus products from vendors including Kaspersky Lab, Symantec and Microsoft.
"The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers," a statement read.
The published documents include user and administrator guides. "An operator uses Grasshopper to build a custom installation executable, execute that installation executable on a target computer, and (optionally) decode the results of that execution," is how one guide described the framework.
Additionally, a document detailing a "persistence module" linked to Grasshopper, called Stolen Goods (Version 2), appears to show how the CIA adapted known criminal malware for its own uses. In one case, components of malware used in the Russian underground called "Carberp" were noted.
"The persistence method, and parts of the installer, were taken and modified to fit our needs," the document stressed. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified," it added.
The tools appear to have been designed and used between 2012 and 2015. One document, simply titled "Releases", indicates there have been multiple iterations of the framework.
WikiLeaks' previous release – exposing a framework called "Marble" – included hundreds of alleged source code files used for anti-forensics. If legitimate, the tools could be used by the agency to prevent cybersecurity investigators from attributing hacking attacks to the agency.
Assange previously pledged to work alongside the world's biggest technology firms and give them "exclusive access" to the alleged CIA toolsets prior to public disclosure. Many companies – including Google and Apple – indicated they had no desire to work with the controversial website.
The source of the Vault 7 leak remains unknown; however, WikiLeaks said in its initial analysis of the files that they were taken from an "isolated, high-security network" at Langley, Virginia. The first release made a splash by including malware used to target the iOS and Android operating systems.
The US intelligence community has previously accused WikiLeaks of working alongside hackers linked to Russia, suspected of being part of a campaign to help elect US president Donald Trump.
Assange has consistently denied receiving any content from a "state actor".
The CIA has not officially confirmed the authenticity of the leak. In a statement on its website, it said: "It is CIA's job to be innovative, cutting-edge, and the first line of defence in protecting this country from enemies abroad. America deserves nothing less."
Many security experts and analysts remain uncertain about the motive of the leaks. Nicholas Weaver, a researcher with the International Computer Science Institute at the University of California at Berkeley, previously said the CIA leaks appear "designed to disrupt ongoing CIA operations, but not help anyone else."
Nevertheless, more Vault 7 releases are expected to be on the horizon. Assange said last month the initial leak was the equivalent of "less than 1%" of the total amount he had in his possession. In a separate interview, he slammed the CIA as "incompetent" for losing control of the data.