On November 9th, 2017, WikiLeaks published six documents from the CIA’s Hive project – created by its Embedded Development Branch (EDB).
Hive is CIA back-end infrastructure malware with a public-facing HTTPS interface, used by the agency’s implants to transfer exfiltrated data from target machines to the CIA. The program also relays commands from its CIA operators to execute specific tasks on the targets. According to the report, Hive serves multiple malware implants as well as multiple CIA operations. The front-end HTTPS interface uses unsuspicious-looking covert domains to hide its actual presence.
Security firms, including anti-virus companies and forensic experts, have observed Hive in action while analyzing the communication patterns of these implants. However, they were unable to relate the back-end infrastructure activity to the CIA’s operations. Symantec did recently publish a blog post detailing how it attributed the Longhorn operations to the CIA on the basis of WikiLeaks’ Vault 7 publication. The post states:
“For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however, they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or web hosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.”
The documents in this publication could allow anti-malware researchers and forensics experts to analyze this technique: the communication between the malware implants and the back-end servers.
Hive solves a crucial problem for the malware operators at the CIA. Even the most sophisticated implant on a target computer is useless if it cannot communicate with its operators over a secure channel. Hive addresses this: even if an implant is discovered on a target computer, attributing it to the CIA by merely observing the malware’s communication with other servers on the internet is impossible. Hive offers a covert communications platform for a wide range of CIA malware to send extracted data to CIA servers and to receive new instructions from its operators.
Hive can serve multiple operations, each using multiple implants on target computers. Every operation anonymously registers at least one covert domain for its own use. The server hosting the covert domain is rented from commercial hosting providers as a Virtual Private Server, and its software is customized to the CIA’s requirements. These servers are the front-ends of the CIA’s back-end infrastructure; their role is to relay the HTTPS traffic over a VPN connection to another hidden CIA server termed Blot.
The covert domains are designed to show regular content should somebody open them by chance. A visitor will see nothing but a normal working website.
The only telling detail is not visible to normal users either: an HTTPS server option that is rarely used, Optional Client Authentication.
Hive uses this uncommon Optional Client Authentication setting so that a browser opening the website is not required to authenticate; presenting a client certificate is optional. Implants communicating with Hive do authenticate, which is how the Blot server recognizes them. All traffic from the implants is forwarded to an implant-operator-managed gateway known as Honeycomb, while the rest of the traffic goes to a cover server that delivers the unsuspicious content to all normal users.
All digital certificates used by the implants to authenticate are generated by the CIA impersonating existing entities. WikiLeaks notes that the three examples included in the source code are fake certificates created for anti-virus companies, such as one for Kaspersky Laboratory in Moscow that pretends to be signed by Thawte Premium Server CA, Cape Town. This way, an organization observing the network traffic leaving its network will not notice the CIA’s ongoing exfiltration of its data to uninvolved entities whose identities have been impersonated.
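The last point comes down to a verification question: a certificate can carry any issuer name, but it only chains to the named CA if that CA’s key actually signed it. The Go program below is an added example, not code from the WikiLeaks documents or from Hive, showing why chain validation rather than the issuer name is what a defender should check when reviewing a client certificate presented to a server. It builds a constructed trusted root, issues one genuine client certificate and one whose Issuer field copies the trusted CA’s name but is signed by an unrelated key, and verifies both against the trusted root. The CA and vendor names are constructed stand-ins, and every key is generated at run time; nothing is taken from the real certificates mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the demo: stand-ins for "a well-known CA" and "a well-known vendor".
const (
	trustedCAName = "Example Premium Server CA (constructed)"
	vendorName    = "Example AV Vendor (constructed)"
)

// newKey generates a fresh P-256 key; every key in this demo is created at run time.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER returned by x509.CreateCertificate into a parsed certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// selfSignedCA builds a self-signed CA certificate carrying the given subject name.
func selfSignedCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// clientCert issues a client-auth certificate for subject, signed by parent with parentKey.
// The Issuer field is copied from parent.Subject, so whoever controls parentKey decides
// which name appears as the issuer; only the signature ties it to a real CA key.
func clientCert(subject string, parent *x509.Certificate, parentKey, leafKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, parent, &leafKey.PublicKey, parentKey))
}

// chainsToTrustedCA reports whether leaf really chains to a CA in roots. A certificate whose
// Issuer merely names a trusted CA fails here because its signature does not verify under that CA's key.
func chainsToTrustedCA(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Result records the verification outcome for a genuine and a forged-issuer client certificate.
type Result struct {
	GenuineOK bool // signed by the trusted CA's own key
	ForgedOK  bool // issuer name copied, but signed by an unrelated key
}

// RunDemo builds the trusted root, the two client certificates, and verifies both.
func RunDemo() Result {
	caKey := newKey()
	realCA := selfSignedCA(trustedCAName, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)

	// Genuine: the trusted CA's own key signs the vendor certificate.
	genuine := clientCert(vendorName, realCA, caKey, newKey())

	// Forged: a key nobody trusts signs a certificate whose Issuer carries the trusted CA's name.
	impostorKey := newKey()
	impostorCA := selfSignedCA(trustedCAName, impostorKey)
	forged := clientCert(vendorName, impostorCA, impostorKey, newKey())

	return Result{
		GenuineOK: chainsToTrustedCA(genuine, roots),
		ForgedOK:  chainsToTrustedCA(forged, roots),
	}
}

func main() {
	r := RunDemo()
	fmt.Printf("genuine certificate verifies:       %v\n", r.GenuineOK)
	fmt.Printf("forged-issuer certificate verifies: %v\n", r.ForgedOK)
}
```

The practical lesson for anyone reviewing client certificates seen in their traffic is that the subject and issuer strings are free text chosen by whoever holds the signing key; only a successful `Verify` against a trust store you control says anything about who issued the certificate.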