WikiLeaks released the third tranche of its leaked CIA documents trove on Friday, which in this episode focuses on anti-forensics tools.
The previous two releases from Vault7 have focused on manuals and supporting documents for the spy agency's hacking tools. The first set of leaked files, released on 7 March, described security exploits used to compromise vulnerable Android handhelds, Apple iPhones, Samsung TVs, Windows PCs, Macs, and other devices.
Two weeks later, in episode two, we learned how the CIA could purchase Apple Macs and iPhones, install spyware on them, and give them to targets. WikiLeaks spun this to suggest this might be happening in the factory, a suggestion unsupported by the leaked documents themselves, as previously reported.
Episode three brings the release of source-code files for the CIA's secret anti-forensic Marble Framework. The technology is designed to make the CIA's malware harder for security researchers at antivirus firms to analyse, thus hampering attribution. It does this by hiding ("obfuscating") text fragments.
Obfuscating code and designing it so that it detects and doesn't run in virtual machine sandbox has not been an uncommon tool among mainstream cybercrooks for some years.
One feature in Marble stands out. It creates a means for virus writers to pretend that the malware was created by a speaker of a range of foreign languages (Chinese, Russian, Korean, Arabic and Farsi). These are, of course, the languages of the US's main cyber-adversaries – China, Russia, North Korea and (historically, at least) Iran.
WikiLeaks suggests that this tech would allow the real-life equivalent of American Dad's Stan Smith to trick security researchers into thinking they were, for example, Chinese PLA.1
The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.
There might be something in this but robust attribution is based on multiple factors, so using Marble alone wouldn't be enough to throw a normally competent cyber-sleuth off the trail.
Marble Framework is used for obfuscation only and does not contain any vulnerabilities or exploits by itself, something that has allowed WikiLeaks to release its source code. Exploits and hacker tools from earlier releases have been held back and only manuals and supporting documents have been pushed out. WikiLeaks has promised to supply CIA's hacking tool code to vendors. El Reg has independently confirmed that Assange and co have entered talks on this point with Microsoft, at least.
1Marble also includes a deobfuscator to reverse CIA text obfuscation (i.e. translate text strings back to English).