WikiLeaks Leaks Source Code For CIA Spyware Hive

Jody Ray Bennett

Today WikiLeaks published the source code and development logs for a “major component of the CIA infrastructure to control its malware” called Hive. There have been several versions of the software, and WikiLeaks has repeatedly published updated iterations.

The most recent release, in April 2017, detailed “how the agency can monitor its targets through the use of malware and carry out specific tasks on targeted machines.” A 2015 user guide showed that Hive was initially released in 2010.

According to WikiLeaks, “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.” Russia Today described it as a “multi-platform malware suite” that “provides customizable implants for Windows, Solaris, MikroTik (used in Internet routers), Linux platforms, and AVTech Network Video Recorders, used for CCTV recording.”

The software can serve as a multi-use system that can install multiple implants on target computers. WikiLeaks breaks it down like this:

A single operation can register a harmless-looking cover domain (e.g. “we-like-sports.com” or “best-cat-videos.com”). The server running the domain is rented from “commercial hosting providers as a VPS (virtual private server)” and its “software is customized according to CIA specifications.” The servers connect through a VPN to a CIA server called ‘Blot’.

Without going into technical details, it essentially allows the CIA to spy on targets by using malware. The documentation for Hive is available from the WikiLeaks Vault7 series.

The software also has a self-termination capability, allowing it to destroy itself if it is not signaled for a predetermined amount of time. It is only detectable by finding specific binary information located somewhere in the kernel of the target system.

According to Russia Today, WikiLeaks has previously said that “anti-virus companies and forensic experts have noticed ‘possible state-actor’ malware using similar back-end infrastructure, but were unable to connect the back-end to CIA operations.”

RT also noted that Hive was created by the CIA’s Embedded Development Branch (EDB), which is responsible for the projects detailed in WikiLeaks’ “Dark Matter” leak that revealed the CIA’s attacks on Apple firmware.