Documents included in the WikiLeaks Vault 7 dump reveal that the CIA used code from public malware samples.
According to the documents, a specialized group named Umbrage was tasked with reviewing public malware code and embedding selected features into custom CIA hacking tools.
As per one of the documents, the Umbrage team maintains a library of application development techniques borrowed from in-the-wild malware. The primary objective of this repository is to provide functional code snippets that can easily be combined and deployed. Instead of building every tool from scratch, which can be costly, the effort focuses on developing smaller, targeted solutions to fit their needs.
It has been said that the CIA reused code from Shamoon and the Nuclear exploit kit, among a long list of others.
The Vault 7 dump, which WikiLeaks claims it received from government contractors and hackers, did not include any actual malware samples, only the internal CIA documentation.
There are hints that the CIA might have built Frankenstein-style code from multiple malware families. When such code is investigated, it in turn matches generic, known malware signatures, and the name of the original malware shows up in the analysis.
Listed below are some of the malware families from which they borrowed code:
* Shamoon – a malware family that wipes hard drives after stealing data. The CIA used parts of the Shamoon code to delete locked files.
* UpClicker – a trojan that binds itself to mouse clicks. The CIA used parts of the trojan to detect sandboxed environments by waiting for a user’s click before continuing.
* Nuclear Exploit Kit – a defunct exploit kit. The CIA used one of its functions to evade Kaspersky’s sandbox environment.
* HiKit – a rootkit discovered in 2012. The CIA Umbrage team used one of its DLL hijacking techniques to gain persistence on infected hosts.
The WikiLeaks Vault 7 Umbrage file documents that the CIA had explored the possibility of using code from Hacking Team, an Italian spyware maker known for selling malware to government agencies; Hacking Team was itself hacked in 2015 and its malware code was dumped online.
This document reveals that the CIA explored the idea of running tests on the Hacking Team data it had collected and documenting its potential.
That the code caught the CIA's interest means they found something useful and interesting they could utilize from it. Redacted documents show that by September 2015 the CIA had decided to expand its efforts to search through all the Hacking Team files, emails and internal documents, not just the exploit samples it had gathered.
Although there are hints of cost cutting on the CIA’s part, WikiLeaks offers a different theory altogether.
Their theory mainly suggests that the code was reused from public malware samples for misdirection, so that the fingerprints of the attacks would still point to the groups where the malware originated.
WikiLeaks also said the Umbrage group reused code from malware stolen from other states, including the Russian Federation, information which many publications are now using to question the US’ attribution of last year’s DNC hacks to Russia.