The deeper story behind CIA's attempt to 'impersonate' Russian cybersecurity company using hacking tool Hive
On 9 November 2017, WikiLeaks published the source code and development logs of Hive, a major component of the CIA infrastructure used to control its malware.
According to WikiLeaks, Hive uses the uncommon Optional Client Authentication so that a user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above), while all other traffic goes to a cover server that delivers unsuspicious content to all other users.
Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA's exfiltration of data to uninvolved entities whose identities have been impersonated.
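The misattribution described above works only if whoever inspects the traffic trusts the names printed in a certificate. The Go program below is an added example written for this page; it is not code from the Hive source or from WikiLeaks. It builds a stand-in CA carrying a Thawte-like name, an impostor CA with the identical name but its own key, and a Kaspersky-named TLS client certificate signed by the impostor. The subject and issuer names, serial numbers and validity periods are constructed for the example, and no real Thawte or Kaspersky key material is involved. It then contrasts name-only attribution with chain verification against the trusted CA's key, which is the check a defender should apply before attributing traffic to the company named in a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in names for this example. They imitate the names quoted from the
// Hive source; no real Thawte or Kaspersky certificates or keys are used.
var (
	thawteName    = pkix.Name{CommonName: "Thawte Premium Server CA", Locality: []string{"Cape Town"}, Country: []string{"ZA"}}
	kasperskyName = pkix.Name{CommonName: "Kaspersky Laboratory", Locality: []string{"Moscow"}, Country: []string{"RU"}}
)

// makeCert generates a fresh key and a certificate for subject. With parent == nil the
// result is a self-signed CA; otherwise it is a client-auth leaf signed by parent's key.
// Anyone can mint a CA with any name; what an impostor cannot copy is the genuine CA's key.
func makeCert(subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, not a real one
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // leaf used for TLS client authentication, as Hive implants do
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AttributeByName is the weak check: it reports whatever the printable
// Subject and Issuer fields claim, which is exactly what the impersonation targets.
func AttributeByName(leaf *x509.Certificate) string {
	return leaf.Subject.CommonName + " (issued by " + leaf.Issuer.CommonName + ")"
}

// VerifyIssuer is the check that matters: does the leaf's signature actually chain
// to the CA key we trust under that name? An impostor-signed leaf fails here.
func VerifyIssuer(leaf, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario builds a genuine CA and an impostor CA with the identical name, issues a
// Kaspersky-named client certificate from each, and returns the fake leaf's name-only
// label plus the chain-verification result for the fake and for the genuine leaf.
func Scenario() (string, error, error, error) {
	genuineCA, genuineKey, err := makeCert(thawteName, nil, nil)
	if err != nil {
		return "", nil, nil, err
	}
	impostorCA, impostorKey, err := makeCert(thawteName, nil, nil) // same name, attacker's own key
	if err != nil {
		return "", nil, nil, err
	}
	fakeLeaf, _, err := makeCert(kasperskyName, impostorCA, impostorKey)
	if err != nil {
		return "", nil, nil, err
	}
	genuineLeaf, _, err := makeCert(kasperskyName, genuineCA, genuineKey)
	if err != nil {
		return "", nil, nil, err
	}
	return AttributeByName(fakeLeaf), VerifyIssuer(fakeLeaf, genuineCA), VerifyIssuer(genuineLeaf, genuineCA), nil
}

func main() {
	label, fakeErr, genuineErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("by name:", label)                       // Kaspersky Laboratory (issued by Thawte Premium Server CA)
	fmt.Println("fake leaf, chain check:", fakeErr)      // non-nil: certificate signed by unknown authority
	fmt.Println("genuine leaf, chain check:", genuineErr) // <nil>
}
```

Run it with `go run`: the name-only check reports a Thawte-issued Kaspersky certificate for the fake leaf, while x509 chain verification rejects it with an unknown-authority error and accepts the genuinely issued one. In a real deployment the trusted root would come from a root store rather than being generated on the spot, and a client certificate that names a well-known company but fails to chain to that company's CA is itself a strong signal worth alerting on rather than a reason to blame the named company.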
This CIA cybertool could prove very useful for accusing foreign agencies and organizations of hacking US facilities and processes, but beyond that there is a deeper reason why the CIA targeted this specific Russian company, and it is related to the first discovered malware that spies on and subverts industrial systems.
Former British intelligence officer and whistleblower Annie Machon reveals why the CIA has targeted Kaspersky Lab:
Obviously, the CIA will be interested in a very successful Russian-based company that offers protection on the Internet. But it goes back a bit further, because it was in 2010 that the very first proven cyberwarfare weapon was deployed. And this was against the Iranian domestic civilian nuclear development capability. And this was at the time when the Americans were drumming up the war against Iran.
There was an attack made against their civilian nuclear capability, and in this case this virus, which was called Stuxnet, was deployed against the centrifuges that enriched the uranium. Nobody knew where it came from. It seemed to be very weaponized, at a state level. And it was actually Kaspersky that unveiled who had developed it. It was the American and the Israeli intelligence agencies. So Kaspersky has been very much in the crosshairs of both the American and the Israeli intelligence agencies.
From Wikipedia:
Stuxnet is a malicious computer worm, first uncovered in 2010 by Kaspersky Labs, the antivirus company. Thought to have been in development since at least 2005, Stuxnet targets SCADA systems and was responsible for causing substantial damage to Iran's nuclear program. Although neither country has admitted responsibility, since 2012 the worm has frequently been described as a jointly built American/Israeli cyberweapon.
Stuxnet, discovered by Sergey Ulasen, initially spread via Microsoft Windows and targeted Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.