Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.
At the start of March came the first part of yet another Wikileaks document dump. This time it details the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.
The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero-day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware: malware that stands the least chance of detection, analysis and attribution to Langley.
We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).
Official geekiness
There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.
User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast”. Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.
User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.
Crash overload
Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process”, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but the list of uses to which they may be put includes “Knockover (sic) PSPs” and “Troll people”.
He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown. This waits a programmable amount of time (plus a random offset to make things seem natural). It then selects a random process to crash, in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. The author was “considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”
The folk behind the CIA’s hacking tools break the law
Revealingly, User #71473 also likes to hack the home pages of other Users. “Its 11:30… time to deface people’s unprotected user pages…”
User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group.
Meanwhile, we learn that User #71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯\_(ツ)_/¯
Amusingly, User #20873595 is keen for people to understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.
We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.
It’s all a game
The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.