Documents released by WikiLeaks on Thursday detail an alleged CIA program that uses implanted code to spy on Apple computers. The files are the second batch of the “Vault 7” data dump, which WikiLeaks claims is the largest ever publication of confidential documents about the CIA. The first release of documents detailed methods the intelligence agency uses to hack into iPhone and Android smartphones, Windows computers, Cisco routers, and other devices, while the latest release focuses almost exclusively on Mac exploits.
Apple addressed the newest Vault 7 dump, or what WikiLeaks calls “Dark Matter,” in a statement to TechCrunch on Thursday. It claims, based on its initial analysis, that the Mac vulnerabilities were fixed in 2013, while its iPhone vulnerabilities were patched in ’09.
“We have preliminary assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.”
These are the four methods outlined in the leaks for how the CIA has allegedly been spying on Mac computers. (Try to ignore the Doctor Who references and what sound like indie superhero names; this is serious stuff.)
The Sonic Screwdriver is a method allegedly used by the CIA for executing code on a Mac while it is booting. It stores its code on a Thunderbolt-to-Ethernet adapter and installs malware, even if a firmware password is enabled. According to the documents, the purpose of Sonic Screwdriver is to install tools from the CIA’s Engineering Development Group or Applied Engineering Department.
The files say this method is compatible with any Mac laptop with a Thunderbolt port, but mention only 2011 and 2012 models.
Once the components are ready to go, the steps for executing the attack are simple: plug the Ethernet adapter into a Thunderbolt port, plug in the media source of the boot file, and power on the machine.
Once that is complete, the user can commence their attack and infect the firmware with malware (see below).
Triton + Der Starke
Triton is an automated implant for Mac OS X that retrieves files and folders from an infected computer. It sits hidden on the machine and, when triggered, compresses and encrypts data from the hard drive and sends it to an LP, the URL of the script the implant communicates with. If the LP has not triggered the implant successfully in three months, it performs a forced “beacon.” The implant uninstalls itself after its fourth consecutive failed attempt, which happens after about a year.
Der Starke (German for “the strong one”) is a disk-less version of Triton, meaning it does not show up on the hard drive. It hides in plain sight as a browser process, so its activity looks like the user simply loading something on the computer. This keeps it from being picked up by network monitors like Little Snitch.
DarkSeaSkies was created in 2009 so that the CIA could take the file-gathering malware it had built for the iPhone and use it to target MacBook Airs. To make this happen, DarkSeaSkies enables three other operations: DarkMatter, SeaPea, and NightSkies.
DarkMatter is used to provide “persistence,” the term used to suggest a target is being continuously monitored while data is extracted. SeaPea is used to hide the network, and NightSkies is used for beaconing, or sending traffic outside a network at regular intervals.
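Beaconing at regular intervals is the one detail above that a defender can turn into a detection: an implant that calls home on a fixed schedule produces connection gaps that are far more regular than a person browsing. The following is an added example, not code from the article or from any of the leaked tools; the log format, the hosts and the timestamps are constructed, and the thresholds (`min_connections`, `max_cv`) are assumptions a practitioner would tune to their own traffic.

```python
"""Flag periodic "beaconing" in constructed outbound-connection log lines.

Added example (not from the article or the leaked documents). For each
(source, destination) pair we compute the gaps between successive
connections and flag pairs with many connections whose gaps are nearly
constant, measured by the coefficient of variation (stdev / mean).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port>" per line.
# 203.0.113.10 receives a connection every ~5 minutes (periodic);
# 198.51.100.7 receives irregular, browsing-like connections.
SAMPLE_LOG = """\
2017-03-23T09:00:00 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:00:12 10.0.0.5 -> 198.51.100.7:443
2017-03-23T09:05:00 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:07:41 10.0.0.5 -> 198.51.100.7:443
2017-03-23T09:10:00 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:15:01 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:19:30 10.0.0.5 -> 198.51.100.7:443
2017-03-23T09:20:00 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:24:59 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:30:00 10.0.0.5 -> 203.0.113.10:443
2017-03-23T09:45:12 10.0.0.5 -> 198.51.100.7:443
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Coefficient of variation of inter-arrival gaps (0.0 = perfectly periodic).

    Returns None when fewer than two gaps exist, since regularity is
    meaningless for a single interval.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def find_beacons(text, min_connections=6, max_cv=0.05):
    """Return {(src, dst): cv} for pairs that look like periodic beacons.

    min_connections and max_cv are assumed thresholds: enough samples to
    trust the statistic, and a gap variation small enough to rule out
    ordinary interactive use.
    """
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(sorted(times))
        if cv is not None and cv <= max_cv:
            hits[pair] = round(cv, 4)
    return hits


if __name__ == "__main__":
    for (src, dst), cv in find_beacons(SAMPLE_LOG).items():
        print(f"periodic beacon candidate: {src} -> {dst} (gap CV {cv})")
```

On the sample, only the 203.0.113.10 pair is flagged (gaps of 299 to 301 seconds give a CV well under 0.01), while the irregular pair is not. The caveat is that an implant which adds random jitter to its interval raises the CV and slips under a strict threshold, so in practice this check is paired with others such as destination reputation and the process owning the connection.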
What this means
While the CIA is reluctant to confirm the leaks, tech companies like Cisco have already warned customers that their products are vulnerable to the exploits mentioned within. Do note that the methods outlined in this latest leak are several years old and of limited use to potential hackers, as they require physical access to a targeted device.
As with any malware attack, the best advice one can give is for users to adopt strong passwords and change them regularly. Tech companies like Apple, Google, and Microsoft continually update their products with patches for vulnerabilities, so it is also extremely important that users update to the latest version of whatever operating system they are using.
How the CIA responded to the leaks
The CIA is directing inquiries about the leaks to a statement it posted earlier this month that describes its job of protecting the country as “innovative, cutting-edge.” You can read the full statement below:
We have no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents. However, there are several critical points we would like to make.
CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.
It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.
The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.
We have reached out to the CIA and Apple for further comment.