Wikileaks has published details of three more CIA hacking tools, this time targeting macOS and Linux.
Two of them, Achilles and SeaPea, target macOS; the third, Aeris, targets Linux and other POSIX systems. All three belong to the CIA project named Imperial.
According to Wikileaks, Achilles lets CIA operators “trojan an OS X disk image installer with one or more desired operator specified executables for a one-time execution”.
The published details suggest that physical access to the target machine is needed. SeaPea, by contrast, is a macOS rootkit that persists across reboots.
Once installed, SeaPea provides stealth and tool-launching capabilities, Wikileaks says, letting CIA operators monitor and control a target’s Mac without the user’s knowledge.
SeaPea first appeared in earlier Vault 7 material on DarkSeaSkies, a set of CIA tools targeting Apple Macs and iPhones.
Aeris, the Linux tool, targets several distributions, including Debian, Red Hat and CentOS, and also runs on Solaris and FreeBSD, which are not Linux but share the POSIX interfaces the implant relies on.
It has built-in data exfiltration features and can be configured for customized operations.
Wikileaks describes Aeris as an automated implant written in C that supports a range of POSIX-based systems, including Red Hat, Solaris, Debian, CentOS and FreeBSD.
“It supports automated file exfiltration, configurable beacon interval and jitter, standalone Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication”, Wikileaks states.
“It is compatible with the NOD cryptographic specification and provides structured command and control that is similar to that used by several Windows implants.”
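The one behaviour in that description a defender can look for from the network side is the beacon: a fixed check-in interval plus bounded jitter. The script below is an added example, not code from the Vault 7 documents or from the Aeris implant itself. It assumes a simple one-record-per-line log format (`timestamp src dst:port`), uses constructed sample entries rather than captured traffic, and flags source/destination pairs whose inter-arrival times are tightly clustered (low coefficient of variation), which is exactly what interval-plus-jitter produces even though no two gaps are identical. The host addresses, the 300-second interval and the thresholds are all assumptions for the sake of the example.

```python
"""Heuristic beacon detection over constructed outbound-connection logs.

Added example (not code from the Vault 7 documents or the Aeris implant).
The log format below is assumed: one `timestamp src dst:port` record per
line. All entries are constructed, not captured from a real network.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 checks in to 203.0.113.10:443 every ~300 s
# with roughly +/-10% jitter; 10.0.0.7 talks to 198.51.100.20 at irregular,
# user-driven times; 10.0.0.9 sends two mails, too few to judge.
SAMPLE_LOG = """\
2017-07-27T10:00:00 10.0.0.5 203.0.113.10:443
2017-07-27T10:00:05 10.0.0.7 198.51.100.20:443
2017-07-27T10:00:09 10.0.0.7 198.51.100.20:443
2017-07-27T10:03:40 10.0.0.7 198.51.100.20:443
2017-07-27T10:05:12 10.0.0.5 203.0.113.10:443
2017-07-27T10:10:00 10.0.0.5 203.0.113.10:443
2017-07-27T10:12:30 10.0.0.9 192.0.2.44:25
2017-07-27T10:15:27 10.0.0.5 203.0.113.10:443
2017-07-27T10:20:03 10.0.0.5 203.0.113.10:443
2017-07-27T10:25:03 10.0.0.5 203.0.113.10:443
2017-07-27T10:29:57 10.0.0.5 203.0.113.10:443
2017-07-27T10:31:02 10.0.0.7 198.51.100.20:443
2017-07-27T10:31:05 10.0.0.7 198.51.100.20:443
2017-07-27T10:35:15 10.0.0.5 203.0.113.10:443
2017-07-27T10:40:00 10.0.0.5 203.0.113.10:443
2017-07-27T10:42:30 10.0.0.9 192.0.2.44:25
2017-07-27T10:48:17 10.0.0.7 198.51.100.20:443
2017-07-27T10:55:00 10.0.0.7 198.51.100.20:443
"""


def parse_log(text):
    """Parse `timestamp src dst:port` lines into (datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_beacons(text, min_intervals=6, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are tightly clustered.

    A fixed interval plus bounded jitter yields a low coefficient of
    variation (stdev / mean) even though the timestamps are never exactly
    periodic; human-driven traffic has gaps spread over orders of magnitude.
    Grouping on dst:port keeps the check channel-agnostic (HTTPS, SMTP, ...).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue  # too few samples to draw a conclusion
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Run against the sample, only the 10.0.0.5 pair is reported (nine connections, mean gap 300 s, CV about 0.055); the irregular host is rejected on variance and the two-message host on sample count. Treat a hit as a triage signal rather than a verdict: update checks, NTP and monitoring agents also beacon, so the thresholds need tuning per environment and the flagged destination still has to be examined.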
Wikileaks has also published the full user guides for all three tools.
The release comes one week after Wikileaks published documents from US defense contractor Raytheon’s Umbrage Component Library project, which Raytheon submitted to the CIA in November 2014.
According to Wikileaks, those documents contain ideas and assessments for malware attack vectors, partly based on public reports from security researchers and private companies in the computer security field.
Wikileaks added that Raytheon acted as a technology scout for the CIA’s Remote Development Branch (RDB): it analyzed malware attacks and recommended techniques for the CIA development teams to investigate further and reuse in their own malware projects.
In effect, Raytheon analyzed malware found in the wild, which could include tools from other intelligence agencies, and passed its findings to the CIA rather than informing the makers of the software that was being exploited.
Now that details of these tools are public, other attackers can draw on them as well; the same user guides also give defenders concrete behaviours to build detections around.