CIA Has Tools to Mimic Known Hacker Groups for Cyberattacks

March 7, 2017 Updated: March 8, 2017

The CIA has been developing a trove of cyberweapons to be able to monitor consumer electronics, seize control of vehicles, and mask cyberattacks so that they appear to be launched by other known hacker groups.

These are among the many revelations from website WikiLeaks, which on March 7 released 8,761 documents and files obtained from the CIA’s Center for Cyber Intelligence in Langley, Virginia.

According to WikiLeaks, the files—code-named the “Vault 7” files—come from a CIA archive that had already been in circulation among unauthorized users, one of whom provided WikiLeaks with a portion of the files for release.

Among the more significant leaks is information about a program under the UMBRAGE group of the CIA’s Remote Devices Branch, which may throw a wrench into current claims that Russian cyberattacks influenced the 2016 U.S. presidential elections.

Under the program, the CIA allegedly maintains a digital library of attacks and techniques found in malware produced by other countries—including the Russian Federation.

It’s common practice among even low-level hackers to use various methods to hide the origin of their cyberattacks, typically by routing their connections through networks in other countries.

If the documents released by WikiLeaks prove to be true, however, they will show that the CIA developed a new method that is far more advanced, with the ability to mimic the traits of known hacker groups. This could significantly impact the entire field of cyber forensics.

The current method for investigating a cyberattack typically involves examining the code that was used and the method of operations to see what hacker group profile they match. By using the same code as a known hacker group, and mimicking their methods, a threat actor could send investigators after the wrong culprit.

A WikiLeaks press release describes each technique as being a kind of “fingerprint” that is used by forensics investigators.

It says that with the UMBRAGE group, and related projects, the CIA can “misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from.”

The CIA did not immediately respond to a request for comment by phone.

Follow Joshua on Twitter: @JoshJPhilipp