WikiLeaks promised more documents from the CIA Vault 7 stockpile and the latest batch shows evidence of the CIA using obfuscation techniques to hide its cyber operations. However, experts said WikiLeaks went too far with allegations of false flag attacks.
The latest Vault 7 release, named Marble, includes 676 source code files for the CIA's Marble Framework, which WikiLeaks describes as anti-forensic code used "to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA."
Hector Monsegur, director of assessments at Rhino Security Labs, said he wasn't surprised by these obfuscation techniques.
"They use obfuscation techniques in the real world. CIA agents have been known to create fake identities, learn new languages, get suntans and wear makeup. It's the same concept," Monsegur told SearchSecurity. "The more sophisticated and targeted the attack is, the higher level of obfuscation you will see. And, if an attacker is focusing on a specific target, they would employ obfuscation to bypass filters, antimalware or virus signatures, etc."
However, experts said WikiLeaks went too far in alleging this data included evidence that the CIA was performing cyberattacks intended to be blamed on other agents, also known as "false flag attacks."
"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi," WikiLeaks claimed in a blog post. "This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion -- but there are other possibilities, such as hiding fake error messages."
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said on Twitter that he reviewed the code and disagreed "emphatically" with the assertion that Marble included evidence of false flag attacks.
"The Marble Framework is just a string obfuscation library. It is interesting, but not in the sense that it would allow for cyber false flag," Williams tweeted. "The Chinese and Russian examples noted by WL only show that the tool was tested for Unicode support, nothing more. [The] Marble Framework tests show that Russian strings could be obfuscated from plain view. The opposite of what you'd want for false flag [attacks]."
Nicholas Weaver, computer security researcher at the International Computer Science Institute in Berkeley, Calif., agreed the false flag attack allegations were unfounded and told SearchSecurity this was an example of WikiLeaks taking advantage of "not having been known to release fake documents as a way of laundering their bogus analysis."
And THIS is the point: Wikileaks wants the CIA to be attributed. Only "public" they serve in this dump is those targeted by the CIA. 🤷♂️ https://t.co/mZmTYrvLow — Nicholas Weaver (@ncweaver) March 31, 2017
Williams said this could be troublesome because "WikiLeaks is not interested in getting it right."
"If they were, they'd enlist the help of real experts before release of the material. As it stands they control the narrative at release time and everyone else is playing catch up," Williams said. "I think the allegations that the CIA is involved in false flag attacks serves to reassure Trump supporters, many of whom deny the Russians were involved in pre-election hacking."