WikiLeaks released another CIA hacking tool from the Vault 7 collection that tracks the geolocation of Wi-Fi-enabled Windows devices.
The documents published this week are dated from 2013 and detail how, using a spyware package called ELSA, the CIA could infect devices running Windows with malware that determines which public Wi-Fi networks the device can currently connect to and the strength of the signals of those networks. By comparing that information to a database of public Wi-Fi networks, the malware determines the approximate geolocation of the targeted device. The CIA would then collect the location log data and store it.
"To perform the data collection, the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled Wi-Fi device," the WikiLeaks post explained. "If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp."
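To make concrete why a log of visible access points is already location data, the following added example (not ELSA code, not from WikiLeaks or the published manual) implements the kind of lookup the article describes: a scan result listing BSSIDs and signal strengths is matched against a database of known access-point positions, and a weighted centroid gives an approximate position. The database, BSSIDs, coordinates and scan rows are all constructed for the example, and the weighting model is an assumption; real geolocation services such as those from Google or Microsoft use far larger databases and more elaborate models, but the principle is the same. From a defender's point of view, the takeaway is that such a scan can be taken offline and needs no association with any network, so a stored scan log should be treated as sensitive as a GPS fix.

```python
from math import isclose

# Constructed stand-in for a public Wi-Fi geolocation database: BSSID -> (lat, lon).
# All BSSIDs and coordinates are invented for this example.
AP_DATABASE = {
    "00:11:22:33:44:01": (51.5010, -0.1420),
    "00:11:22:33:44:02": (51.5014, -0.1412),
    "00:11:22:33:44:03": (51.5006, -0.1408),
    "00:11:22:33:44:09": (48.8584, 2.2945),   # unrelated AP far away; not in the scan
}

# Constructed scan log in the shape such a tool would plausibly record:
# (BSSID, SSID, received signal strength in dBm). The device need not be
# associated with any of these networks; it only has to see their beacons.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", "cafe-guest", -45),
    ("00:11:22:33:44:02", "hotel-wifi", -60),
    ("00:11:22:33:44:03", "library", -72),
    ("aa:bb:cc:dd:ee:ff", "unknown-net", -50),   # not in the database; ignored
]


def rssi_to_weight(rssi_dbm):
    """Map a dBm reading to a linear weight so stronger signals dominate.

    Assumed model: -40 dBm -> 1.0, -50 dBm -> 0.1, -60 dBm -> 0.01, and so on.
    """
    return 10 ** ((rssi_dbm + 40) / 10)


def estimate_position(scan, database):
    """Signal-weighted centroid of the known access points in a scan.

    Returns (lat, lon, matched_count), or None when no BSSID is known.
    """
    total_weight = 0.0
    lat_acc = 0.0
    lon_acc = 0.0
    matched = 0
    for bssid, _ssid, rssi in scan:
        coords = database.get(bssid.lower())
        if coords is None:
            continue            # unknown AP contributes nothing
        weight = rssi_to_weight(rssi)
        lat_acc += coords[0] * weight
        lon_acc += coords[1] * weight
        total_weight += weight
        matched += 1
    if matched == 0:
        return None
    return (lat_acc / total_weight, lon_acc / total_weight, matched)


def describe(scan, database):
    """Human-readable summary of what the scan alone reveals."""
    result = estimate_position(scan, database)
    if result is None:
        return "no known access points in scan; position unresolved"
    lat, lon, n = result
    return f"approx. position {lat:.4f}, {lon:.4f} from {n} known access point(s)"


if __name__ == "__main__":
    print(describe(SAMPLE_SCAN, AP_DATABASE))
```

The strongest access point pulls the estimate toward its own coordinates, which is why the result lands within about a hundred metres of the first entry even though three points contributed. A scan containing no BSSID known to the database resolves to nothing, which is the only case in which a stored scan log is not, by itself, a position.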
The ELSA project user manual that WikiLeaks posted focuses on devices running Windows 7, but it's likely it could be adapted to other versions of Windows. The release does not include the actual malware executables used in the ELSA project. So while the public can now see how the ELSA project works, it cannot execute it without a little bit of work and some other CIA hacking tools.
"The malware itself does not beacon this data to a CIA back-end," WikiLeaks said. "Instead the operator must actively retrieve the log file from the device -- again using separate CIA exploits and backdoors."
The release of the ELSA project documents came only a week after another Vault 7 disclosure from WikiLeaks called Brutal Kangaroo. A USB malware tool suite for Windows, Brutal Kangaroo targets closed networks and could potentially be reverse engineered. Another Vault 7 disclosure, OutlawCountry, released the day after ELSA, described a tool for redirecting outbound network traffic from Linux systems to CIA-controlled systems.
In other news:
- U.S. senators have taken steps to try to ban the use of Kaspersky Lab's software by the U.S. military. The move was tacked onto the National Defense Authorization Act as part of a tactic to counter "Russian aggression." The amended bill from the Senate Armed Services Committee now reads that the Department of Defense should be prohibited from "using software platforms developed by Kaspersky Lab due to reports that the Moscow-based company might be vulnerable to Russian government influence." Eugene Kaspersky, founder and CEO of Kaspersky Lab, has previously denied that his company is tied to the Kremlin. This move from the Senate committee on Wednesday followed reports that FBI agents visited the homes of Kaspersky Lab employees in the U.S. Tuesday night. While the nature of the visits is unclear, the company did confirm that they happened and described them as "due diligence," according to Reuters. It is unknown whether the visits are tied to the special investigation into Russian interference in the 2016 presidential election.
- NATO confirmed it is establishing cyber as a military domain, joining the ranks of land, air and sea. This means that a cyberattack can trigger Article 5 of the NATO treaty, under which an attack on one NATO country is treated as an attack on all NATO countries. "We have also decided that a cyberattack can trigger Article 5, ... and we are in the process of establishing cyber as a military domain [so] that we will have land, air, sea and cyber as military domains," NATO's secretary general Jens Stoltenberg said at a press conference in Brussels. "All of this highlights the advantage of being an alliance of 29 allies because we can work together, strengthen each other and learn from each other." Stoltenberg also noted that NATO has been helping Ukraine to "improve its cyberdefenses" this week during the Petya-like malware attacks.
- Apple and Cisco are partnering to offer discounts on cyberinsurance for organizations that use products from both companies. "We're collaborating with insurance industry heavyweights to lead the way in developing the architecture that enables cyber insurance providers to offer more robust policies to our customers," Cisco Security vice president David Ulevitch wrote in a blog post. "We will do this by enabling continuous security monitoring and a measurable reference architecture that includes technologies from Apple and Cisco." Apple CEO Tim Cook spoke at an event this week saying that, "The thinking we share here is that if your enterprise or company is using Cisco and Apple, the combination of these should make that [cybersecurity] insurance cost significantly less." Details on how this will work are unclear, but Ulevitch noted that they will say more in the coming months.