Wikileaks releases ‘Dark Matter’, the latest batch of documents in the #Vault7 series.
March 23rd, 2017 – Wikileaks has released CIA Vault7 “Dark Matter,” and the newest leak contains several documents on CIA projects that infect Apple Mac computer firmware. Developed by the CIA’s Embedded Development Branch (EDB), these documents explain the techniques used by the CIA to gain ‘persistence’ on Apple Mac devices and iPhones. This means that the infection persists even if the operating system is reinstalled.
Included in these documents are projects such as “Sonic Screwdriver”, among others. As explained by the CIA, this project is a “mechanism for executing code on peripheral devices while a mac laptop or desktop is booting”, allowing an attacker to boot attack software from, for example, a USB stick, “even when a firmware password is enabled”. The Sonic Screwdriver infector is stored in the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
Dark Sea Skies
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.
Triton, Dark Mallet, DerStake1.4
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake” can also be found in this release. The DerStake1.4 manual released today dates to 2013; other Vault 7 documents show that, as of 2016, the CIA was continuing to rely on and update these systems. DerStake2.0 is currently in production.
The release also contains the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Note that NightSkies had reached version 1.2 by 2008 and is expressly designed to be physically installed onto factory restored phones. The iPhone supply chain is targeted and has been infected by the CIA since 2008.
CIA assets are sometimes used to physically infect systems while those systems are in the custody of a target. It is very likely that many CIA physical access attacks have infected the targeted organization’s supply chain by interdicting mail orders and other shipments, that is, opening, infecting and resending them, whether they are leaving the United States or otherwise.