- WikiLeaks announces “Vault 8”.
- WikiLeaks publishes the source code for a toolkit named Hive.
- Hive is the most sophisticated framework of CIA infrastructure.
- Hive provides a secret communications platform for a whole range of CIA malware.
WikiLeaks publishes the source code for a toolkit named Hive, a significant component of the CIA infrastructure used to control its malware.
Vault 8 includes source code and analysis for CIA software projects, including those described in the Vault 7 series. WikiLeaks says Hive is just the first of a long string of similar releases, a series WikiLeaks calls Vault 8, which consists of source code for tools previously released in the Vault 7 series.
Hive, the most sophisticated framework of CIA infrastructure
The most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators securely and without drawing attention. Hive solves this critical problem for the CIA's malware operators. With Hive, even if an implant is discovered on a target computer, attributing it to the CIA is hard by just watching the malware's communication with other servers on the internet.
Hive provides a secret communications platform for a whole range of CIA malware to send exfiltrated data to CIA servers and to receive new directions from operators at the CIA.
Hive serves various operations using multiple implants on target computers. Every operation anonymously registers at least one cover domain for its use.
If somebody browses a cover domain, it delivers ‘innocent’ content, so a visitor does not suspect that it is anything other than a regular website.
According to WikiLeaks, “These servers are the public-facing side of the CIA back-end infrastructure and operate as a relay for HTTP(S) traffic over a VPN connection to a ‘hidden’ CIA server called Blot.”
The server running the cover domain's website is a Virtual Private Server (VPS) rented from commercial hosting providers, with its software customized to CIA specifications.
Hive uses an uncommon HTTPS server option, Optional Client Authentication, so that a user browsing the website is not required to authenticate. Implants talking to Hive, however, do authenticate themselves and can therefore be recognized by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb, while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.
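The split described above gives a defender something concrete to look for: a public-facing website that serves anonymous visitors normally but also accepts client certificates from a handful of sources. The following is an added detection example, written for this page and not taken from the Hive source or from WikiLeaks; it runs over constructed TLS session records with example-specific field names (`src_ip`, `server_name`, `client_cert_presented`, `client_cert_issuer`) and hypothetical host names, and flags hosts that show the "mostly anonymous, plus a few client-authenticated clients" pattern while excluding hosts already known to use mutual TLS. One caveat a practitioner should keep in mind: in TLS 1.2 the client's Certificate message is sent in the clear, so a passive sensor can populate such records, but in TLS 1.3 it is encrypted, so there the data would have to come from the server or endpoint side.

```python
"""Flag public web hosts that accept client certificates from a few clients
while serving everyone else anonymously (optional client authentication).

Added example for illustration; not code from Hive or WikiLeaks.
Field names, host names and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class TlsSession:
    """One observed TLS session. The schema is this example's own (hypothetical),
    not that of any particular network sensor."""
    src_ip: str
    server_name: str                          # SNI requested by the client
    client_cert_presented: bool               # client sent a Certificate message
    client_cert_issuer: Optional[str] = None  # issuer DN of that cert, if seen


# Constructed sample telemetry: RFC 5737 documentation addresses and private
# addresses, hypothetical host names. Not real observations.
SAMPLE_SESSIONS: List[TlsSession] = [
    TlsSession("198.51.100.10", "cover-site.example", False),
    TlsSession("198.51.100.11", "cover-site.example", False),
    TlsSession("198.51.100.12", "cover-site.example", False),
    TlsSession("10.20.30.40", "cover-site.example", True, "CN=Unknown Root CA"),
    TlsSession("10.20.30.41", "vpn.corp.example", True, "CN=Corp Internal CA"),
    TlsSession("10.20.30.42", "vpn.corp.example", True, "CN=Corp Internal CA"),
    TlsSession("198.51.100.13", "blog.example", False),
]

# Hosts where mutual TLS is expected (e.g. a corporate VPN portal); these are
# excluded so the detector only reports the mixed anonymous/authenticated case.
KNOWN_MTLS_HOSTS = {"vpn.corp.example"}


def find_optional_client_auth_hosts(
    sessions: Iterable[TlsSession],
    known_mtls_hosts: Iterable[str] = KNOWN_MTLS_HOSTS,
    min_anonymous: int = 2,
) -> Dict[str, List[str]]:
    """Return {server_name: [client IPs that presented a certificate]} for hosts
    that served at least `min_anonymous` sessions without client auth AND at
    least one session with it. Hosts in `known_mtls_hosts` are skipped."""
    skip = set(known_mtls_hosts)
    anon_count: Dict[str, int] = defaultdict(int)
    cert_clients: Dict[str, set] = defaultdict(set)

    for s in sessions:
        if s.server_name in skip:
            continue
        if s.client_cert_presented:
            cert_clients[s.server_name].add(s.src_ip)
        else:
            anon_count[s.server_name] += 1

    findings: Dict[str, List[str]] = {}
    for host, clients in cert_clients.items():
        # Pure-mTLS hosts never reach min_anonymous; pure-anonymous hosts have
        # no entry in cert_clients. Only the mixed case is reported.
        if anon_count[host] >= min_anonymous and clients:
            findings[host] = sorted(clients)
    return findings


def issuers_for(sessions: Iterable[TlsSession], host: str) -> List[str]:
    """Distinct issuer DNs seen on client certificates sent to `host`; useful
    for triage (an issuer unknown to the organization is a stronger signal)."""
    seen = {
        s.client_cert_issuer
        for s in sessions
        if s.server_name == host and s.client_cert_presented and s.client_cert_issuer
    }
    return sorted(seen)


if __name__ == "__main__":
    hits = find_optional_client_auth_hosts(SAMPLE_SESSIONS)
    for host, ips in hits.items():
        print(f"{host}: client certs from {', '.join(ips)}; "
              f"issuers {issuers_for(SAMPLE_SESSIONS, host)}")
```

On the constructed sample the detector reports only `cover-site.example`, because `vpn.corp.example` is allow-listed and would in any case have no anonymous sessions, and `blog.example` never sees a client certificate. In practice the allow-list and the `min_anonymous` threshold are the tuning knobs: raise the threshold on busy sites to avoid noise from single stray connections, and review any reported issuer that is not one of the organization's own CAs.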
Hive does not pose an immediate danger to end users, as it cannot be used to compromise computers, but it can be used to set up a backbone infrastructure for the delivery and control of other, more potent threats.