Wikileaks has released the Vault 8 series, a sequel to Vault 7. This series contains the source code of alleged CIA (Central Intelligence Agency) hacking tools. Hive is the first tool featured in the Vault 8 series.
Wikileaks' stated intention for this release is to “enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.”
Details on Hive were first revealed on 14 April 2017 as part of WikiLeaks' release of CIA hacking tool documentation known as Vault 7. Wikileaks stated that “Hive aids the agency in controlling malware installed on target devices.” The source code published in this series is software designed to run on servers controlled by the CIA. The released source code does not contain code that could be used for zero-day attacks.
Wikileaks further claims that “Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet.”
Wikileaks describes the functioning of Hive as follows: “Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called ‘Blot’.
The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users – an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate – it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.”
Furthermore, Wikileaks alleged that the CIA impersonated existing entities when generating the digital certificates used to authenticate implants. For example, a certificate in the name of Kaspersky Laboratory, Moscow, purports to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic leaving its network, it is likely to misattribute the CIA's data exfiltration to uninvolved entities whose identities have been impersonated.
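The misattribution described above rests on a simple fact: the Issuer field of a certificate is only a name, and only chain validation to a trusted root proves who actually signed it. The following Go example, added here and not part of the leaked material or of the original article, builds a genuine CA and an impostor CA under the same constructed name, issues a server certificate from the impostor, and shows that the leaf carries the matching issuer name yet fails validation against the genuine CA; all names are constructed and the `must`, `sign`, `newCA`, `ChainsTo` and `ImpostorScenario` helpers are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign fills in a validity window and signs tmpl with priv on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// newCA makes a self-signed CA; nothing stops two unrelated keys from carrying the same name.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// ChainsTo reports whether leaf cryptographically validates to root for host, whatever its Issuer field says.
func ChainsTo(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// ImpostorScenario: leaf issued by an impostor CA copying the genuine CA's name. Returns (issuerNameMatches, chainsToGenuine, chainsToImpostor).
func ImpostorScenario() (bool, bool, bool) {
	const caName, host = "Example Premium Server CA", "perfectly-boring-looking-domain.com" // constructed, not real entities
	genuine, _ := newCA(caName)
	impostor, impKey := newCA(caName)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}}, impostor, &leafKey.PublicKey, impKey)
	return leaf.Issuer.CommonName == genuine.Subject.CommonName, ChainsTo(leaf, genuine, host), ChainsTo(leaf, impostor, host)
}
```

For forensic review of captured traffic, the same `ChainsTo` check against a pool of the genuinely trusted roots separates a certificate that merely names an issuer from one that issuer really signed.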
The CIA continues to state that it has “no comment on the authenticity of purported intelligence documents released by Wikileaks.”