WikiLeaks dumped 12 new documents today that provide a more in-depth look at the hacking techniques the CIA allegedly used to hack Apple devices, such as Macs and iPhones.

This dump, which WikiLeaks identifies under the Dark Matter codename, is part of a series of dumps called Vault 7, which WikiLeaks claims are hacking tools obtained from the CIA.

The first Vault 7 dump, named Year Zero, came to light at the start of March and included wiki pages from the CIA's intranet, containing documentation for some of the CIA's cyber-weapons.

Dark Matter includes details on lots of EFI/UEFI implants

Included in this original leak were documents related to CIA's alleged arsenal of OS X and iOS hacking tools. Today's Dark Matter dump provides 12 new documents that contain a lot more information on those tools.

Dark Matter list

For example, Sonic Screwdriver is a hacking tool that CIA operators can deploy from an Apple Thunderbolt-to-Ethernet adapter.

This hacking tool allows the operator to execute malicious code from an USB, CD, DVD, or portable hard drive, during a Mac's boot-up, even if the Mac's firmware is password-protected.

Another tool, named DarkSeaSkies, "is an implant that persists in the EFI firmware of an Apple MacBook Air computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space implant." Furthermore, DarkSeaSkies includes smaller components.

DarkSeaSkies consists of three different tools:
1. DarkMatter: An EFI driver that persists in firmware and installs the other two tools.
2. SeaPea: A Mac OSX kernel-space implant that executes, and provides stealth and privilege to user-space implants.
3. NightSkies: A Mac OSX user-space implant that beacons to a listening post and provides command and control.

The two other tools, Triton and DerStarke, are related. Triton is an automated implant for Mac OS X, while DerStarke is a diskless, EFI-persistent version of Triton.

As you can see, all tools target the EFI/UEFI (Unified Extensible Firmware Interface) specification, which is a software component that assists with the initialization of hardware components while booting up the operating system.

Placing malicious code in EFI/UEFI assures an attacker the ability to execute that malicious code on every boot-up, even if users reinstall their operating system.

CIA was targeting iPhones one year after their launch

While not prominently featured in the tool's description, the DarkSeaSkies module NightSkies also comes with support for iPhone devices.

A document dated July 2008, one year after the iPhone's launch, details how NightSkies could provide "upload, download and execution capability" on Apple iPhone 3G v2.1 devices.

The document says CIA operators needed physical access to install the NightSkies implant, but once installed, NightSkies would only work when it detected user activity on the device, hiding any traffic among the user's own actions. This provides a state-sponsored attacker like the CIA with the advantage all APTs crave the most, which is stealth.

Albeit leaked documents don't particularly mention this detail, WikiLeaks claims NightSkies "is expressly designed to be physically installed onto factory fresh iPhones," and that "the CIA has been infecting the iPhone supply chain of its targets since at least 2008."

At the time of writing the CIA has never officially acknowledged the authenticity of the leaked WikiLeaks documents. Nonetheless, Motherboard noted yesterday that the Agency had asked a judge not to allow documents dumped by WikiLeaks in a case, as they were "classified content," accidentally acknowledging their authenticity.

Related Articles:

Apple Launches iPhone XR, iPhone XS, iPhone XS Max and Watch Series 4

Apple's New Data & Privacy Portal Lets You Download Your Data

Apple Releases Security Updates for iOS and iCloud, Fixes Passcode Bypass

Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones

APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild