After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series that supposedly contains CIA-made hacking tools the organization claims it received from hackers and agency insiders.
Today's dump includes the documentation for a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models.
The tool is by far one of the most sophisticated malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network.
The most complex part of using CherryBlossom is by far deploying the tool on a target's routers. This can be done by a field operative, or remotely by using a router flaw that allows CIA operators to install new firmware on the targeted device.
Internally, CherryBlossom is made up of different components, each with a very precise role:
According to the CherryBlossom manual, CIA operators can send "missions" to infected devices from the CherryTree C&C server via the CherryWeb panel.
Mission types vary wildly, which speaks volumes about the tool's versatility. For example, missions can:
According to the CIA docs, FlyTraps can be installed on both WiFi routers and access points. There is a separate document that lists over 200 router models that CherryBlossom can target, most of which are older models. This 24-page document is not dated, but the rest of the CherryBlossom manuals are — between 2006 and 2012.
You'll find a list of all WiFi equipment vendors that were included in this document at the bottom of this article. For the full vendor-series list, please refer to the original WikiLeaks document here.
In addition, French security researcher X0rz noticed a small detail that might help investigators track down CherryBlossom installations. According to the tool's installation guide, the default URL for the CherryWeb control panel is "https://CherryTree-ip-address/CherryWeb/" (e.g.: https://10.10.10.10/CherryWeb/). Scanning the Internet for CherryWeb web folders will reveal how many CherryBlossom installations are currently deployed online.
WikiLeaks claims the CIA co-developed CherryBlossom together with a US nonprofit named Stanford Research Institute (SRI International), but SRI's name only appears in one document — the manual for a tool named Sundew, a Linux-based wireless scanner used to identify the make and model of wireless devices. It is unclear at this moment what SRI's role was.
In May, WikiLeaks published documents revealing that US cyber-security company Siege Technologies had helped the CIA develop a tool called Athena, a versatile implant (the CIA's term for "malware").
Unlike the Shadow Brokers, who dumped the actual hacking tools they claim to have stolen from the NSA, WikiLeaks only published the CherryBlossom documentation, without dumping the actual tool.
You can read our previous WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks Vault 7 dumps:
List of WiFi router/AP vendors included in the CherryBlossom docs: