WikiLeaks Vault7

Documents included in yesterday's WikiLeaks Vault 7 dump reveal the CIA used code from public malware samples to advance its technical capabilities.

The CIA ran a dedicated group named Umbrage, tasked with reviewing publicly available malware and embedding selected features into custom CIA hacking tools. One leaked document describes the Umbrage team and its purpose as follows:

The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware. The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications.

CIA reused code from Shamoon, Nuclear EK

The Vault 7 dump, which WikiLeaks claims it received from government contractors and hackers, did not include any actual malware samples, only the internal CIA documentation.

The Umbrage documentation indicates that the CIA reused code from several malware families. Most entries are attributed only with a generic "Known Malware" tag, but some name the malware explicitly. According to the leaked documents, the CIA "borrowed" code from:

Shamoon - a malware family that wipes hard drives after stealing data. The CIA reused the part of the Shamoon code that deletes locked files. (source)
UpClicker - a trojan that stays dormant until it observes a mouse click. The CIA reused that part of the trojan to detect sandboxed environments: the code waits for a user's click before continuing, because automated analysis sandboxes rarely generate one. (source)
Nuclear Exploit Kit - a now-defunct exploit kit. The CIA used one of its functions to evade Kaspersky's sandbox environment. (source)
HiKit - a rootkit discovered in 2012. The Umbrage team used one of its DLL hijacking techniques to gain persistence on infected hosts. (source)
Carberp - a banking trojan with rootkit capabilities, used by the Carberp gang to rob banks around the world. The CIA used it as the base for StolenGoods, a persistence module for malware-laced installers. (source)

CIA might have used some of Hacking Team's code

According to another Umbrage file, the CIA also explored using code from Hacking Team, an Italian spyware maker that sold malware to government agencies and was itself hacked in 2015, with its malware and internal files dumped online.

The dumped document reveals that the CIA collected the Hacking Team data and, in August 2015, two months after the hack, considered running tests on it and mapping its capabilities.

The CIA must have found something interesting, because the redacted document shows that by September 2015 the Agency had decided to expand its review to all the Hacking Team files, including emails and internal documents, not just the malware and exploit samples.

While the leaked files suggest the CIA reused this code mainly to save development time and cost, WikiLeaks proposes another theory.

According to the organization, the CIA reused code from public malware samples to "misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from."

WikiLeaks also said the Umbrage group reused code from malware stolen from other states, including the Russian Federation. Many publications are now citing this claim to question the US attribution of last year's DNC hacks to Russia. Note, however, that the Umbrage description quoted above frames the library as reusable code snippets for building targeted tools quickly, and the borrowings named in the leaked documents are individual techniques (sandbox checks, persistence, file deletion) rather than complete tools, so the documents themselves do not establish that misdirection was the goal.