WikiLeaks today dumped "Vault 7," 930 MB of manuals and documentation files for exploits, zero-days, and hacking tools that the organization claims belong to the CIA.
Among the dozens of hacking tools included, one stands out from the rest. Named "Fine Dining," it is not a zero-day exploit or vulnerability like most of the others, but a collection of malware-laced applications.
Fine Dining is a collection of malware-laced applications
Designed for field operations, Fine Dining is meant for situations where an agent has to infect a computer while the victim is watching.
CIA field agents receive one or more of these decoy applications, which they store on a USB drive. While on a mission, they plug the drive into a target's computer and run one of the applications.
Just like in the movies, while the agent is using the app, say to show a slideshow presentation in Prezi, the decoy app also runs malicious code that scans the victim's storage and collects files matching a preselected list of file types. Exfiltration can take place over the Internet, or by storing the stolen data on the USB drive itself.
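The behaviour just described (a program started from removable media that sweeps the user's documents and then writes to the same drive or opens a network connection) is a pattern an endpoint telemetry pipeline can correlate on. The following is an added example of such a correlation rule, not code from the leaked documents or from any EDR product: the event format, the drive-letter list, the document extensions and the read threshold are all assumptions, and the events are constructed for the example.

```python
"""Heuristic detection of a 'decoy app on a USB drive' collector.

Added example. The event schema below is a simplified, constructed one
(type / pid / image / path / dst), not a real Sysmon or EDR format.
"""
import ntpath
from collections import defaultdict

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".odt"}
REMOVABLE_DRIVES = {"E:"}       # assumed: drive letters the agent reports as removable
DOC_READ_THRESHOLD = 20         # assumed tuning value; not from the page


def drive_of(path):
    """Return the upper-cased drive prefix ('E:') of a Windows path."""
    return path[:2].upper()


def is_document(path):
    """True if the path's extension is one of the document types we care about."""
    return ntpath.splitext(path)[1].lower() in DOC_EXTS


def detect_decoy_collector(events):
    """Correlate events per PID and return alerts (sorted by pid).

    A process is flagged when all three hold: its image lives on a removable
    drive, it read at least DOC_READ_THRESHOLD documents, and it opened an
    exfiltration channel (a write back to removable media, or a network
    connection).
    """
    procs = {}                          # pid -> image path
    doc_reads = defaultdict(int)        # pid -> number of document reads
    channels = defaultdict(set)         # pid -> {"removable_media", "network"}
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            procs[pid] = ev["image"]
        elif ev["type"] == "file_read" and is_document(ev["path"]):
            doc_reads[pid] += 1
        elif ev["type"] == "file_write" and drive_of(ev["path"]) in REMOVABLE_DRIVES:
            channels[pid].add("removable_media")
        elif ev["type"] == "net_connect":
            channels[pid].add("network")

    alerts = []
    for pid, image in sorted(procs.items()):
        if drive_of(image) not in REMOVABLE_DRIVES:
            continue                    # only processes launched from removable media
        if doc_reads[pid] < DOC_READ_THRESHOLD or not channels[pid]:
            continue                    # too few documents, or nowhere for them to go
        alerts.append({"pid": pid, "image": image,
                       "doc_reads": doc_reads[pid],
                       "channels": sorted(channels[pid])})
    return alerts


def _constructed_events():
    """Constructed sample telemetry: one decoy collector and two benign processes."""
    ev = [
        {"type": "process_create", "pid": 4321, "image": "E:\\VLCPortable\\VLCPortable.exe"},
        {"type": "process_create", "pid": 5555, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
        {"type": "process_create", "pid": 6666, "image": "E:\\Tools\\notes.exe"},
    ]
    # The decoy sweeps the Documents folder, stages data on the USB drive, then connects out
    # (203.0.113.7 is a documentation-range address, constructed for the example).
    for i in range(25):
        ev.append({"type": "file_read", "pid": 4321, "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    ev.append({"type": "file_write", "pid": 4321, "path": "E:\\.cache\\stage.bin"})
    ev.append({"type": "net_connect", "pid": 4321, "dst": "203.0.113.7:443"})
    # Benign: Word opens a few documents and saves one locally.
    for i in range(3):
        ev.append({"type": "file_read", "pid": 5555, "path": f"C:\\Users\\alice\\Documents\\memo{i}.docx"})
    ev.append({"type": "file_write", "pid": 5555, "path": "C:\\Users\\alice\\Documents\\memo0.docx"})
    # Benign: a portable tool on the same drive reads two files and writes nothing out.
    ev.append({"type": "file_read", "pid": 6666, "path": "C:\\Users\\alice\\Desktop\\todo.txt"})
    ev.append({"type": "file_read", "pid": 6666, "path": "E:\\Tools\\config.ini"})
    return ev


CONSTRUCTED_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in detect_decoy_collector(CONSTRUCTED_EVENTS):
        print(alert)
```

Run stand-alone, the script reports only PID 4321: the Word process reads documents but never touches removable media or the network, and the second portable tool runs from the USB drive but reads too little to matter. The threshold and extension list are deliberately the tunable parts; in a real deployment they come from the environment's baseline rather than from a fixed constant.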
Currently, Fine Dining includes modules that can be used to weaponize applications such as:
- VLC Player Portable
- Kaspersky TDSS Killer Portable
- McAfee Stinger Portable
- Sophos Virus Removal
- Libre Office Portable
- Sandisk Secure Access
- Portable Linux CMD Prompt
According to WikiLeaks, Fine Dining was developed by OSB (Operational Support Branch), a division of the CIA's Center for Cyber Intelligence.
Fine Dining decoy apps generated on a per-mission basis
Another WikiLeaks document reveals that Fine Dining is extremely versatile and can be configured for a wide range of deployment scenarios.
Before every mission, CIA agents have to fill out a 20-question form. Based on their answers, a case officer generates a custom version of the final decoy app(s).
The survey asks the agent for details such as the target's operating system, whether the target uses any security software, whether the machine is connected to the Internet, whether the agent can access the target's PC more than once, and more. The full survey is below.
- Who will be the operator of the tool?
  - Case Officer or TIO (Only allow case officers to run removable media collection)
  - Liaison or Liaison Asset
- Who is the target of the collection?
  - Liaison Asset
  - Foreign Information Operations
  - Foreign Intelligence Agency
  - Foreign Government Entity
  - System Administrator or Comparable Technical Target
- Will the operator of the tool be watched while the collection is occurring?
- Does the target machine reside in a Hard Target country?
- Do you intend to collect data from the target's Removable Media (Thumb Drive, SD Cards, CDs, etc.) or from the target's machine (Laptop, Desktop, Surface, or Server)?
  - Removable Media
- What is the target?
  - Windows Server
  - Microsoft Surface
- What is the Operating System running on the target machine?
  - Windows XP
  - Windows Vista
  - Windows Seven
  - Windows 8/8.1
  - Windows 10
- If known, check applications running on the machine (will have a list of known PSPs, Data Loss Prevention Software, USB protection, and monitoring tools)
  - DLP, USB Guard?
  - Monitoring Tools
- Is the machine connected to the internet?
- Will you have recurring access to the target?
- How much time will you have on target?
  - < 1 minute
  - < 5 minutes
  - 5 - 10 minutes
  - 10 - 30 minutes
  - 30+ minutes
- Data Path (internal routing)?
- Would you like a survey of the target machine to be collected (recommended)?
- What information about the machine would you like to obtain?
  - Geo-locational (How aggressive?)
  - User Information / Positive Identification
  - Counter Intelligence / ARMS
  - Pattern Of Life
  - Return Information
  - General Machine Information (How aggressive should network be?)
- Would you like to collect files on the target machine?
- What types of files would you like to collect?
  - Office Documents (Microsoft Office, Open Office, Adobe PDF Documents) (Word, Excel, PowerPoint granularity?)
  - Custom File Formats
- Does the operator have administrator access on the machine?
- Questions regarding cover application
- Operation Crypt and/or Asset Crypt (Internal Tracking Purposes Only)
- Feature Request (Internal Uses Only)