Vault7 Reveals that Even the CIA Reverse Engineers Malware to Re-Use Code

Malware

The recent CIA data dump from WikiLeaks, named Vault7, reveals many things about the CIA’s cyber intelligence efforts. For my part, the revelation that much of the malicious code the CIA uses to spy on foreign nationals around the world uses “snippets” of code from known public malware was among the most important and significant insights.

Recently, WikiLeaks released documents named Vault7 that contain information regarding the CIA’s cyber intelligence program. The CIA has a sub-division, based in Langley, VA, known as the CCI or Center for Cyber Intelligence (see organization chart below). This division is responsible for developing its own cyber surveillance program, independent of the NSA. The data dump reveals that this program has developed malware that infects iPhones, Windows systems, Android phones, and even Samsung TVs.

Within the CCI at the CIA, there is another group referred to as the Umbrage Group. As the document below indicates, the Umbrage Group was assigned the task of maintaining a library of re-usable code taken from other known public malware. In this way, the CIA could rapidly develop malware from snippets of other known malware. The documents indicate that the CIA re-used code from Shamoon, Upclicker, Nuclear Exploit Kits and HiKit, among others; the names of other malware they drew on were redacted from these documents. In addition, the CIA likely used all or a portion of the zero-day exploits of Hacking Team, the Italian private exploit development company that sells its exploits to governments.

This argues strongly for enhancing your skills as a cyber security professional by studying Reverse Engineering Malware. From my experience, neither the NSA nor the CIA reinvents the wheel when developing new malware. They simply re-engineer and re-purpose existing malware, first using debuggers and disassemblers to find code sections that they can then re-use. Among the many advantages of such an approach is misdirecting forensic analysts as to the source of the malware (forensic analysts often trace the origin of malware through re-used code snippets).
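The tracing mentioned above works by looking for code fragments an unknown sample shares with samples from already-known families. The following is an added example, not code from the original post, of the simplest form of that technique: every fixed-size window of a code section is hashed into a fingerprint, and the sample is ranked against a library of known families by the fraction of its fingerprints each family also contains. The byte strings, family names and `attribute`/`fingerprints` functions are constructed for this demo; real tooling would normalise opcodes and operands before hashing rather than use raw bytes.

```python
"""Shared-fragment fingerprinting: flag code re-use between an unknown
sample and known malware families (forensic attribution, defender side).

Added example, not code from the original post. All byte strings below are
constructed placeholders standing in for unpacked code sections; the family
names are labels for this demo only.
"""
from __future__ import annotations

import hashlib

NGRAM = 8  # window size in bytes; production tooling uses opcode-normalised windows


def fingerprints(code: bytes, n: int = NGRAM) -> set[str]:
    """Hash every n-byte sliding window of a code section into a set of fingerprints."""
    return {
        hashlib.sha1(code[i:i + n]).hexdigest()[:16]
        for i in range(len(code) - n + 1)
    }


def shared_fraction(sample: set[str], reference: set[str]) -> float:
    """Fraction of the sample's fingerprints that also occur in the reference set."""
    if not sample:
        return 0.0
    return len(sample & reference) / len(sample)


def attribute(sample_code: bytes, library: dict[str, bytes],
              threshold: float = 0.2) -> list[tuple[str, float]]:
    """Rank known families by fragment overlap with the sample.

    Only families whose overlap meets the threshold are reported. Overlap is
    evidence that code was re-used, not proof of who wrote the sample: as the
    post notes, re-using someone else's snippets is also a way to misdirect
    exactly this kind of analysis, so treat a hit as a lead to investigate.
    """
    sample_fp = fingerprints(sample_code)
    hits = []
    for family, code in library.items():
        frac = shared_fraction(sample_fp, fingerprints(code))
        if frac >= threshold:
            hits.append((family, round(frac, 3)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


# Constructed reference library: two "families" with disjoint code sections.
LIBRARY = {
    "family_a": bytes(range(0, 64)),      # 64 distinct bytes, 0x00..0x3f
    "family_b": bytes(range(128, 192)),   # 64 distinct bytes, 0x80..0xbf
}

# Constructed unknown sample: the first half of family_a's section followed
# by 32 bytes of novel code. 57 windows in total; the 25 windows that lie
# entirely inside the copied half match family_a, the 7 straddling the join
# and the 25 in the novel tail match nothing.
UNKNOWN_SAMPLE = LIBRARY["family_a"][:32] + bytes(range(200, 232))


def demo() -> list[tuple[str, float]]:
    """Run attribution for the constructed sample; returns [('family_a', 0.439)]."""
    return attribute(UNKNOWN_SAMPLE, LIBRARY)


if __name__ == "__main__":
    for family, frac in demo():
        print(f"{family}: {frac:.1%} of sample fragments shared")
```

Because `shared_fraction` is normalised by the sample's own fingerprint count, a small sample that was lifted wholesale from a large family scores high, which is the case an analyst cares about; the threshold keeps incidental matches (shared library stubs, compiler prologues) from cluttering the ranking.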

This is one of the primary reasons I have begun a new series on Reverse Engineering Malware. In an earlier article, I pointed out the many reasons you should study Reverse Engineering Malware, and I believe these documents reveal that many organizations, including the CIA, reverse engineer malware.

To reach the pinnacle of exploit development and malware forensics, you need to understand Reverse Engineering Malware.