Wikileaks Reveals Hive: The CIA’s Top Secret Virus Control System
Wikileaks Reveals Hive: The CIA’s Top Secret Virus Control System from The Anti-Media
Early Friday morning, Wikileaks released its fifth batch of Vault 7 documents exposing the U.S. Central Intelligence Agency’s hacking techniques. The latest release, titled “Hive,” exposes the agency’s multi-platform malware suite that allows the CIA to monitor targets via malware as well as the ability to realize specific tasks on compromised machines.
Hive is said to provide customizable implants for a variety of operating systems for distinct types of devices, not just computers, tablets, and phones. Among the platforms vulnerable to Hive include Linux, Windows, Solaris, MikroTik (used in Internet routers), and AVTech Network Video Recorders (often used in CCTV recording). First released in 2010, Hive is essentially an “implant” that functions as both a beacon and shell, allowing CIA hackers to gain a foothold in devices that allow them to deploy any number of other tools, such as those detailed in previous releases.
Wikileaks has described Hive’s function as a “back-end infrastructure malware” that uses public HTTPS interfaces which provide “unsuspicious-looking cover domains” to hide its presence on infected devices. Each of those domains is linked to an IP address at a commercial Virtual Private Server (VPS) provider, which forwards all incoming traffic to what is termed a “Blot” server. All re-directed traffic is then examined by CIA hackers to see if it contains a valid beacon. If it does, then a tool handler – called Honeycomb in the released documents – and the CIA then begins initiating other actions on the target computer. The released user guide shows that Hive allows for the uploading and deleting of files as well as the execution of applications on the device.
Unlike some other Vault 7 tools which can persist indefinitely on targeted devices, Hive comes with a “self-delete” function that allows the malware to destroy itself if it receives no signal from the CIA for a set amount of time. The self-deletion leaves only a log and configuration file, containing only a time-stamp behind. Apparently this feature posed difficulties to CIA developers as the self-deletion can “be problematic due to the inability to accurately assess the reliability of the host’s system clock,” according to the Hive Developers Guide.