WikiLeaks, under its new Vault 8 series of released documents, has rolled out what it says is the source code to a previously noted CIA tool, called Hive, that is used to help hide espionage actions when the Agency implants malware.
Hive supposedly allows the CIA to covertly communicate with its software by making it hard or impossible to trace the malware back to the spy organisation by utilising a cover domain. Part of this, WikiLeaks said, is using fake digital certificates that impersonate other legitimate web groups, including Kaspersky Labs.
Kaspersky Labs CEO Eugene Kaspersky confirmed WikiLeaks statement.
WikiLeaks said the CIA registers a nondescript cover domain for each of its operations and runs these domains from a rented commercial server as a VPS that is modified with CIA code.
“These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a "hidden" CIA server called 'Blot',” WikiLeaks said in a statement.
The CIA's cover is maintained by having the domain delivering innocent content in case someone stumbles across the site. This is handled by having the server use Optional Client Authentication. This means a bystander who comes to the domain does not have to authenticate, but if the CIA's malware does authenticate itself and thus be detected by the Blot server. All other traffic is shunted to a cover server that delivers benign content.
WikiLeaks alleges that as part of the CIA's obfuscation methodology it uses faked digital certificates that are created by impersonating legitimate organisations
“In this way, if the target organisation looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” the group wrote.