WikiLeaks has released a new batch of documents from the Vault 7 leak that details a CIA tool, dubbed OutlawCountry, used by the agency to remotely spy on computers running Linux operating systems.

According to the documentation leaked by WikiLeaks, the OutlawCountry tool was designed to redirect all outbound network traffic on the targeted computer to CIA controlled systems for exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.

The principal limitation of the tool is that the kernel modules only work with compatible Linux kernel below the list of prerequisites included in the documentation:

(S//NF) The target must be running a compatible 64-bit version of CentOS/RHEL 6.x

(kernel version 2.6.32).

(kernel version 2.6.32). (S//NF) The Operator must have shell access to the target.

(S//NF) The target must have a “nat” netfilter table

The module allows the creation of a hidden Netfilter table with an obscure name on a target Linux user.

” The OutlawCountry tool consists of a kernel module for Linux 2.6. The Operator loads the module via shell access to the target. When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known.” reads the OutlawCountry User Manual. “When the Operator removes the kernel module, the new table is also removed.”

In the following diagram, the CIA operator loads OutlawCountry on the target (TARG_1), then he may add hidden iptables rules to modify network traffic between the WEST and EAST networks. For example, packets that should be routed from WEST_2 to EAST_3 may be redirected to EAST_4.