Short Bytes: The non-profit whistleblower Wikileaks has published 6 new documents disclosing information about Hive, a back-end infrastructure used to manage CIA implants. It is used to transfer data collected by implants to CIA and ask the implant to run specified commands. A public HTTPS interface is used to hide Hive in plain site.

A

nother Friday passed on April 14 and Wikileaks dropped another stack of Vault 7 documents in the wild. CIA is really pissed off at Wikileaks by now and it’s clear from CIA director’s mindset . The latest leak includes 6 new documents revealing a CIA project called Hive

Before you read further, you might want to go take a refresher of the Vault 7 stories happened till now:

Link to Longhorn

Grasshopper Framework

Marble Framework

Dark Matter

Hive is basically a back-end infrastructure designed by CIA to keep an eye on their malware implants out there in the wild. According to Wikileaks, it’s used by “CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute tasks on targets.”

A surprising thing about the Hive malware control system is that it purports to have an HTTPS interface, taking advantage of “unsuspicious-looking cover domains to hide its presence.”

The user guide included in the documents describes two primary Hive functions as “beacon” and “interactive shell”. It further says that the functions, “limited in features”, behave like a launchpad for other “full featured tools.”

Hive provides implants for various CPU architectures and operating systems, including Windows (XP, Server 2000/2003), Linux x86, Solaris, Mikrotik, etc.

The release of the documents related to Hive also facilitates the missing string to a recent finding by Symantec researchers. Although, not naming directly, they were able to link 40 cyber attacks conducted by Longhorn to CIA after analyzing the Vault 7 documents.

They indicated the possibility of a “nation-state attacker” behind such attacks, considering the type of organizations targeted. Now, according to Wikileaks, the back-end infrastructure described in Hive documents resembles the one mentioned by Symantec researchers in their blog post.

If you have something to add, drop your thoughts and feedback.