WikiLeaks’ latest publication details the workings of a man-in-the-middle (MitM) hacking tool named Archimedes.
Archimedes is allegedly another CIA creation built specifically to target computers sharing a local network.
The latest WikiLeaks release has been termed lackluster by many who are used to highly controversial leaks from the whistleblowing organization.
However, Archimedes has still received a lot of attention, particularly from people familiar with its previous version, dubbed Fulcrum.
This release marks the seventh publication from Wikileaks’ “Vault 7” cache of data.
The CIA’s Archimedes is a hacking tool built to target computers sharing a Local Area Network (LAN).
The leak reveals it is actually an updated version of Fulcrum that comes with several improvements, including a smoother way to shut it down on demand.
The change log of the hacking tool also indicates that the new version is compatible with a new iFrame-based HTTP injection method as well.
According to the leaked documents, the Archimedes hacking tool allows an attacker (in this case the CIA) to covertly redirect the LAN traffic of a specific target through an attacker-controlled computer, where it is laced with malware before finally being passed on to the gateway, in what is a very well-orchestrated MitM attack.
Meanwhile, the target computer’s browser continues to display what appears to be a normal browsing session even while the traffic is redirected to an exploitation server.
This allows the attacker to fully compromise all the other computers that are connected to the Local Area Network (LAN).
A user guide released in December 2012 details the whole process using language that’s a lot more formal than what was used to describe the capabilities of Archimedes’ predecessor hacking tool, Fulcrum.
Since the Archimedes hacking tool allows attackers to redirect LAN computer traffic to malware-laced websites without visibly changing the webpages viewed in the target’s browser, it takes some examination of the page’s source to detect the malware.
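As an added illustration of the LAN-side detection Williams alludes to (example code written for this page, not anything from the leaked documents or from Ettercap): a MitM that inserts an attacker machine between a target and the gateway, as described above, relies on the target's neighbour (ARP) table mapping the gateway's IP to a MAC other than the real one, so inconsistencies in that table are something a defender can check. The sample `ip neigh` output and the baseline gateway binding below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in `ip neigh` output format; not captured from any real network.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.99 dev eth0 FAILED
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.37 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
"""

# Assumed known-good binding recorded while the network was healthy (constructed).
BASELINE = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Only complete entries carry an lladdr; FAILED/INCOMPLETE lines do not match.
LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$")


def parse_neigh(text):
    """Return (ip, mac) pairs from ip-neigh style lines, skipping incomplete entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries


def find_anomalies(entries, baseline):
    """Flag one IP bound to several MACs, one MAC claiming several IPs, and baseline drift.

    Returns a list of (kind, subject, details) tuples. An IP with two MACs, especially
    the gateway IP, is the strongest signal; one MAC answering for many IPs is weaker
    (multi-homed hosts do this legitimately) and is reported for triage, not alerting.
    """
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for ip, mac in entries:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    findings = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append(("ip-multiple-macs", ip, sorted(macs)))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append(("mac-multiple-ips", mac, sorted(ips)))
    for ip, known in baseline.items():
        seen = ip_to_macs.get(ip, set())
        if seen and seen != {known}:
            findings.append(("baseline-drift", ip, sorted(seen - {known})))
    return findings
```

On a live host the same check runs over the output of `ip neigh` (or `arp -a`, with a matching regex) on a schedule, and a baseline-drift finding on the gateway IP is the one worth paging on.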
Nothing to Write Home About
Archimedes is a bizarrely plain hacking tool for something that was allegedly used by the CIA.
It mimics the dozens of other options available on the internet for download and as such, there is nothing quite special about it, according to many experts.
Jake Williams, founder of Rendition Infosec, attributes its simplicity to the fact that the hacking tool was in fact not created by the CIA; it looks to be a repackaged version of the open source MitM toolkit Ettercap.
Its less-than-enthusiastic reception notwithstanding, WikiLeaks’ latest release could have significance, particularly to potential CIA targets who could be affected by the hacking tool in the near future.
According to Williams, the leaked information could be used to detect an infiltration by the Archimedes hacking tool on computers connected via LAN.
WikiLeaks’ Previous Releases
One of the reasons why the Archimedes dump was not received with the expected amount of vigor is because it came shortly after the release of source code for Scribbles, a more “interesting” CIA tool designed to leave web beacons inside some confidential documents, thereby making it possible to track any inside spies and whistleblowers who got access to said documents.
Previously dumped batches from the WikiLeaks Vault 7 series include: a cache of CIA hacking exploits dubbed “Year Zero,” a smart TV spying tool that covertly activates microphones (called “Weeping Angel”), source code to the CIA’s malware packaging resource “Marble,” the framework for “Grasshopper” which was used by the CIA to create custom malware that could bypass Windows’ security systems, and a cache of documents that detailed the CIA’s iPhone and Mac hacking exploits called “Dark Matter.”
Archimedes and Fulcrum Are Not Malware
WikiLeaks’ release clarified that Archimedes, just like Fulcrum, cannot be categorized as a worm.
Despite their infiltrative natures, the hacking tools are not designed to explicitly attack programs and crash operating systems like a typical self-replicating “worm” malware would.
The WikiLeaks release also featured a user guide for the previous version of the hacking tool that was dated December 2011.
In comparison to the guide for the latest hacking tool, the language in Fulcrum’s user manual is noticeably more casual as it details the steps for configuring data and packaging applications with the hacking tool.