On Thursday, March 23rd, WikiLeaks released the second part of its Vault 7 series of leaks from the CIA. The new leaks were released under the name “Dark Matter”. The Dark Matter leaks contain information on how the CIA targets and hacks the firmware of Apple’s Mac computers and OS X. Leaks from the first Vault 7 release showed how the CIA targets and exploits Apple’s iPhone and other devices which run iOS, and the Dark Matter release contains additional information on how the CIA is hacking Apple’s mobile hardware and software.
The new leaks expose how the CIA’s Embedded Development Branch has developed ways to infect the firmware on Macs and iPhones infecting a device’s EFI/UEFI firmware with malware. Since at least 2008, the agency has been infecting the supply chain of iPhones of people they are targeting. The NSA conducts a similar program through its Tailored Access Operations (TAO) unit to intercept and install backdoors in routers, servers, and other networking equipment. The infected devices are then repackaged the devices and have the factory seal replaced.
The name of this series of leaks refers to DarkMatter, which along with SeaPea and NightSkies make up a series of EFI/UEFI firmware malware which is known as DarkSeaSkies. Once the CIA has physical access to a device they can implant these malware. The DarkMatter firmware hack enables the CIA to gain “persistence” on Apple’s devices, so that even if the operating system is reinstalled, the device will remain infected and compromised. The CIA’s NightSkies malware acts as a beacon, allowing the agency to both monitor activity and execute commands and programs on the infected device. The agency’s SeaPea malware is a kernel-space implant designed to keep all files, processes, and network events hidden from the user, and to launch NightSkies upon booting the device.
Another malware exposed in WikiLeaks’ Dark Matter release is Sonic Screwdriver. This malware is implanted through the use of a Thunderbolt to Ethernet adaptor which had its firmware infected by the malware.
Sonic Screwdriver remains effective even on Macs that have a firmware password. Sonic Screwdriver scans all media devices for a specific volume name, and if it finds the volume name it was looking for, it executes a UEFI boot of that device. The firmware of the Mac would then be infected with other malware, such as Triton or Der Starke. According to the Triton user guide, the malware can be used to execute tasks, and allows the CIA to access files and folders on the infected device. Der Starke is a much more powerful version of Triton. Der Starke is a diskless and persistent firmware malware, and it extracts data from the infected device through a browser process, which enables the malware to evade detection through programs like Little Snitch.
Apple, in a statement released to the press, claims to have addressed the vulnerabilities the CIA’s malware exploits in their devices years ago. Apple also refused to cooperate with WikiLeaks under the conditions they have demanded manufacturers agree to in order for them to be provided with the CIA’s malware. “We have preliminarily assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013. We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users,” Apple said in their statement.
WikiLeaks has also begun to compile a list of companies, products, and tools which are hacking targets of the CIA. Companies which WikiLeaks have confirmed to be hacking targets of the CIA include Apple, ASUS, Avira, CABLEVISION, Cisco, DLP, ESET, F-Secure, HTC, Huawei, Macronix, Microsoft, Nokia, Samsung, Siemens, Sony, and others. The list also includes tools which have been determined not to be targeted.