The two hacks can extract credentials from a system

Jul 7, 2017 09:01 GMT

WikiLeaks has published new documents revealing CIA’s hacking tools, this time aimed at Windows and Linux SSH clients.

Specifically, the leaked papers reveal that the agency turned to software called BothanSpy and Gyrfalcon to steal user credentials for active SSH sessions, with both Windows and Linux said to be targeted.

First is BothanSpy, which WikiLeaks says has been aimed at Xshell, a popular SSH client for Windows. This hack allowed the CIA to steal usernames and passwords from password-authenticated SSH sessions, and, in the case of public key authentication, the username, the filename of the private SSH key and the key password.

“BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine,” WikiLeaks says.

Linux systems also attacked, but only after prior infection

In the case of Gyrfalcon, the hacking tool was aimed at the OpenSSH client for Linux, with all popular distributions said to be affected, including Ubuntu and SUSE. Once again, user credentials can be stolen, and WikiLeaks claims that other data can also be collected before being placed in an encrypted file for later transmission to the CIA.

“The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine,” today’s leak reveals.

In other words, CIA agents can use Gyrfalcon only after compromising the Linux system with the rootkit, though previous leaks have also shown that the agency has several other hacking tools that could be used to break into a computer.