How the CIA infects air-gapped networks

Enlarge / A configuration screen found in the Drifting Deadline exploit. (credit: WikiLeaks)

Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected.

More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren't connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows.

The infected USB drives were at least sometimes able to infect computers even when users didn't open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked anytime a malicious file icon was displayed by the Windows explorer. A later exploit known as Lachesis used the Windows autorun feature to infect computers running Windows 7. Lachesis didn't require Explorer to display any icons, but the drive of the drive letter the thrumbdrive was mounted on had to be included in a malicious link. The RiverJack exploit, meanwhile, used the Windows library-ms function to infect computers running Windows 7, 8, and 8.1. Riverjack worked only when a library junction was viewed in Explorer.

Read 4 remaining paragraphs | Comments

Meet USBee, the malware that uses USB drives to covertly jump airgaps

Enlarge / Illustration of USBee, in which an ordinary, unmodified USB drive (A) transmits information to a nearby receiver (B) through electromagnetic waves emitted from the drive data bus. (credit: Guri et al.)

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs.

The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers from Israel's Ben-Gurion University wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [radio frequency] transmitting hardware since it uses the USB's internal data bus."

Read 7 remaining paragraphs | Comments