Naked Security

Latest WikiLeaks dump shows CIA targeting Apple earlier than others

As a reporter covering security a decade ago, most of the focus was on the latest Windows threats. That’s where all the serious attacks were happening.

As Apple rolled out each new product, particularly the iPhone in 2007, I waded into the age-old debate over who was more secure: Apple or Microsoft.

The experts would tell me much the same thing as they do now: that Macs are targeted less frequently because Windows has the greater market share, not necessarily because it’s more secure. Nevertheless, cases of Apple-oriented malware were few and far between, written about in theoretical terms and not as a clear and present danger until the last couple years.

Looking at the latest avalanche of documents stolen from the CIA and made public by WikiLeaks, we now see that the CIA was targeting Apple devices well ahead of everyone else. And those involved were quite nerdy about it, showing off their sci-fi fan credentials by naming projects after such items as the Doctor’s trusty Sonic Screwdriver.

The latest leak

The latest document dump shows the agency has been creating tools to bypass devices from Apple for at least a decade.

This release is called “Dark Matter” and is the second from an archive known as “Vault7” – from which the first leak was posted by WikiLeaks earlier this month. After the first dump was posted, detailing attacks that would require physical access to devices, vendors pointed out that many of the exploits detailed in the documents had since been patched.

Earlier this week, WikiLeaks offered to work with technology companies including Apple, Google and Microsoft to help them patch the vulnerabilities detailed in the CIA documents in return for a list of demands.

Apple responded with this less-than-friendly reply:

Night Skies and Sonic Screwdrivers

As we delve into the details, let’s begin with the Dark Matter homepage. There, WikiLeaks describes the latest release this way:

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter,” which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Here’s a breakdown of the tools documented and their purpose:

Sonic Screwdriver: Fans of Doctor Who know that the Sonic Screwdriver is the Doctor’s trusty device for analysis and defense. In the CIA’s world, it’s a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting,” allowing attackers to “boot its attack software even when a firmware password is enabled”. The CIA’s Sonic Screwdriver infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter. The documentation for this was released internally at CIA headquarters November 29 2012.

DarkSeaSkies: This is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, plus EFI, kernel-space and user-space implants. Internal documents show a January 26 2009 release date.

NightSkies: In a December 2008 document describing the NightSkies malware for an iPhone 3G running iOS 2.1, the CIA explains that once exploited, it granted the agency complete control over an infected device. One passage notes: “The tool operates in the background providing upload, download and execution capability on the device. NS is installed via physical access to the device and will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP [listening post] to retrieve tasking, execute the instructions, and reply with the responses in one session.”

SeaPea: This document, last updated in November 2008, shows that while NightSkies ran on Mac OS X 10.5.2 and higher, a rootkit named SeaPea was running on Mac OS X Tiger 10.4, launched 12 years ago.

Mac security expert Pedro Vilaca, who specializes in reverse engineering and rootkits, told Forbes that the leaked documents show the CIA as an early adopter of Mac hacking. “They have a good interest in Mac targets, which makes sense since many high-value targets love to use Macs.”

Is there a silver lining in these leaks?

Since WikiLeaks began leaking stolen documents several years ago, many in the security industry have warned that the releases were a threat to national security. But since the leaks have happened and there’s no turning back, the question is if any good can come of this.

It’s a question we asked security experts after the first Vault7 leak a few weeks ago. Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said at the time that he was conflicted on that question.

As an example he brought up the case of Chelsea Manning, a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents:

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US intelligence community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

That’s why Naked Security will continue to cover the leaks here.