WikiLeaks Vault 7

WikiLeaks today published the documentation of two CIA hacking tools codenamed BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux systems, respectively.

Both tools are "implants," a term the CIA uses to describe malware payloads. Once installed through various means on a target's computer, these two implants hook into SSH-related processes and steal credentials or session traffic, where possible.

BothanSpy targets Windows

The first, BothanSpy, was designed for Windows computers. According to a 12-page manual dated March 2015, the malware hooks into the process of Xshell, a Windows SSH client.

BothanSpy will use this access to steal user credentials for all active SSH sessions. This data can be sent right away to a remote server, or stored on disk in an encrypted file.

Gyrfalcon targets Linux

The second, Gyrfalcon, is an implant for Linux systems. According to a 27-page manual dated November 2013, this malware can target distros such as RHEL, Ubuntu, SUSE, Debian, and CentOS.

Gyrfalcon works by targeting the OpenSSH client, from which it can extract user credentials for active SSH sessions as well as full or partial OpenSSH session traffic. The stolen data is saved locally in an encrypted file and exfiltrated at a later date.

CIA operatives need root privileges to install Gyrfalcon, but the tool itself can operate from a regular user account.
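Both implants are described only as hooking into the SSH client process; the manuals summarized here do not say how that hooking is done. On Linux, one of the ordinary ways to hook a userland process is to load a foreign shared object into it (via LD_PRELOAD or another injection route), and that leaves traces in /proc. The script below is an added hunting example written for this article, not code from the leaked manuals or from the CIA; it assumes that kind of library injection and checks running ssh clients for executable mappings from outside the system library paths, for writable+executable anonymous mappings, and for an LD_PRELOAD in the process environment. The sample maps and environ data are constructed for the demonstration.

```python
"""Hunt for userland hooking of OpenSSH client processes on Linux.

Added example (not from the Vault 7 documents). It assumes the implant
hooks ssh by loading code into the process; an implant that works another
way (e.g. a trojanized ssh binary) needs a different check, such as
package integrity verification.
"""
import os
import re

# Where a stock OpenSSH client is expected to load code from. Executable
# mappings backed by files elsewhere are worth a closer look.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/lib64", "/lib", "/lib64",
                    "/usr/bin", "/bin", "/usr/libexec")

# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")

# Constructed sample of a hooked ssh process: a library loaded from /tmp
# and an anonymous rwx region alongside the legitimate mappings.
SAMPLE_MAPS = """\
55d1a2c00000-55d1a2d40000 r-xp 00000000 fd:01 1311 /usr/bin/ssh
7f3c1e000000-7f3c1e1b0000 r-xp 00000000 fd:01 2202 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1e400000-7f3c1e406000 r-xp 00000000 fd:01 9931 /tmp/.cache/libhook.so
7f3c1e600000-7f3c1e601000 rwxp 00000000 00:00 0
7ffd2b000000-7ffd2b002000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed sample /proc/<pid>/environ blob (NUL-separated entries).
SAMPLE_ENVIRON = b"HOME=/home/ops\0LD_PRELOAD=/tmp/.cache/libhook.so\0TERM=xterm\0"


def suspicious_mappings(maps_text):
    """Return [(path, reason)] for executable mappings that look injected."""
    findings, seen = [], set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        if "x" not in perms or path.startswith("["):
            continue  # not code, or a kernel pseudo-mapping like [vdso]
        if path in seen:
            continue
        seen.add(path)
        if not path:
            # Anonymous executable memory that is also writable is typical
            # of injected code; read-only anonymous code is rarer but legal.
            if "w" in perms:
                findings.append(("<anonymous>", "anonymous writable+executable mapping"))
        elif path.endswith(" (deleted)"):
            findings.append((path, "executable mapping backed by a deleted file"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, "code loaded from outside system library paths"))
    return findings


def preload_from_environ(environ_bytes):
    """Return the LD_PRELOAD value from a /proc/<pid>/environ blob, or None."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def scan_live(comm_names=("ssh",)):
    """Apply both checks to running ssh clients. Linux only; returns {pid: info}.

    Reading another user's maps/environ needs root (or the same uid), so run
    as root for a host-wide sweep. Returns {} where /proc is absent.
    """
    results = {}
    if not os.path.isdir("/proc"):
        return results
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() not in comm_names:
                    continue
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = f.read()
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        hits, preload = suspicious_mappings(maps), preload_from_environ(env)
        if hits or preload:
            results[int(pid)] = {"maps": hits, "ld_preload": preload}
    return results


if __name__ == "__main__":
    print("sample:", suspicious_mappings(SAMPLE_MAPS), preload_from_environ(SAMPLE_ENVIRON))
    for pid, info in scan_live().items():
        print(pid, info)
```

The trusted-prefix list is deliberately narrow; on a host where ssh legitimately loads modules from elsewhere (PKCS#11 providers, a custom prefix under /opt), extend TRUSTED_PREFIXES rather than ignoring the alert. A clean maps listing does not prove the client is untouched: the root access the manual says is needed for installation is enough to replace the ssh binary itself, so pair this with package verification (rpm -V openssh-clients or debsums) on the hosts you care about.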

Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. Below is a list of the most notable WikiLeaks "Vault 7" dumps:

Weeping Angel - tool to hack Samsung smart TVs
Fine Dining - a collection of fake, malware-laced apps
Grasshopper - a builder for Windows malware
DarkSeaSkies - tools for hacking iPhones and Macs
Scribble - beaconing system for Office documents
Archimedes - a tool for performing MitM attacks
AfterMidnight and Assassin - malware frameworks for Windows
Athena - a malware framework co-developed with a US company
Pandemic - a tool for replacing legitimate files with malware
CherryBlossom - a tool for hacking SOHO WiFi routers
Brutal Kangaroo - a tool for hacking air-gapped networks
ELSA - malware for geo-tracking Windows users
OutlawCountry - CIA tool for hacking Linux systems
