Up until this week, WikiLeaks’ “Vault 7” releases of files from a Central Intelligence Agency software development server have largely consisted of documentation for the various malware projects the CIA’s Engineering Development Group created to aid the agency’s mission. But on Friday afternoon, WikiLeaks began actually releasing portions of the CIA’s development library. And while the release contains no malware, it’s potentially the most damaging information released so far in that it could undermine ongoing CIA operations.
The release was of a repository of code for the CIA EDG’s obfuscation tools called Marble. The tools were used to conceal the signature of the implants developed by CIA from malware scans, to make it more difficult to reverse-engineer them if they were detected, and to figure out where the malware came from. University of California at Berkeley computer security researcher Nicholas Weaver told the Washington Post’s Ellen Nakashima, “This appears to be one of the most technically damaging leaks ever done by WikiLeaks, as it seems designed to directly disrupt ongoing CIA operations.”
There’s nothing particularly magical about the CIA’s tools, other than that they were developed and tested by a professional team and the code itself is extremely well-documented. Implant code for Windows systems was obfuscated with a tool called Marbler, a C++ application that obscures text strings and binary objects within implants in a number of ways. Those methods include “scrambling” binary content using a number of bit-shifting techniques, and inserting snippets of foreign languages(such as Chinese or Farsi) with a feature called “WARBL.”
The existence code itself is not that revelatory, since documentation of the techniques in the code were included in WikiLeaks’ large initial dump. And code obfuscation is a fundamental part of the malware author’s art of “anti-forensics”—making it difficult for an adversary to reverse-engineer what is going on with the code, and in turn to attribute where the nasty code came from. But using the code in this WikiLeaks release, developers could potentially create tools to search for existing CIA implants. It could also be used by malware developers to obfuscate their own code.