Vault 7 Leak: CIA Collected Biometric Data from Partner Agencies

New Vault 7 Documents by WikiLeaks Show How CIA Collected Biometric Data from Partner Agencies.

The latest batch of Vault 7 files, the name WikiLeaks uses for the confidential documents belonging to the United States Central Intelligence Agency (CIA), has been released publicly by WikiLeaks.

The files, published on Thursday, are dated 2009 and once again show how the CIA ran espionage campaigns against its targets, which in this case included other intelligence agencies.

The documents show how the CIA spied on other intelligence agencies using a program dubbed ExpressLane. It is worth noting that the software was designed to run on Windows XP based systems; it is still unclear whether the tool is in use today and, if so, what changes have been made to its functionality.

The leaked documents are marked “Secret” and expose the CIA’s methodology. They reveal that two divisions of the CIA’s Directorate of Science and Technology, the Office of Technical Services (OTS) and the Identity Intelligence Center (I2C), were involved in the covert collection of biometric data. ExpressLane discreetly copied data held by the biometric software and could disable that software if the targeted agency did not grant the CIA continued access.

The tool was developed so that the CIA could obtain information that its partner organizations were withholding, without ever asking for it. ExpressLane is able to access biometric data and copy it for the agency while posing as a software update. The CIA handed the program to its technicians (referred to as agents); the “update” made no changes to the biometric program at all and simply acted as a siphon that delivered the required data to the CIA.

ExpressLane was able to secretly collect data from intelligence organizations primarily because the targets use a biometric collection system provided by the OTS. Likely targets would include the FBI (Federal Bureau of Investigation), DHS (Department of Homeland Security) and NSA (National Security Agency), along with various liaison services across the globe. However, this is speculation, as none of the targets that ExpressLane spied upon are named in the released documents. What is confirmed is that ExpressLane collected biometric data from the partner agencies it targeted.

According to the leaked documents, an OTS agent installed ExpressLane on the targeted system from a USB device, claiming to be carrying out a system upgrade. The software displayed a fake update screen for a duration chosen by the agent. In the background, the biometric data was compressed, encrypted and copied to the agent’s USB drive. The collected data was later extracted at CIA headquarters using the ExitRamp utility.

ExpressLane also allowed the CIA to ensure that the biometric software would be disabled after a certain number of days through a Kill Date setting, configured when the tool is installed. The Kill Date specifies the date on which the software stops functioning; usually this was six months from the date of installation.

If the agent does not return with the USB drive within those six months (or whatever duration was set), the biometric software’s license expires. However, if ExpressLane is run on the computer again, the Kill Date is extended. The purpose is to ensure that the CIA keeps getting the data it needs.
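To make the leverage behind the Kill Date concrete, here is a small model of that mechanism. This is an added illustration, not code from the leaked documents; it assumes the licence state is a simple record holding an install date and a kill date, models “six months” as 180 days, and assumes that each run of the collector pushes the kill date forward by the same interval from the day it is run. All of those details are assumptions, as the article only states that the date is set at install time and extended when ExpressLane runs.

```python
"""Model of the ExpressLane "Kill Date" licence mechanism (added illustration).

Assumptions (not stated in the leaked documents):
  - licence state is a dict with an install date, a kill date and a run counter
  - the default interval is 180 days, standing in for "six months"
  - every collector run extends the kill date by the interval from the run date
"""
from datetime import date, timedelta

DEFAULT_KILL_INTERVAL_DAYS = 180  # assumption: "six months" modelled as 180 days


def install(install_day: date, interval_days: int = DEFAULT_KILL_INTERVAL_DAYS) -> dict:
    """Licence state written when the tool is installed: kill date is set immediately."""
    return {
        "installed": install_day.isoformat(),
        "kill_date": (install_day + timedelta(days=interval_days)).isoformat(),
        "runs": 0,
    }


def is_disabled(state: dict, today: date) -> bool:
    """The biometric software stops working on or after the kill date."""
    return today >= date.fromisoformat(state["kill_date"])


def collector_run(state: dict, run_day: date,
                  interval_days: int = DEFAULT_KILL_INTERVAL_DAYS) -> dict:
    """The agent returns and runs the collector: the kill date is pushed out again."""
    new_state = dict(state)
    new_state["kill_date"] = (run_day + timedelta(days=interval_days)).isoformat()
    new_state["runs"] = state["runs"] + 1
    return new_state


def days_remaining(state: dict, today: date) -> int:
    """Days until the partner's biometric software is cut off (negative once expired)."""
    return (date.fromisoformat(state["kill_date"]) - today).days


def simulate(install_day: date, run_days: list, check_day: date) -> dict:
    """Replay a sequence of collector visits and report the status on check_day.

    Visits are only applied if they happen before check_day; visits after the
    software has already expired are ignored, since the article does not say
    that a late run revives it (assumption).
    """
    state = install(install_day)
    for run_day in sorted(run_days):
        if run_day > check_day:
            break
        if is_disabled(state, run_day):
            continue
        state = collector_run(state, run_day)
    return {
        "disabled": is_disabled(state, check_day),
        "kill_date": state["kill_date"],
        "runs_applied": state["runs"],
        "days_remaining": days_remaining(state, check_day),
    }


if __name__ == "__main__":
    installed = date(2009, 1, 1)  # constructed example date
    # Agent never comes back: partner loses the software after 180 days.
    print(simulate(installed, [], date(2009, 7, 1)))
    # Agent returns on 1 May with the collector: the clock restarts.
    print(simulate(installed, [date(2009, 5, 1)], date(2009, 7, 1)))
```

The point the model makes is that the partner agency's continued use of the biometric system depends entirely on the collector being run again before the deadline, which is exactly the pressure the Kill Date is meant to create.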

WikiLeaks stated that the Florida based company Cross Match manufactured the core components of the biometric system. Cross Match is known for providing the field devices that helped identify al-Qaeda leader Osama bin Laden, and it is a key supplier of biometric software to intelligence and law enforcement agencies.

Vault 7 documents previously leaked by Wikileaks:

BothanSpy and Gyrfalcon: Steals SSH credentials from Linux & Windows devices
OutlawCountry and Elsa: Malware targeting Linux devices and tracking user geolocation
Brutal Kangaroo: CIA hacking tools for hacking air-gapped PCs
CherryBlossom & CherryBomb: Infecting WiFi routers for years
Pandemic: A malware hacking Windows devices
AfterMidnight and Assassin: CIA remote control & subversion malware hacking Windows
Dark Matter: CIA hacking tool infiltrating iPhones and MacBooks
Athena: A malware targeting Windows operating system
Archimedes: A program helping CIA to hack computers inside a Local Area Network
HIVE: CIA implants to transfer exfiltrated information from target machines
Grasshopper: Malware payloads for Microsoft Windows operating systems
Marble: A framework used to hamper antivirus companies from attributing malware
Dark Matter: A CIA project that infects Apple Mac firmware
Highrise: Android malware that spies on SMS messages
Aeris, Achilles, SeaPea: Three malware families developed by the CIA targeting Linux and macOS
Dumbo Project: CIA’s project hijacking webcams and microphones on Windows devices
CouchPotato Tool: Remotely Collects Video Streams from Windows devices

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.