As you may know, WikiLeaks has been releasing sensitive documentation associated with the CIA’s hacking tools as part of its Vault 7 series. This time round, the whistleblowing website made public documentation related to two hacking tools called OutlawCountry and Elsa.
OutlawCountry is a tool that allows the CIA to hack into Linux-based systems and perform cyberespionage on the victims. According to the leaked documents, it essentially lets the agency secretly monitor the activities of the victim by manipulating network traffic.
RELEASE: #CIA 'Outlaw Country' covert kernel module for #Linux https://t.co/RnNjT8EutT #RHAT #redhat #vault7 pic.twitter.com/trdhc4VbJ2
— WikiLeaks (@wikileaks) June 29, 2017
How does it work?
The tool works by injecting a kernel module into the target system through shell access and then creating a Netfilter table that contains rules. The table is created using the iptables command, and its rules can only be seen if the administrator of the affected device knows the table name.
However, since the table name is hidden, the victim’s administrator has no way of knowing it. Furthermore, the CIA uses the usual backdoor exploits to get the tool onto the system.
Once installed, the tool simply redirects outbound network traffic to CIA’s computers and allows the CIA operator to extract and perform analysis on the data.
The released documentation also reveals certain limitations of the tool. Primarily, OutlawCountry’s kernel modules only work with compatible Linux kernels. These are usually the default kernels, since the tool works with the module for 64-bit CentOS/RHEL 6.x.
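For administrators who want to check a host for a table they were never told about, the sketch below is an added example, not taken from the leaked documentation. It assumes the extra table is registered with Netfilter in the normal way and so shows up in /proc/net/ip_tables_names; the name "example_tbl" and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the leaked documentation): list Netfilter tables
# that fall outside the stock iptables set.

# Tables a stock iptables setup can register.
KNOWN_TABLES="filter nat mangle raw security"

# unexpected_tables [FILE]
# FILE uses the format of /proc/net/ip_tables_names (one table name per line).
# Prints each name that is not in KNOWN_TABLES; returns 2 if FILE is unreadable.
unexpected_tables() {
    src="${1:-/proc/net/ip_tables_names}"
    [ -r "$src" ] || { echo "cannot read $src (need root?)" >&2; return 2; }
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        case " $KNOWN_TABLES " in
            *" $name "*) ;;                  # stock table, ignore
            *) printf '%s\n' "$name" ;;      # anything else needs review
        esac
    done < "$src"
}

# dump_rules NAME...
# Once a table name is known, its rules are visible the normal way.
dump_rules() {
    for t in "$@"; do
        echo "== rules in table '$t' =="
        iptables -t "$t" -S
    done
}

# Constructed sample standing in for /proc/net/ip_tables_names on a host
# where an extra table has been registered; "example_tbl" is a placeholder.
sample=$(mktemp)
printf 'nat\nexample_tbl\nfilter\nmangle\n' > "$sample"
found=$(unexpected_tables "$sample")
rm -f "$sample"
echo "unexpected tables in sample: $found"

# On a live host (as root): dump_rules $(unexpected_tables)
```

A kernel module has enough privilege to alter what /proc reports, so an empty result is a first-pass check rather than proof that no extra table exists.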
Details of ELSA were released last week, revealing that the tool could track down a person’s exact geolocation from a Windows PC using nearby public Wi-Fi hotspots, even if the system is not connected to them.
RELEASE: CIA 'ELSA' malware can geolocate your Windows laptop or desktop by listening to surrounding WiFi signals https://t.co/XjyyXIqXAz pic.twitter.com/WCw6dgF9ql
— WikiLeaks (@wikileaks) June 28, 2017
The documents show that ELSA works by first getting into the system through certain exploits and then scanning with the infected computer’s Wi-Fi hardware to see if there are any Wi-Fi hotspots nearby, recording each one’s MAC address and signal strength.
It then stores the information in an encrypted form. The CIA operator can then download these files using further exploits and decrypt them for further analysis.
Essentially, once the CIA operator has the data, he/she can run a quick search on Google’s database using back-end software to see all the locations of Wi-Fi hotspots and match the hotspot extracted from the data to filter out its exact address.
As such, the CIA can know your exact location even if you are not connected to the internet per se.