CIA steals SSH credentials from Windows and Linux with BothanSpy and Gyrfalcon tools
The latest addition to WikiLeaks’ Vault 7 cache of CIA tools and documents gives details of tools used by the agency to attack Windows and Linux computers. The BothanSpy and Gyrfalcon projects can be used to intercept and exfiltrate SSH (Secure Shell) credentials.
BothanSpy targets Windows, while Gyrfalcon targets Linux, and the two work in different ways. Gyrfalcon can hit a number of popular distros, including CentOS, Debian, RedHat, openSUSE and Ubuntu. Both tools function as implants that steal credentials and hold them for exfiltration to the CIA, either directly to an agency-controlled server or via an encrypted file collected later.
The leaked documentation for the tools was updated as recently as March 2015. The file relating to BothanSpy notes that the target must have Xshell installed, since the implant itself installs as a Shellterm 3.x extension. There are smatterings of humor throughout the file, with a warning that: “It does not destroy the Death Star, nor does it detect traps laid by The Emperor to destroy Rebel fleets.” There is also the introductory quip: “Many Bothan spies will die to bring you this information, remember their sacrifice.”
Writing about the Windows tool, BothanSpy, WikiLeaks says:
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
The Linux tool is different, and the guide warns that anyone using it must “obtain a thorough understanding of the Linux/UNIX command line interface and shells such as bash, csh, and sh.” There is the additional note that: “Both the library and application must be installed with root privileges, however, they do not need root privilege to execute successfully on the Linux platform. Therefore, the operator must be confident with their understanding of Linux to use root privileges and not muck up the Linux platform’s configuration.”
About Gyrfalcon WikiLeaks says:
Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos, debian, rhel, suse, ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.
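The leaked notes say Gyrfalcon consists of a library and an application installed as root, but they do not describe how the library reaches the OpenSSH client, so there is no signature to write from the page itself. What a defender can do generically is audit what an ssh process has loaded. The script below is an added example written for this article, not code from the Vault 7 documents or from any real implant: it parses a /proc/<pid>/maps dump, flags every file-backed mapping that is neither the ssh binary nor under a distribution library directory (an assumed allowlist), flags mappings whose backing file was deleted after loading, and reports any entry in /etc/ld.so.preload, which would pull a library into every dynamically linked program including ssh. The sample maps and preload contents are constructed for the example. One caveat the page itself supports: the implant is installed by a rootkit, and a kernel-level rootkit can hide files and mappings from /proc, so a clean result from a check like this run on the suspect host is not proof of a clean host; run it from a trusted boot or against an offline image where that matters.

```python
"""Audit the shared objects loaded into an SSH client process.

Added example for this article; not code from the leaked documents. The
allowlist of library directories and the sample data are assumptions.
"""
from pathlib import Path

# Directories a stock distribution uses for shared libraries (assumption;
# extend for your own build of OpenSSH or distro layout).
DISTRO_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Constructed sample of /proc/<pid>/maps for an ssh process: the binary,
# two ordinary glibc/OpenSSL mappings, one library outside the distro
# directories, one mapping whose backing file was unlinked after loading,
# and two anonymous regions that carry no path at all.
SAMPLE_MAPS = """\
55d1c8a00000-55d1c8b2f000 r-xp 00000000 fd:01 1049  /usr/bin/ssh
7f3b2e000000-7f3b2e1c3000 r-xp 00000000 fd:01 2201  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b2e400000-7f3b2e6a0000 r-xp 00000000 fd:01 2319  /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3b2e800000-7f3b2e803000 r-xp 00000000 fd:01 4117  /usr/local/lib/libnss_cache.so
7f3b2ec00000-7f3b2ec05000 r-xp 00000000 fd:01 5120  /tmp/.x/libhelper.so (deleted)
7f3b2ea00000-7f3b2ea21000 rw-p 00000000 00:00 0     [heap]
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0     [stack]
"""

# Constructed /etc/ld.so.preload; an absent or empty file is the normal state.
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libnss_cache.so\n"


def mapped_files(maps_text):
    """Return the sorted set of file-backed paths in a /proc/<pid>/maps dump.

    A maps line is: address perms offset dev inode [path]. Splitting on at
    most five whitespace runs keeps a path containing spaces (such as the
    ' (deleted)' suffix) intact. Anonymous regions and [heap]/[stack] are
    skipped.
    """
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # no backing file
        path = parts[5].strip()
        if path.startswith("/"):
            paths.add(path)
    return sorted(paths)


def unexpected_libraries(maps_text, exe_path, lib_dirs=DISTRO_LIB_DIRS):
    """Mapped files that are not the executable and not under a distro lib dir.

    A mapping whose file was deleted after loading is always reported: a
    library that unlinks itself once it is in memory has no legitimate
    reason to be inside an SSH client.
    """
    flagged = []
    for path in mapped_files(maps_text):
        if path.endswith(" (deleted)"):
            flagged.append(path)
        elif path != exe_path and not path.startswith(lib_dirs):
            flagged.append(path)
    return flagged


def preload_entries(preload_text):
    """Non-empty, non-comment lines of /etc/ld.so.preload."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit(maps_text, preload_text, exe_path="/usr/bin/ssh"):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"unexpected mapping in {exe_path}: {p}"
                for p in unexpected_libraries(maps_text, exe_path)]
    findings += [f"global preload entry: {p}" for p in preload_entries(preload_text)]
    return findings


def audit_live(pid, preload_path="/etc/ld.so.preload"):
    """Run the audit against a real process (Linux; needs read access to /proc)."""
    maps_text = Path(f"/proc/{pid}/maps").read_text()
    exe_path = str(Path(f"/proc/{pid}/exe").resolve())
    preload = Path(preload_path)
    preload_text = preload.read_text() if preload.exists() else ""
    return audit(maps_text, preload_text, exe_path)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAPS, SAMPLE_PRELOAD):
        print(finding)
```

Against the constructed sample the audit reports the /usr/local library, the deleted /tmp library and the preload entry, and nothing for glibc, OpenSSL or the ssh binary itself. On a real host, pair it with the package manager's file verification (rpm -V openssh-clients, or debsums for the openssh-client package) so that a replaced ssh binary, which this check does not look at, is caught as well.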