WikiLeaks has published a new batch of documents belonging to the Vault 7 leak, the last archive includes the documentation related to a tool dubbed Brutal Kangaroo used by the CIA for Microsoft Windows that targets air-gapped networks.
Air-gapped networks are separated from the Internet for security reasons and mainly implemented in high-security environments and critical infrastructures.
“Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” states Wikileaks.”Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.”
Wikileaks released the documentations for Brutal Kangaroo v1.2.1 version that is dated back 2012.
A previous version of Brutal Kangaroo was code-named EZCheese and according to the documentation, it was exploiting a vulnerability discovered in March 2015.
The Brutal Kangaroo tool suite is composed of the following components:
According to the documents, CIA agents can infiltrate a closed network within an organization or enterprise without direct access, anyway, the attack chain starts infecting an Internet-connected machine within the organization. When a user plugs a USB stick into the infected machine, the thumbdrive itself is infected with a separate malware called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version) that could propagate within the closed network every time users insert the USB stick in its computers.
“The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware.” continue Wikileaks.
When the malware spreads among the air-gapped networks, infected computers compose a covert network that is able to coordinate attackers’ activities and data exchange.
“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.
“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.
(Security Affairs – Wikileaks, Brutal Kangaroo)