“An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.” reads the CherryBlossom — Users Manual (CDRL-12).

“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection,” WikiLeaks says.

The CherryBlossom is composed of four main components:

CIA cyber spies use Cherry Blossom framework to compromise wireless networking devices on the targeted networks and then run man-in-the-middle attacks to eavesdrop and manipulate the Internet traffic of connected devices.

FlyTrap could perform the following malicious tasks:

• Monitoring network traffic to gather data of interest such as email addresses, MAC addresses, VoIP numbers, and chat user names.
• Hijack users to malicious websites.
• Injecting malicious content into the data traffic to deliver malware.
• Setting up VPN tunnels to access clients connected to Flytrap’s WLAN/LAN for further exploitation

According to the documents, the CherryTree C&C server must be located in a secure sponsored facility and deployed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.
The documents include a list of more 200 router models that CherryBlossom can target, experts noticed that most of them are older models from various vendors, including Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.

For the full list of devices in included in a WikiLeaks document .

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cherry Blossom, CIA)

[adrotate banner=”13″]