The Wikileaks Vault 7 Leak – What We Know So Far

By Omar Santos, Cisco Principal Engineer - Product Security Incident Response Team (PSIRT) - Security Research and Operations

March 08, 2017

On March 7th, 2017, Wikileaks made public a set of documents that is being referred to as the “Vault 7 leak”. The set contains a large collection of documents purported to belong to the United States Central Intelligence Agency (CIA) Center for Cyber Intelligence. According to Wikileaks, this disclosure is the first one, and additional disclosures will be coming in the near future.

At the time of the initial release, Wikileaks has not released any of the tools or exploits associated with the disclosure. Quoting from the Wikileaks Vault 7 release announcement:

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyber weapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.

Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, the scope of action that can be taken by Cisco is limited. An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway. Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective.

What we can do, have been doing, and will continue to do is to actively analyze the documents that were already disclosed. Based on our preliminary analysis of the disclosed documents:

  • Malware exists that seems to target different types and families of Cisco devices, including multiple router and switch families.
  • The malware, once installed on a Cisco device, seems to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever having been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.
  • The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself.
  • It would also seem that the malware authors spend a significant amount of resources on quality assurance testing, apparently to make sure that once installed the malware will not cause the device to crash or misbehave.

As mentioned above, no actual binaries or technical details of any malware have been released at this time, which limits the analysis to the test results and quality assurance testing logs from the disclosure. Cisco Product Security Incident Response Team (PSIRT) assumes that the associated malware will eventually be released by Wikileaks; at that time, Cisco PSIRT will proceed to analyze it and determine whether the malware tries to exploit any vulnerability in a Cisco product or service. If that were to be the case, we would make sure it is fixed and our customers are appropriately notified, by following our established security vulnerability policy.
