WikiLeaks has released a new round of Vault 7 files. The latest dump, dubbed “Dark Matter,” details some of the tools allegedly used by the CIA to target Apple devices.
The tools are named Sonic Screwdriver, Der Starke, Triton, DarkSeaSkies, NightSkies and SeaPea and, based on the descriptions provided in the files made available by WikiLeaks, they can be used to spy on iPhones and Mac computers. However, in most cases, deploying them requires physical access to the targeted device.
Sonic Screwdriver, for instance, is a tool that can be used to execute code from a USB thumb drive or other external disk connected to a Mac laptop even if the firmware is protected by a password. The documents obtained by WikiLeaks show that Sonic Screwdriver is stored on the firmware of a Thunderbolt-to-Ethernet adapter.
The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, and it’s meant to be delivered via “a supply chain intercept or a gift to the target.” DarkSeaSkies relies on the DarkMatter EFI driver for persistence and installing other tools, and the SeaPea OS X rootkit for stealth and execution of other implants. One such implant is NightSkies, which provides command and control capabilities.
The documents show DarkSeaSkies can be installed by booting the targeted system with an external flash drive. The implant is persistent across OS upgrades and reinstalls, but it can be removed by the attacker using a special command. Under certain conditions, the implant may also remove itself automatically.
Another set of tools includes a piece of OS X malware dubbed Triton, its infector Dark Mallet, and Der Starke, the EFI-persistent version of Triton.
One version of the NightSkies tool is designed for targeting iPhones. Once installed on a device, it can be used to execute arbitrary commands, download additional tools to the phone, and steal various types of files, including the address book, SMS messages and call logs. NightSkies, which also requires physical access to the targeted device, is recommended for “factory fresh” devices.
The documents are dated 2008, 2009 and 2012, but WikiLeaks claims other Vault 7 files show the CIA has continued to improve these tools. The organization also pointed out that the files show the intelligence agency has been “infecting the iPhone supply chain of its targets since at least 2008.”
“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said.