{"id":94046,"date":"2017-06-19T12:00:43","date_gmt":"2017-06-19T11:00:43","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=94046"},"modified":"2017-06-17T19:40:56","modified_gmt":"2017-06-17T18:40:56","slug":"vault-7-cherry-blossom","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-cherry-blossom\/","title":{"rendered":"Vault 7: Cherry Blossom"},"content":{"rendered":"<p style=\"padding-left: 30px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-90223\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo-150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>Today, June 15th 2017, WikiLeaks publishes documents from the <em>CherryBlossom<\/em> project of the CIA that was developed and implemented with the help of the US nonprofit <a target=\"_blank\" href=\"https:\/\/www.sri.com\" >Stanford Research Institute (SRI International)<\/a>.<\/p>\n<p><em>CherryBlossom<\/em> provides a means of monitoring the Internet activity of and performing software exploits on <em>Targets<\/em> of interest. In particular, <em>CherryBlossom<\/em> is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for &#8220;Man-In-The-Middle&#8221; attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. 
By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.<\/p>\n<p>The wireless device itself is compromised by implanting a customized <em>CherryBlossom<\/em> firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called <em>FlyTrap<\/em>. A <em>FlyTrap<\/em> will beacon over the Internet to a Command &amp; Control server referred to as the <em>CherryTree<\/em>. The beaconed information contains device status and security information that the <em>CherryTree<\/em> logs to a database. In response to this information, the <em>CherryTree<\/em> sends a <em>Mission<\/em> with operator-defined tasking. An operator can use <em>CherryWeb<\/em>, a browser-based user interface, to view <em>Flytrap<\/em> status and security info, plan <em>Mission<\/em> tasking, view <em>Mission<\/em>-related data, and perform system administration tasks.<\/p>\n<p><em>Missions<\/em> may include tasking on <em>Targets<\/em> to monitor, actions\/exploits to perform on a <em>Target<\/em>, and instructions on when and how to send the next beacon. Tasks for a <em>Flytrap<\/em> include (among others) scanning for <em>email addresses<\/em>, <em>chat usernames<\/em>, <em>MAC addresses<\/em> and <em>VoIP numbers<\/em> in passing network traffic to trigger additional actions, the copying of the full network traffic of a <em>Target<\/em>, the redirection of a <em>Target<\/em>\u2019s browser (e.g., to Windex for browser exploitation) or the proxying of a <em>Target<\/em>\u2019s network connections. 
<em>FlyTrap<\/em> can also set up VPN tunnels to a <em>CherryBlossom<\/em>-owned VPN server to give an operator access to clients on the <em>Flytrap<\/em>\u2019s WLAN\/LAN for further exploitation. When the <em>Flytrap<\/em> detects a <em>Target<\/em>, it will send an <em>Alert<\/em> to the <em>CherryTree<\/em> and commence any actions\/exploits against the <em>Target<\/em>. The <em>CherryTree<\/em> logs <em>Alerts<\/em> to a database and potentially distributes <em>Alert<\/em> information to interested parties (via <em>Catapult<\/em>).<a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-90672\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png\" alt=\"\" width=\"300\" height=\"212\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png 399w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h2 style=\"padding-left: 30px;\">Leaked Documents:<\/h2>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/SRI-SLO-FF-2012-177-CherryBlossom_SystemReqSpecDoc_CDRL-10_SLO-FF-2012-176\/\" >CherryBlossom &#8212; System Req Spec (CDRL-10) <\/a><\/p>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/SRI-SLO-FF-2012-177-CherryBlossom_QuickStartGuide_SLO-FF-2012-170\/\" >CherryBlossom &#8212; Quick Start Guide <\/a><\/p>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/WiFi_Devices\/\" >WiFi Devices <\/a><\/p>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/SRI-SLO-FF-2012-177-CherryBlossom_InstallationGuide_SLO-FF-2012-172\/\" >CherryBlossom &#8212; 
Installation Guide <\/a><\/p>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/Cherry-Blossom-Operating-Environment\/\" >CherryBlossom &#8212; Operating Environment (S\/\/NF) <\/a><\/p>\n<p>______________________________________________<\/p>\n<p><em><strong>All Releases:<\/strong><\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-pandemic\/\" >Vault 7: Pandemic<\/a> \u2013 1 Jun 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-athena\/\" >Vault 7: Athena<\/a> \u2013 19 May 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/aftermidnight-assassin-frameworks\/\" >Vault 7: AfterMidnight &amp; Assassin Frameworks<\/a> \u2013 12 May 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-archimedes\/\" >Vault 7: Archimedes \u2013<\/a> 5 May 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-scribbles-project\/\" >Vault 7: Scribbles Project<\/a> \u2013 28 Apr 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-weeping-angel\/\" >Vault 7: Weeping Angel<\/a> \u2013 21 Apr 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-hive-project\/\" >Vault 7: Hive Project<\/a> \u2013 14 Apr 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/grasshopper\/\" >Vault 7: Grasshopper Framework<\/a> \u2013 7 Apr 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/marble-framework\/\" >Vault 7: Marble Framework<\/a> \u2013 31 Mar 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/dark-matter\/\" >Vault 7: Project Dark Matter<\/a> \u2013 23 Mar 2017<\/em><\/p>\n<p><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/03\/vault-7-cia-hacking-tools-revealed\/\" >Vault 7: CIA Hacking Tools Revealed<\/a> \u2013 7 Mar 
2017<\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/#Cherry%20Blossom\" >Go to Original \u2013 wikileaks.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International). CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-94046","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=94046"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94046\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=94046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=94046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=94046
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}