{"id":94793,"date":"2017-07-03T12:01:35","date_gmt":"2017-07-03T11:01:35","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=94793"},"modified":"2017-07-03T12:33:05","modified_gmt":"2017-07-03T11:33:05","slug":"vault-7-elsa","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/07\/vault-7-elsa\/","title":{"rendered":"Vault 7: Elsa"},"content":{"rendered":"<p style=\"padding-left: 30px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-90223\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo-150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>Today, June 28th 2017, WikiLeaks publishes documents from the <em>ELSA<\/em> project of the CIA. <em>ELSA<\/em> is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point\/geo-location information is stored in encrypted form on the device for later exfiltration. 
The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device &#8211; again using separate CIA exploits and backdoors.<\/p>\n<p>The <em>ELSA<\/em> project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation\/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-90672\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png\" alt=\"\" width=\"300\" height=\"212\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png 399w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h2 style=\"padding-left: 30px;\">Leaked Documents:<\/h2>\n<p style=\"padding-left: 30px;\"><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/Elsa_User_Manual\/\" >ELSA User Manual <\/a><\/p>\n<p>__________________________________________<\/p>\n<p><em><strong>All Releases:<\/strong><\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-brutal-kangaroo\/\" >Vault 7: Brutal Kangaroo<\/a> \u2013 22 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-cherry-blossom\/\" >Vault 7: Cherry Blossom<\/a> \u2013 15 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a 
href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-pandemic\/\" >Vault 7: Pandemic<\/a> \u2013 1 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-athena\/\" >Vault 7: Athena<\/a> \u2013 19 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/aftermidnight-assassin-frameworks\/\" >Vault 7: AfterMidnight &amp; Assassin Frameworks<\/a> \u2013 12 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-archimedes\/\" >Vault 7: Archimedes \u2013<\/a> 5 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-scribbles-project\/\" >Vault 7: Scribbles Project<\/a> \u2013 28 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-weeping-angel\/\" >Vault 7: Weeping Angel<\/a> \u2013 21 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-hive-project\/\" >Vault 7: Hive Project<\/a> \u2013 14 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/grasshopper\/\" >Vault 7: Grasshopper Framework<\/a> \u2013 7 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/marble-framework\/\" >Vault 7: Marble Framework<\/a> \u2013 31 Mar 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/dark-matter\/\" >Vault 7: Project Dark Matter<\/a> \u2013 23 Mar 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/03\/vault-7-cia-hacking-tools-revealed\/\" >Vault 7: CIA Hacking Tools Revealed<\/a> \u2013 7 Mar 2017<\/em><\/p>\n<p><a target=\"_blank\" 
href=\"https:\/\/wikileaks.org\/vault7\/#OutlawCountry\" >Go to Original \u2013 wikileaks.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-94793","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=94793"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94793\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=94793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=94793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=94793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}