{"id":95163,"date":"2017-07-10T12:00:44","date_gmt":"2017-07-10T11:00:44","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=95163"},"modified":"2017-07-09T08:30:47","modified_gmt":"2017-07-09T07:30:47","slug":"vault-7-bothanspy","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/07\/vault-7-bothanspy\/","title":{"rendered":"Vault 7: BothanSpy"},"content":{"rendered":"<p style=\"padding-left: 30px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-90223\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/wikileaks-logo-150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>Today, July 6th 2017, WikiLeaks publishes documents from the <em>BothanSpy<\/em> and <em>Gyrfalcon<\/em> projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.<\/p>\n<p><em>BothanSpy<\/em> is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either the username and password (for password-authenticated SSH sessions) or the username, the filename of the private SSH key and the password protecting that key (when public-key authentication is used). <em>BothanSpy<\/em> can exfiltrate the stolen credentials to a CIA-controlled server (so the stolen data never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. <em>BothanSpy<\/em> is installed as a Shellterm 3.x extension on the target machine.<\/p>\n<p><em>Gyrfalcon<\/em> is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). 
The implant not only steals the user credentials of active SSH sessions but can also collect full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC\/KitV) on the target machine.<a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-90672\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png\" alt=\"\" width=\"300\" height=\"212\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa-300x212.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/logo@400-nsa.png 399w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<blockquote>\n<h2>Leaked Documents:<\/h2>\n<p><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/BothanSpy_1_0-S-NF\/\" >BothanSpy 1.0 <\/a><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/Gyrfalcon-2_0-User_Guide\/\" >Gyrfalcon 2.0 User Guide <\/a><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/document\/Gyrfalcon-1_0-User_Manual\/\" >Gyrfalcon 1.0 User Manual <\/a><\/p><\/blockquote>\n<p>_____________________________________________<\/p>\n<p style=\"padding-left: 30px;\"><strong><em>All Releases:<\/em><\/strong><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/07\/vault-7-outlawcountry\/\" >Vault 7: OutlawCountry<\/a> \u2013 29 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/07\/vault-7-elsa\/\" >Vault 7: Elsa<\/a> \u2013 28 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-brutal-kangaroo\/\" >Vault 7: Brutal Kangaroo<\/a> \u2013 
22 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-cherry-blossom\/\" >Vault 7: Cherry Blossom<\/a> \u2013 15 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-pandemic\/\" >Vault 7: Pandemic<\/a> \u2013 1 Jun 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-athena\/\" >Vault 7: Athena<\/a> \u2013 19 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/aftermidnight-assassin-frameworks\/\" >Vault 7: AfterMidnight &amp; Assassin Frameworks<\/a> \u2013 12 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-archimedes\/\" >Vault 7: Archimedes \u2013<\/a> 5 May 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/05\/vault-7-scribbles-project\/\" >Vault 7: Scribbles Project<\/a> \u2013 28 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-weeping-angel\/\" >Vault 7: Weeping Angel<\/a> \u2013 21 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/vault-7-hive-project\/\" >Vault 7: Hive Project<\/a> \u2013 14 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/grasshopper\/\" >Vault 7: Grasshopper Framework<\/a> \u2013 7 Apr 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/marble-framework\/\" >Vault 7: Marble Framework<\/a> \u2013 31 Mar 2017<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/04\/dark-matter\/\" >Vault 7: Project Dark Matter<\/a> \u2013 23 Mar 2017<\/em><\/p>\n<p 
style=\"padding-left: 30px;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/2017\/03\/vault-7-cia-hacking-tools-revealed\/\" >Vault 7: CIA Hacking Tools Revealed<\/a> \u2013 7 Mar 2017<\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/wikileaks.org\/vault7\/#BothanSpy\" >Go to Original \u2013 wikileaks.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-95163","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/95163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=95163"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/95163\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=95163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=95163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=95163"}],"curies":[{"name":"wp","href":"https:\/\/api.w
.org\/{rel}","templated":true}]}}