After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series that supposedly contains CIA-made hacking tools the organization claims it received from hackers and agency insiders.
Today’s dump includes the documentation for a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models.
The tool is by far one of the most sophisticated malware frameworks in the CIA’s possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim’s network.
CherryBlossom installed via tainted firmware updates
The most complex part of using CherryBlossom is by far deploying the tool on a target’s routers. This can be done by a field operative, or remotely using a router flaw that allows CIA operators to install new firmware on the targeted device.
Internally, CherryBlossom is made up of different components, each with a very precise role:
▻ FlyTrap – beacon (compromised firmware) that runs on the compromised device
▻ CherryTree – command and control server to which FlyTrap devices report
▻ CherryWeb – web-based admin panel running on CherryTree
▻ Mission – a set of tasks sent by the C&C server to infected devices
According to the CherryBlossom manual, CIA operators can send “missions” to infected devices from the CherryTree C&C server via the CherryWeb panel.
Mission types vary wildly, which speaks volumes about the tool’s versatility. For example, missions can:
▻ snoop on the target’s Internet traffic
▻ sniff traffic and execute various actions based on predefined triggers (URLs, usernames, email, MAC addresses, etc.)
▻ redirect target’s Internet traffic through other servers/proxies
▻ create a VPN tunnel from operator to the target’s internal network
▻ alert operators when the target becomes active
▻ scan the target’s local network
CherryBlossom supports over 200 router models
According to the CIA docs, FlyTraps can be installed on both WiFi routers and access points. There is a separate document that lists over 200 router models that CherryBlossom can target, most of which are older models. This 24-page document is not dated, but the rest of the CherryBlossom manuals are — between 2006 and 2012.
You’ll find a list of all WiFi equipment vendors that were included in this document at the bottom of this article. For the full vendor-series list, please refer to the original WikiLeaks document here.
In addition, French security researcher X0rz noticed a small detail that might help investigators track down CherryBlossom installations. According to the tool’s installation guide, the default URL for the CherryWeb control panel is “https://CherryTree-ip-address/CherryWeb/” (e.g.: https://10.10.10.10/CherryWeb/). Scanning the Internet for CherryWeb web folders will reveal how many CherryBlossom installations are currently deployed online.
Tool co-developed with US nonprofit?
WikiLeaks claims the CIA co-developed CherryBlossom together with a US nonprofit named Stanford Research Institute (SRI International), but SRI’s name only appears in one document — the manual for a tool named Sundew, a Linux-based wireless scanner used to identify the make and model of wireless devices. It is unclear at this moment what SRI’s role was.
In May, WikiLeaks published documents revealing that US cyber-security company Siege Technologies had helped the CIA develop a tool called Athena, a versatile implant (CIA term for “malware”).
Unlike the Shadow Brokers, who dumped the actual hacking tools they claim to have stolen from the NSA, WikiLeaks only published the CherryBlossom documentation, without dumping the actual tool.
You can read our previous WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks Vault 7 dumps:
ᗙ Weeping Angel – tool to hack Samsung smart TVs
ᗙ Fine Dining – a collection of fake, malware-laced apps
ᗙ Grasshopper – a builder for Windows malware
ᗙ DarkSeaSkies – tools for hacking iPhones and Macs
ᗙ Scribble – beaconing system for Office documents
ᗙ Archimedes – a tool for performing MitM attacks
ᗙ AfterMidnight and Assassin – malware frameworks for Windows
ᗙ Athena – a malware framework co-developed with a US company
ᗙ Pandemic – a tool for replacing legitimate files with malware
List of WiFi router/AP vendors included in the CherryBlossom docs:
3Com
Accton
Aironet/Cisco
Allied Telesyn
Ambit
AMIT, Inc
Apple
Asustek Co
Belkin
Breezecom
Cameo
D-Link
Gemtek
Global Sun
Linksys
Motorola
Orinoco
Planet Tec
Senao
US Robotics
Z-Com