SC Media reported on November 10th that WikiLeaks, under its new Vault 8 series of released documents, has unveiled what it says is the source code to a CIA tool, called Hive, that is used to conceal espionage actions when the Agency implants malware.
Hive reputedly lets the CIA covertly communicate with its software, making it hard or impossible to trace the malware back to the spy organization by routing traffic through a cover domain. Part of this, WikiLeaks said, is using fake digital certificates that impersonate other legitimate web groups, including Kaspersky Labs.
Kaspersky Labs CEO Eugene Kaspersky confirmed WikiLeaks' statement, saying, "We've investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected."
WikiLeaks said the CIA registers a nondescript cover domain for each of its operations and runs these domains from a rented commercial server as a VPS that is modified with CIA code. "These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a 'hidden' CIA server called 'Blot'," WikiLeaks said in a statement.
WikiLeaks alleges that part of the CIA's obfuscation methodology has it using faked digital certificates that are created by impersonating legitimate organizations – like Kaspersky Labs.
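As an added defender-side example (not from the article or from the leaked material), the check below runs over constructed TLS-inspection log lines and flags certificates that name a watched vendor in their subject but either fail chain validation, carry an issuer the vendor is not known to use, or are served from a domain the vendor does not own. The log format, the vendor's domain and issuer lists, and every domain and timestamp are assumptions constructed for this example.

```python
# Added example: flag certificates that claim a well-known vendor but do not
# chain properly or sit on a domain the vendor does not control.
# Log format, vendor lists, and all values are constructed assumptions.
from typing import Dict, List

# Assumed allow-list of domains and issuing CAs a vendor legitimately uses.
WATCHED_VENDORS = {
    "Kaspersky Lab": {
        "domains": ("kaspersky.com",),
        "issuers": ("DigiCert Inc",),  # placeholder issuer, an assumption
    },
}

def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=foo,O=Bar,C=US' into a dict (escaped commas not handled)."""
    out = {}
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.upper()] = val
    return out

def domain_belongs(sni: str, domains) -> bool:
    """True if the server name is the vendor domain or a subdomain of it."""
    return any(sni == d or sni.endswith("." + d) for d in domains)

def find_impersonation(lines: List[str]) -> List[str]:
    """Return server names whose certificate looks like vendor impersonation."""
    flagged = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header
        _ts, sni, subject, issuer, status = line.split("\t")
        vendor = WATCHED_VENDORS.get(parse_dn(subject).get("O", ""))
        if vendor is None:
            continue  # subject does not claim a watched vendor
        issuer_org = parse_dn(issuer).get("O", "")
        bad_chain = status != "ok" or issuer_org not in vendor["issuers"]
        wrong_domain = not domain_belongs(sni, vendor["domains"])
        if bad_chain or wrong_domain:
            flagged.append(sni)
    return flagged

# Constructed sample log (tab-separated). The last two lines model a cover
# domain presenting a certificate issued in the vendor's name.
SAMPLE_LOG = [
    "#ts\tserver_name\tsubject\tissuer\tvalidation_status",
    "1510300000\tupdate.kaspersky.com\tCN=update.kaspersky.com,O=Kaspersky Lab,C=RU\tCN=DigiCert SHA2,O=DigiCert Inc,C=US\tok",
    "1510300001\tcdn.example-cover.net\tCN=cdn.example-cover.net,O=Kaspersky Lab,C=RU\tCN=cdn.example-cover.net,O=Kaspersky Lab,C=RU\tself signed certificate",
    "1510300002\tstatic.example-cover.org\tCN=static.example-cover.org,O=Kaspersky Lab,C=RU\tCN=DigiCert SHA2,O=DigiCert Inc,C=US\tok",
]
```

Running `find_impersonation(SAMPLE_LOG)` returns the two cover-domain names; the genuine vendor host passes because it validates, is issued by an expected CA, and sits on the vendor's own domain.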
Now, even if the CIA believes this method is necessary, it could use faked digital certificates of non-controversial legitimate organizations. Tarring and feathering Kaspersky Labs seems like deliberate sullying of a major security player, one which is deeply respected by many cybersecurity folks. Remember when we used to think of ourselves as the good guys? I miss those days.