Recently, the National Computer Virus Emergency Response Centerhoneycomb"(Hive) Malicious Code Attack Control Weapon Platform (hereinafter referred to as "Hive Platform") was analyzed. The Hive Platform was developed by the United StatesCIAThe Information Operations Center Engineering Development Group (EDG, hereinafter referred to as the "CIA Engineering Development Group") under the (CIA) Digital Innovation Center (DDI) and XETRON, a subsidiary of Northrop Grumman (NOC), a famous American military industrial enterprise, jointly Research and development, exclusively used by the United States Central Intelligence Agency (CIA). The Honeycomb platform is a "lightweight" network weapon. Its tactical purpose is to establish a covert foothold in the target network, secretly deliver malicious code programs in a targeted manner, and use the platform to perform background control on a variety of malicious code programs to prepare for subsequent continuous delivery of " Heavy" weapons create conditions for cyber attacks. The U.S. Central Intelligence Agency (CIA) uses this weapon platform to customize malicious code programs adapted to multiple operating systems based on the characteristics of the attack target, carry out attacks and intrusions on the border routers and internal hosts of the victim unit's information system, and implant various Trojans and backdoors. Achieve remote control and carry out indiscriminate cyber attacks on information systems around the world.
1. Technical analysis
(1) Attack target
In order to meet the U.S. Central Intelligence Agency's (CIA) attack requirements for multi-platform targets, the R&D unit developed adapted versions of the cellular platform with similar functions for different CPU architectures and operating systems. According to current information, the Honeycomb platform can support mainstream CPU architectures such as ARMv7, x86, PowerPC and MIPS, covering general operating systems such as Windows, Unix, Linux, Solaris, etc., as well as RouterOS (a network equipment-specific operating system developed by MikroTik) ) and other dedicated operating systems.
(2) System composition
The honeycomb platform adopts C/S architecture and is mainly composed of the main control terminal (hclient), the remote control platform (cutthroat, translated as: "cut throat"), the generator (hive-patcher), the controlled terminal program (hived), etc. . In order to cover related cyber espionage operations, the CIA's engineering development team also specially developed a management system called "honeycomb", which cooperates with multi-layer springboard servers to achieve remote covert control of a large number of victim hosts infected by the honeycomb platform. Data collection.
(3) Recurrence of attack scenarios
The National Computer Virus Emergency Response Center conducted an in-depth analysis of the technical details of the Honeycomb platform samples, combined with relevant information obtained through public channels, and basically completed the reproduction of typical attack scenarios on the Honeycomb platform.
1. Use the generator (hive-patcher) to generate customized controlled-side malicious code programs
The US Central Intelligence Agency (CIA) attackers first used a generator (hive-patcher) to generate a customized controlled-end malicious code program (i.e. hived) to be implanted based on mission requirements and target platform characteristics. Before generating the controlled end program, parameters can be configured according to actual task requirements (as shown in Table 1).
After the CIA attacker completes the above parameter configuration, the generator (hive-patcher) can generate a new controlled end implant (as shown in Figure 1).
It is worth noting that in terms of attack target types, the US Central Intelligence Agency (CIA) pays special attention to the MikroTik series of network equipment. MikroTik's network routers and other equipment are highly popular around the world, especially its self-developed RouterOS operating system, which is used by many third-party router manufacturers. The US Central Intelligence Agency (CIA) attacked this operating system The potential risks posed by capabilities are difficult to estimate.
2. Inject server-side malicious code programs into the target system
The US Central Intelligence Agency (CIA) specially developed a MikroTik router vulnerability exploitation tool called "Chimay-Red" and compiled detailed instructions for use. This exploit tool exploits the stack conflict remote code execution vulnerability that exists in MikroTikRouterOS 6.38.4 and below operating systems to achieve remote control of the target system. The instructions for using vulnerability exploitation tools are shown in Table 2.
According to public disclosures by U.S. government insiders, the U.S. Central Intelligence Agency (CIA) and the U.S. National Security Agency (NSA) both belong to the U.S. Department of Defense.cyber warfareThey often cooperate with each other during operations. The Special Intrusion Operations Office (TAO) of the US National Security Agency has vulnerability attack weapon platforms such as "FoxAcid" and systematic network attack tools, which can effectively support the US Central Intelligence Agency (CIA). Spyware implant operation.
3. Wake up the server-side malicious code program and perform command control
After the server-side malicious code program is implanted into the target system and runs normally, it will be in a silent latent state, monitoring the network communication traffic of the controlled information system in real time for data packets with trigger characteristics, waiting to be "awakened". CIA attackers can use the client to send "code words" to the server to "awaken" latent malicious code programs and execute related instructions. Attackers from the U.S. Central Intelligence Agency (CIA) used a console program called "cutthroat" to control the client. Its main command parameters are shown in Table 3.
After the master terminal and the controlled terminal establish a connection, they can execute corresponding control commands (as shown in Figure 2).
In order to avoid intrusion detection, the master control terminal sends a "code word" to wake up the malicious code program of the controlled terminal, and then imitates HTTP over TLS to establish an encrypted communication channel to confuse network monitors and circumvent technical monitoring methods (as shown in Figure 3).
At this point, the master control end has achieved complete control over the malicious code program of the controlled end, and can deliver other malicious payloads at any time in a hidden state, or carry out subsequent penetration and secret theft operations.
(4) Protective measures
In order to further improve the concealment of cyber espionage operations, the U.S. Central Intelligence Agency (CIA) has carefully deployed network infrastructure related to honeycomb platforms around the world. From the analysis of the monitored data, the US Central Intelligence Agency (CIA) has set up multi-layer springboard servers and VPN channels between the main control end and the controlled end. These servers are widely distributed in Canada, France, Germany, Malaysia and Turkey. country, effectively hiding their whereabouts. Even if the victim discovers that he has been attacked by the Honeycomb platform, it is extremely difficult to conduct technical analysis and trace the source.
2. Operation method
Based on the internal information of the U.S. Central Intelligence Agency (CIA) publicly disclosed by WikiLeaks, combined with the technical analysis results of the National Computer Virus Emergency Response Center, we can clearly understand the operation of the Honeycomb platform as follows:
(1) Development process and developers
The Honeycomb platform was developed and completed under the leadership of the Engineering Development Group (EDG) of the US Central Intelligence Agency (CIA). The project cycle lasted from at least October 2010 to October 2015. The software version was at least 2.9.1 and had been in use since at least 2011. Supports remote attacks on MikroTik system devices and related operating systems. Participating developers include but are not limited to: Mike Russell, Jack McMahon, Jeremy Haas and Brian Timmons (as shown in Figure 4).
In addition, the honeycomb platform project also incorporates the research and development results of partner institutions, including project code written by XETRON, a subsidiary of Northrop Grumman, a well-known American military industry company (as shown in Figure 5).
XETRON was founded in 1972 and was acquired by Westinghouse Electric Group in 1986. In 1996, it was acquired by Northrop Grumman Corporation of the United States together with Westinghouse Electric. Its headquarters is now located in the suburbs of Cincinnati, Ohio, USA. Public information shows that, In 2013 it had 68,000 employees. XETRON has long been a contractor for the U.S. Central Intelligence Agency (CIA), and its product range includes military sensors, communications systems andcyber securitySoftware etc. According to information disclosed by WikiLeaks, in addition to participating in the Honeycomb Platform project, XETRON also provided the U.S. Central Intelligence Agency (CIA) with the tool "Cinnamon" to hack into Cisco routers. According to Northrop Grumman's description, XETRON is committed to providing technical support for the actions of government customers and focuses on "computer network operations." Its advantageous technologies include: encryption, intrusion detection, reverse engineering and penetration attacks. XETRON has long recruited cybersecurity talent from the University of Cincinnati and the University of Dayton.
(2) Honeycomb platform network infrastructure
In the scripts in "honeycomb", researchers found a batch of server IP addresses that were once used by the US Central Intelligence Agency (CIA) to control malicious code programs on the controlled side of the Honeycomb platform (as shown in Table 4). The server location covers Europe, America and Asia (as shown in Figure 6).
3. Summary
The above analysis shows that the U.S. Central Intelligence Agency (CIA) launches cyber attacks against other countrieshackerThe attack weapon system has been systematic, large-scale, traceless and artificially intelligent. Among them, the Honeycomb platform, as the "vanguard" and "commando" among the CIA's attack weapons, assumes the important function of breaking through the target's defense line. Its wide adaptability and powerful penetration capabilities have issued a major warning to global Internet users.
(1) The U.S. Central Intelligence Agency (CIA) has a powerful and complete arsenal of cyber attack weapons
The Hive platform serves as the CIA’sMain combat network weaponsOne of the equipment, its powerful system functions, advanced design concepts and advanced operational thinking fully reflect the CIA's outstanding capabilities in the field of cyber attacks. Its network weapons cover the entire chain of network attack activities such as remote scanning, vulnerability exploitation, covert implantation, sniffing and stealing, file extraction, intranet penetration, system destruction, etc. It has unified command and control capabilities and has basically realized artificial intelligence. The U.S. Central Intelligence Agency (CIA) relies on the Honeycomb platform to build a spy intelligence system that covers the global Internet and is conducting indiscriminate network surveillance on high-value targets and celebrities around the world.
(2) The U.S. Central Intelligence Agency (CIA) implements indiscriminate attack control and communication theft on high-value targets around the world
The targets of the CIA's hacking attacks and cyber espionage activities involve governments, political parties, non-governmental organizations, international organizations and important military targets in Russia, Iran, China, Japan, South Korea and other countries around the world, as well as political figures, public figures, celebrities and technologies from various countries. Experts, education, scientific research, communications, and medical institutions have stolen a large amount of secret information from the victim country, gained a large amount of control over the important information infrastructure of the victim country, and mastered a large amount of personal privacy of citizens around the world to serve the United States in maintaining its hegemony.
(3) The global Internet and important information infrastructure around the world have become the “intelligence stations” of the U.S. intelligence agencies
From the recently revealed U.S. National Security Agency (NSA) "Operation Telescreen", "APT-C-40", "NOPEN" and "Quantum" cyber attack weapons recently revealed by China's cyber security agency, and the U.S. Central Intelligence Agency (CIA) "Hive Hive" exposed this time "Analysis of the technical details of the weapon platform, existing international Internet backbone network equipment and important information around the world, infrastructure (servers, switching equipment, transmission equipment and Internet terminals), as long as it contains hardware and operating systems provided by American Internet companies and application software, are very likely to contain zero-day or various backdoor programs (Backdoor), and are very likely to become targets of attacks and theft by U.S. intelligence agencies. All activities on the global Internet and all data stored will be " "Truthfully" is displayed in front of U.S. intelligence agencies and becomes its "handle" and "material" to carry out attacks and sabotage against global targets.
(4) The cyber attack weapons of the U.S. intelligence and governance departments have become artificial intelligence-based
The Honeycomb platform is a typical U.S. military product with a high degree of modularity, standardization, and good scalability, indicating that the United States has achieved the "integration of industry, academia, and research" for cyber weapons. These weapons can automatically launch network attacks based on the hardware and software configuration of the target network and the existence of backdoors and vulnerabilities. They can also rely on artificial intelligence technology to automatically increase privileges, automatically steal secrets, automatically hide traces, and automatically transmit data back to achieve fully automatic attacks on attack targets. control.
The National Computer Virus Emergency Response Center reminds Internet users that cyberattacks by U.S. intelligence agencies are an imminent and real threat, and attacks on computer software and hardware with U.S. "genes" are constantly following. The expedient way to avoid being attacked by American hackers is to use autonomous and controllable domestically produced equipment.
Original article by SnowFlake, if reproduced, please credit https://cncso.com/en/hive-malware-attack-on-weapon-platforms-html