In late May, WikiLeaks released another edition of their Vault 7 series of leaks from the CIA. Previous Vault 7 leaks exposed how the CIA targets Apple users. Earlier in May, WikiLeaks published leaks on the CIA’s “AfterMidnight” and “Assassin” malware for Windows. The new leak, which details malware called Athena and Hera, also exposes how the CIA is able to hack Windows users. The CIA developed the Athena and Hera malware for Windows with a private corporation from New Hampshire named Siege Technologies. In November of last year, Siege Technologies was bought by Nehemiah Security, which is based out of Virginia. Nehemiah Security’s headquarters is just outside of Washington DC, not far from the CIA’s headquarters, an area which is home to many corporations which are part of the military industrial complex.
Siege Technologies is developing a kill metric for the government’s cyber weapons, which would analyze how effective such cyber weapons are after they’ve been deployed. “I feel more comfortable working on electronic warfare. It’s a little different than bombs and nuclear weapons – that’s a morally complex field to be in. Now instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody,” Jason Syversen, the founder of Siege Technologies, said in an article contained inside of an e-mail published by WikiLeaks. Siege Technologies website states that the company “focuses on leveraging offensive cyberwar technologies and methodologies to develop predictive cyber security solutions for insurance, government and other targeted markets.”
The CIA works with many private corporations beyond Siege Technologies. The agency even has it’s own venture capital arm, known as In-Q-Tel. In-Q-Tel invests in new technology, particularly information technology, for the CIA and the broader United States intelligence community. Some companies which have received funding from In-Q-Tel include Keyhole, Inc. (which ended up getting bought by Google and becoming Google Earth), FireEye, Palantir, among dozens of others. However, it doesn’t appear that Siege Technologies or Nehemiah Security received any funding through In-Q-Tel.
The CIA’s Athena/Hera malware hijacks support DLLs in Windows to gain persistence. It works on both 32bit and 64bit versions of Windows, from Windows XP on up. In older versions of Windows, Athena-Alpha uses the RemoteAccess service, using the IP support DLL iprtrmgr.dll. The Athena-Alpha installer enables the RemoteAccess service, which is disabled by default. In Windows 7, 8, 2008 Server, 2012 Server, and 10, Athena-Bravo/Hera uses the DNScache service, using the support DLL dnsext.dll. The DNScache service is enabled by default. By hijacking DNScache, Hera is able to “obfuscate its persistence.” Hera has limited access on systems running Windows 8.1 or Windows 10 until the infected computer is restarted. Hera is an extended version of Athena, which is used on versions of Windows from 7 to 10, and is also referred to as Athena-Bravo. Athena used TEA encryption, while Hera implemented AES encryption.
Athena and Hera can work in an offline mode and a RAM-only or diskless/fileless mode. The Athena and Hera malware are implanted via remote access, by infecting the supply chain, by using a CIA asset, or by using the CIA’s Windex tool. Once the target has been infected by the CIA’s Athena or Hera malware, the infected computer will communicate with a C&C server. Once the CIA has infected the target and gains remote access, they are then able to exfiltrate data from the target. Additional payloads can be delivered to the target’s computer from the C&C server. The documents on Athena and Hera published by WikiLeaks were created during 2015 and 2016. By January 19th of last year Siege Technologies had conducted a long run test of Athena and delivered its first release candidate of Athena.
The release of the Athena and Hera documents marked the ninth release in WikiLeaks Vault 7 series. For the past few months WikiLeaks has released a new series of Vault 7 leaks. It is expected WikiLeaks will continue to publish more documents from the CIA in the coming weeks.