WikiLeaks Vault 7 part VII: Watch out for Scribbles!
Today's Vault 7 release, titled "Scribbles", contains some of the most sensitive CIA documents released to date. Scribbles is described by the CIA itself as a "batch processing tool for pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (foreign intelligence officers) actors." Strongly note the word "ACTORS".
Furthermore, this document-watermarking preprocessing system can be used to embed "Web beacon"-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others.
The released version of Scribbles (v1.0 RC1) is dated March 1st, 2016 and classified SECRET//ORCON/NOFORN until 2066.
Other parts to this series include:
- Part I: The CIA and NyanCat: The hackers and tools of Vault 7's "Year Zero"
- Part II: "Dark Matter" – All your Macintosh are belong to CIA
- Part III: Marble Framework – The CIA's cloaking device for hackers
- Part IV: Grasshopper and more research challenges!
- Part V: HIVE, Longhorn and the CIA's reign of cyberterror
- Part VI: Weeping Angel is listening…
Methods of operation
Scribbles is intended for off-line preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."
According to the documentation, "the Scribbles document watermarking tool has been successfully tested on […] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not locked forms, encrypted, or password-protected".
The limitation to Microsoft Office documents seems to create problems, however: "If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them."
More technical descriptions of Scribbles' operations can be found in the User Guide. For instance, here's an example of how XML can be used to configure Scribbles:

```xml
<Scribble_WatermarkParameters>
  <URL_Scheme Value="http"/>
  <HostServerNameList Value="watermarks.example.com"/>
  <HostRootPathList Value="rootPath1,rootPath2"/>
  <HostSubDirsList Value="subDir1,subDir2,subDir3"/>
  <HostFileNameList Value="fakeFileName1,fakeFileName2,fakeFileName3"/>
  <HostFileExtList Value=".jpg,.png,.gif"/>
  <Input__Directory Value=".\InputDir"/>
  <Output_Directory Value=".\OutputDir"/>
  <Input__WatermarkLog Value="Z:\WORK\Scribbles\Scribbles\bin\Debug\WatermarkLog.tsv"/>
  <Output_WatermarkLog Value="Z:\WORK\Scribbles\Scribbles\bin\Debug\WatermarkLog.tsv"/>
</Scribble_WatermarkParameters>
```
After configuration, several watermark image files are created from these parameters (the original post showed a few of the generated watermark images at this point).
After the watermarks are generated, Scribbles can then be executed to watermark all files specified. This leaves each target file with a new, web-beacon-enabled watermark that can be used to track and identify the given file should it ever be leaked.
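The three steps above (parameter file, watermark generation, insertion of a remotely loaded image) map onto something a defender can check for. The following added example is not code from the original post or from the Scribbles tool: it expands the page's own parameter lists into the set of beacon URLs the configuration could produce (the path layout `scheme://host/rootPath/subDir/fileName+ext` is an assumption, since the user guide excerpt does not state how the lists are combined), then scans an Office Open XML package for image relationships marked `TargetMode="External"`, which is how Word stores a picture that is fetched from a URL rather than embedded. The sample `.docx` is constructed in memory with one embedded and one linked image.

```python
from __future__ import annotations

import io
import itertools
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the parameter file shown on the page (log paths omitted,
# they play no part in URL generation).
PARAMS_XML = """<Scribble_WatermarkParameters>
  <URL_Scheme Value="http"/>
  <HostServerNameList Value="watermarks.example.com"/>
  <HostRootPathList Value="rootPath1,rootPath2"/>
  <HostSubDirsList Value="subDir1,subDir2,subDir3"/>
  <HostFileNameList Value="fakeFileName1,fakeFileName2,fakeFileName3"/>
  <HostFileExtList Value=".jpg,.png,.gif"/>
</Scribble_WatermarkParameters>"""

# OOXML relationship namespace and the relationship type used for pictures.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def candidate_beacon_urls(params_xml: str) -> list:
    """Expand every comma-separated list into the full set of URLs.

    Assumption (not from the page): components are joined as
    scheme://host/rootPath/subDir/fileName+ext.
    """
    root = ET.fromstring(params_xml)

    def values(tag: str) -> list:
        return [v.strip() for v in root.find(tag).get("Value").split(",")]

    scheme = values("URL_Scheme")[0]
    combos = itertools.product(
        values("HostServerNameList"), values("HostRootPathList"),
        values("HostSubDirsList"), values("HostFileNameList"),
        values("HostFileExtList"))
    return [f"{scheme}://{host}/{rp}/{sd}/{fn}{ext}"
            for host, rp, sd, fn, ext in combos]


def external_image_targets(package_bytes: bytes) -> list:
    """Targets of image relationships with TargetMode="External" in any
    *.rels part of an OOXML package (docx, xlsx or pptx)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            rels = ET.fromstring(z.read(name))
            for rel in rels.findall(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == IMAGE_REL:
                    found.append(rel.get("Target"))
    return found


def suspicious_hosts(package_bytes: bytes, allowed_hosts=()) -> list:
    """Hosts of externally linked images that are not on the allow-list."""
    hosts = {urlparse(t).hostname for t in external_image_targets(package_bytes)}
    return sorted(h for h in hosts if h not in allowed_hosts)


def build_sample_docx(external_url: str) -> bytes:
    """Constructed minimal package: one embedded picture, one linked picture."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{IMAGE_REL}" Target="{external_url}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    urls = candidate_beacon_urls(PARAMS_XML)
    print(f"{len(urls)} candidate beacon URLs, e.g. {urls[0]}")
    doc = build_sample_docx(urls[0])
    print("external image targets:", external_image_targets(doc))
    print("hosts not on allow-list:", suspicious_hosts(doc))
```

Scanning the `.rels` parts rather than the visible document body is the point: the linked picture can be sized to nothing or placed off-page, but the relationship entry that makes Word fetch it still has to exist. In a mail gateway or DLP setting, `suspicious_hosts` with an allow-list of known internal hosts gives a simple first-pass check on outbound Office attachments.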
It would seem, then, that WikiLeaks has released one of the CIA's most sophisticated tools for preventing future leaks and whistleblowers from taking action. It's unknown if the CIA was able to target more than just Microsoft Office files, but that almost certainly was one of their objectives over time.
In addition, the functions outlined in Scribbles display yet another method the CIA can use to try and fake or stage "foreign" cyberattacks. For instance, if Scribbles were run on a completely innocuous set of files that were then given to a foreign agent, the CIA could later go back and "prove" that the files had been "stolen" from the CIA. The applications for this tool are endless.
Submitted April 28, 2017 at 07:48AM by RebelliousSkoundrel
via reddit http://bit.ly/2qeL6Iq