i ExpressLane – A CIA hacking project – All things in moderation

ExpressLane – A CIA hacking project

24 August, 2017 Wikileaks has publishes documents from the CIA ExpressLane project. These documents show how the CIA spies on their intelligence partners around the world, including Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS) and the National Security Agency (NSA), to covertly collect data from their systems.

Office of Technical Services (OTS) – the service that provides a biometric collection system to liaison services around the world “with the expectation for sharing of the biometric takes collected on the systems.

But since no agency share all of its collected biometric data with others, the Office of Technical Services (OTS) within CIA developed a tool to secretly exfiltrate data collections from their systems.

ExpressLane is installed and run under the guise of upgrading the biometric software by OTS agents that visit the liaison sites:

“ExpressLane 3.1.1 will overtly appear to be just another part of this system. It is called: MOBSLangSvc.exe and is stored in \Windows\System32.

It will covertly collect the data files of interest from the liaison system and store them compressed and encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system. Additionally, it manages a “kill date” to disable the software by corrupting a specific configuration file associated with the software.”

ExpressLane includes two components:

1. Create Partition: This component allows the agent to create a partition secret on the target system that the crawlers (in the compressed and encrypted archive) will be stored on.

2. Exit Ramp: This component allows the collector data collect the archive in the partition by the use USB drive when they revisit.

The latest version ExpressLane v3.1.1 provides an ability to disable the biometric software if liaison doesn’t provide the Agency with continued access.

Previous CIA documents Leaked:

Dumbo – A tool that capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment.

Imperial – The CIA project Developed three hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

Raytheon – Raytheon Blackbird, the technologies for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Highrise – an SMS messaging Android application designed for mobile devices running Android 4.0 to 4.3, that provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

BothanSpy – Two CIA project (BothanSpy and Gyrfalcon) that allowed the attacker to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

OutlawCountry – The project that targets computers running the Linux operating system allow hackers redirect all outbound network traffic on the targeted machine to CIA controlled computer systems for exfiltrate and infiltrate data.

Elsa – The CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.

Brutal Kangaroo – A tool suite for Microsoft Windows that targets closed networks or air-gapped computer systems within an organization or enterprise without requiring any direct access.

Cherry Blossom – A framework, basically a remotely controllable firmware-based implant, used for spying on the Internet activity of the targeted systems by exploiting flaws in WiFi devices.

Pandemic – a CIA’s project that allowed the attacker to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that has been designed to monitor and report back activities of the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-Middle attack tool created by the CIA to target computers inside a Local Area Network (LAN). Scribbles – Software reportedly designed to embed ‘web beacons’ into confidential files and documents, allowing the attacker to track whistleblowers and insiders.

Grasshopper – A framework which allowed the attacker to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.

Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying attacker to hide the actual source of its malware.

Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.

Year Zero – The first full part of the series includes several CIA hacking exploits for popular hardware and software (8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina).


Vault 7: Projects https://wikileaks.org/vault7/

Leave a Reply