CIA obfuscation revealed
WikiLeaks has released the source code it says the CIA uses to hide its tracks.
The documentation for the software dubbed ‘Marble Framework’ says it is “designed to allow for flexible and easy-to-use obfuscation when developing tools”.
WikiLeaks says this is the kind of software that could be used to make a piece of code or a cyberattack appear to come from someone else, a useful tool for anyone wanting to blame foreign agents, for example.
WikiLeaks claims “thousands of CIA viruses and hacking attacks can now be attributed”.
“Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA,” the website states.
“Marble does this by hiding text fragments used in CIA malware from visual inspection.”
The Marble source code also includes a ‘deobfuscator’ to reverse CIA text obfuscation.
“Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators in attributing previous hacking attacks and viruses to the CIA,” WikiLeaks states.
The source code shows Marble test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi.
This would permit a forensic attribution double game: a tool could be made to look as though its author's native language was Chinese rather than American English, and could even be made to show apparent attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion. The lesson for investigators is that the language of strings found in a sample is weak evidence on its own; a recognisable obfuscation format, and the ability to reverse it, is a far more reliable link between samples.
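To make the two points above concrete (that string obfuscation hides text fragments from inspection, and that once the scheme and its deobfuscator are known the format itself becomes a signature investigators can scan for), here is an added illustration. It is not the Marble Framework's code or algorithm, which the article does not describe in detail; it is a minimal XOR-based scheme constructed for this page. The marker bytes, the blob layout, the fixed per-string keys and the sample strings in the languages the article lists are all assumptions made for the example.

```python
# Added illustration of build-time string obfuscation and its inverse.
# This is NOT the Marble Framework's algorithm; it is a toy scheme
# constructed here to show why a known obfuscation format turns into a
# forensic signature once its deobfuscator is public.
import struct

# Hypothetical 4-byte tag written before every obfuscated blob.
MARK = b"\xffOBF"


def obfuscate(text: str, key: bytes) -> bytes:
    """Encode `text` (UTF-8) as MARK | key_len | key | payload_len | payload.

    The payload is the UTF-8 text XORed with the repeating key, so the
    plaintext never appears in the built binary.
    """
    data = text.encode("utf-8")
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    if len(data) > 0xFFFF:
        raise ValueError("text too long for the 16-bit length field")
    payload = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return MARK + bytes([len(key)]) + key + struct.pack("<H", len(payload)) + payload


def _parse_blob(buf: bytes, pos: int = 0) -> tuple:
    """Parse one blob starting at buf[pos]; return (plaintext, end offset).

    Raises ValueError / IndexError / struct.error / UnicodeDecodeError on
    anything that is not a well-formed blob.
    """
    if buf[pos:pos + len(MARK)] != MARK:
        raise ValueError("not an obfuscated blob")
    p = pos + len(MARK)
    klen = buf[p]
    p += 1
    key = buf[p:p + klen]
    if klen == 0 or len(key) != klen:
        raise ValueError("bad key")
    p += klen
    (n,) = struct.unpack_from("<H", buf, p)
    p += 2
    payload = buf[p:p + n]
    if len(payload) != n:
        raise ValueError("truncated blob")
    text = bytes(b ^ key[i % klen] for i, b in enumerate(payload)).decode("utf-8")
    return text, p + n


def deobfuscate(blob: bytes) -> str:
    """Reverse obfuscate(); the malware's runtime decoder would do the same."""
    return _parse_blob(blob, 0)[0]


def carve(image: bytes) -> list:
    """Forensic side: walk a binary image, decode every MARK-tagged blob.

    Candidates that do not parse or are not valid UTF-8 (for instance a
    chance occurrence of MARK inside unrelated data) are skipped, so the
    scanner tolerates false marker hits.
    """
    found = []
    pos = image.find(MARK)
    while pos != -1:
        try:
            text, end = _parse_blob(image, pos)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            pos = image.find(MARK, pos + 1)
            continue
        found.append(text)
        pos = image.find(MARK, end)
    return found


# Constructed sample strings in the languages the article names, with fixed
# keys so the example is reproducible (a real build would draw random keys).
SAMPLES = [
    ("cmd.exe /c", b"\x41\x5e\x63\x7a"),
    ("测试", b"\x42\x5f\x64\x7b"),
    ("тест", b"\x43\x60\x65\x7c"),
    ("테스트", b"\x44\x61\x66\x7d"),
    ("اختبار", b"\x45\x62\x67\x7e"),
    ("آزمایش", b"\x46\x63\x68\x7f"),
]
FILLER = b"\x90" * 8  # stands in for surrounding code and data


def build_image() -> bytes:
    """Assemble a fake binary image: filler, obfuscated strings, filler."""
    image = FILLER
    for text, key in SAMPLES:
        image += obfuscate(text, key) + FILLER
    return image


if __name__ == "__main__":
    img = build_image()
    print("plaintext visible:", b"cmd.exe" in img)   # False
    for s in carve(img):                              # recovered strings
        print("carved:", s)
```

Run against the constructed image, `strings`-style inspection finds none of the sample text, while `carve()` recovers all six strings in order. The point is the one the article makes: the deobfuscator works only because the scheme has a fixed, recognisable structure, and that same structure lets an investigator scan any sample for it and link samples that share it, regardless of which human language the embedded text was written in.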