Wednesday, 28 June 2017

Leaked documents show that CIA 'ELSA' implant geolocates laptops and desktops by intercepting the surrounding WiFi signals

Press release:

Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device - again using separate CIA exploits and backdoors.

The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.

Links:

Press release link: http://ift.tt/2uhY89w

Documents (html): http://ift.tt/2sQk3qk

Documents (download): http://ift.tt/2sQwN0g

Here's a TL;DR of the document (copied from an r/hacking thread):

I read a couple of pages in the manual. Apparently the ELSA client is designed to be injected as a DLL into an existing process; it's designed to run on machines running both 32- and 64-bit versions of Windows 7. Once it's injected, an encrypted log file is created but not sent to the operator; to get the log file you have to go get it using a backdoor. Also, the log file deletes older entries (locations) to make room for new ones. The operator has to set up the DLL before injecting it into the target. Here's how it's used:

  1. The operator configures the ELSA implant based on the target.

  2. The operator deploys the implant to the target and begins collection.

  3. The implant begins collecting WiFi access points based on the set schedule.

  4. The implant resolves WiFi data to a geolocation via the 3rd party database if it's configured to do so.

  5. The operator then connects to the target host to collect the encrypted log file.

  6. The operator then decrypts the log and analyzes it.



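The press release and the summary above describe two traits a defender can observe on the host: a process that enumerates nearby WiFi access points on a schedule, and (when the machine is online) that same process querying a public geolocation service. The Python below is an added defensive example, not part of the press release, the leaked documents or any CIA tooling: it hunts for that collect-then-resolve pattern in constructed, Sysmon-style process telemetry. The JSON field names, the sample events, the use of wlanapi.dll as the scan indicator, the baseline process lists and the service hostnames (the Microsoft entry is a placeholder) are all assumptions made for the example.

```python
"""Hunt for ELSA-style Wi-Fi geolocation behaviour in process telemetry.

Added defensive example (not from the leaked documents or any CIA tooling).
It encodes two host-observable traits the press release describes:
  1. a process enumerates nearby Wi-Fi access points, and
  2. the same process, when online, resolves those scans through a
     public geolocation web service.
The telemetry below is a constructed, Sysmon-like JSON-lines stream; the
field names, the baseline process lists, the wlanapi.dll indicator and the
service host list are assumptions for this example, not facts from the manual.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: on Windows, user-mode Wi-Fi scanning goes through the Native
# Wifi API exported by wlanapi.dll, so loading it is our scan indicator.
WIFI_SCAN_DLL = "wlanapi.dll"

# Assumption (baseline): processes that legitimately load the Wi-Fi API on a
# typical workstation. Tune this to your own environment before deploying.
EXPECTED_WIFI_CONSUMERS = {"svchost.exe", "explorer.exe"}

# Assumption: hostnames of public Wi-Fi geolocation services. The Google host
# is the documented Geolocation API endpoint; the Microsoft entry is a
# placeholder because the page does not name the exact service.
GEOLOCATION_HOSTS = {"www.googleapis.com", "placeholder.microsoft-geolocation.example"}

# Assumption (baseline): processes expected to talk to those services.
EXPECTED_GEO_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# A scan followed by a geolocation lookup inside this window is treated as
# one correlated collect-then-resolve cycle.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (JSON lines). Paths use JSON-escaped backslashes.
SAMPLE_TELEMETRY = r"""
{"ts": "2017-06-28T09:00:01", "event": "image_load", "image": "C:\\Windows\\explorer.exe", "pid": 1400, "dll": "wlanapi.dll"}
{"ts": "2017-06-28T09:05:12", "event": "image_load", "image": "C:\\Windows\\System32\\svchost.exe", "pid": 900, "dll": "wlanapi.dll"}
{"ts": "2017-06-28T09:10:40", "event": "image_load", "image": "C:\\Program Files\\Vendor\\updater.exe", "pid": 2312, "dll": "wlanapi.dll"}
{"ts": "2017-06-28T09:11:02", "event": "net_connect", "image": "C:\\Program Files\\Vendor\\updater.exe", "pid": 2312, "dst_host": "www.googleapis.com"}
{"ts": "2017-06-28T09:12:00", "event": "net_connect", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "pid": 3000, "dst_host": "www.googleapis.com"}
{"ts": "2017-06-28T12:00:00", "event": "net_connect", "image": "C:\\Windows\\System32\\notepad.exe", "pid": 4100, "dst_host": "www.googleapis.com"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' and a lower-cased image 'name'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["name"] = ev["image"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return events


def find_wifi_geolocation_activity(events):
    """Return findings keyed by pid: {'image', 'scan', 'geo', 'severity'}.

    medium - an unexpected process loaded the Wi-Fi scanning API, or an
             unexpected process contacted a geolocation service
    high   - the same process did both within CORRELATION_WINDOW, which
             matches the collect-then-resolve behaviour described for ELSA
    """
    per_pid = defaultdict(lambda: {"image": None, "scan": None, "geo": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if (ev["event"] == "image_load"
                and ev.get("dll", "").lower() == WIFI_SCAN_DLL
                and ev["name"] not in EXPECTED_WIFI_CONSUMERS):
            rec["scan"] = rec["scan"] or ev["ts"]  # keep the first sighting
        elif (ev["event"] == "net_connect"
                and ev.get("dst_host", "").lower() in GEOLOCATION_HOSTS
                and ev["name"] not in EXPECTED_GEO_CLIENTS):
            rec["geo"] = rec["geo"] or ev["ts"]

    findings = {}
    for pid, rec in per_pid.items():
        if rec["scan"] is None and rec["geo"] is None:
            continue  # nothing unexpected for this process
        severity = "medium"
        if rec["scan"] and rec["geo"] and abs(rec["geo"] - rec["scan"]) <= CORRELATION_WINDOW:
            severity = "high"
        findings[pid] = {"image": rec["image"], "scan": rec["scan"],
                         "geo": rec["geo"], "severity": severity}
    return findings


if __name__ == "__main__":
    for pid, f in find_wifi_geolocation_activity(parse_events(SAMPLE_TELEMETRY)).items():
        print(f"[{f['severity']}] pid={pid} {f['image']} scan={f['scan']} geo={f['geo']}")
```

On the constructed sample this flags updater.exe (pid 2312) as high because it loads the scanning API and then reaches the geolocation service within a minute, and notepad.exe (pid 4100) as medium for the lookup alone; explorer.exe, svchost.exe and chrome.exe fall inside the baselines and are ignored. Because the press release notes the implant also works fully offline and only stores an encrypted log locally, the geolocation lookup will be absent on air-gapped or offline hosts, so the image-load signal on its own is worth keeping even at medium severity.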
by meditation_IRC http://ift.tt/2s1BdOK
