Wikileaks released the fourth installment of Vault 7 today, revealing documents from the CIA’s “Grasshopper Framework.”

According to the press release provided by Wikileaks, Grasshopper allowed the CIA a maximum amount of flexibility and customization in targeting windows operating systems. Wikileaks pointed out that Grasshopper contained its own language.

Wikileaks tweeted on Grasshopper reinstalling itself every 22 hours – even when Windows Update is disabled:

The user guide in states:

An operator uses Grasshopper to build a custom installation… executable on a target computer, and (optionally) decode the results of that execution… Each payload installer is built from individually configured components that implement part of the installation procedure.

Grasshopper allowed for a high level of flexibility and specificity, customizable for individual target computers. Wikileaks described how the program gave the CIA the capability to construct “from 
very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.”

This is disturbing enough in terms of personal privacy concerns for Windows users; the revelations are made more disturbing in light of Wikileaks’ earlier allegations that tools released in Vault 7 had escaped control of the Central Intelligence Agency.

Wikileaks’ March 7 press release alleged: “.. the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.”

This would potentially give foreign states, criminal organizations or terrorist groups dangerous access to sophisticated cyber weapons, including those in Grasshopper.

Wikileak’s Press Release also points out Grasshopper’s design “puts special attention on PSP avoidance,” so that personal security products would not detect it.

Grasshopper includes its own language.  By bypassing security programs, the CIA would be able to (do whatever it wants?? phrasing?) to a windows operating system. This is especially concerning in that if the program was accessed by foreign states or terrorist groups.  This would pose a significant threat to national security given the capabilities of Grasshopper.

Wikileaks also alleged that the CIA ‘recycled’ some malware whose ‘components’ may have originated with Russian organized crime. Wikileaks press release explained that some ‘persitence mechanisms,’were ‘Stolen Goods’ -with components taken from “malware known as Carberp, a suspected Russian organized crime rootkit.”

Wikileaks tweeted: “CIA malware “Grasshpper” includes “Stolen Goods” which was taken from “suspected Russian organized crime”

The CIA files state:”Stolen Goods 2.1 (SG2) is a persistence module for Grasshopper and Shellterm based on components from 3rdparty malware.  The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime.  The source of Carberp was published online, and has allowed AED\RDB to easily ‘borrow’ components as needed from the malware... The persistence method, and parts of the installer, were taken and modified to fit our needs… vast majority of the original Carberp code that was used has been heavily modified.  Very few pieces of the original code exist unmodified.”

Wikileaks’s release of Grasshopper and other Vault 7 documents are not only concerning in terms of privacy and personal security, but also for National Security.



Writer and Associate Editor at Disobedient Media.

Leave a Reply