A few days ago, Wikileaks published Vault 8, which includes the source code for Wikileaks’ earlier Vault 7 publication. Wikileaks made clear that, like Vault 7, Vault 8 does not include ‘zero day’ exploits. Wikileaks’ press release explains that Vault 8 includes source code and development logs of Hive, a “major component of the CIA infrastructure to control its malware.” Despite the importance of Vault 8’s content, legacy press has largely ignored news of its release.
Utter media silence surrounding Wikileaks’ latest publication may be somewhat explained by the shadow it casts on claims that Kaspersky Lab was involved in some sort of attempt at Russian interference, as establishment media claimed recently as part of their ongoing Russian hacking narrative. That the CIA actively impersonated Kaspersky Lab raises many questions regarding the impersonation of Russian and other groups by the CIA.
Anti-Russia hysteria on the part of the media appears to have increased in recent weeks. This comes despite the issue having been largely debunked by the work of the Forensicator, first reported by this author at Disobedient Media.
Wikileaks’ press release notes that: “Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”
Wikileaks wrote of Vault 8: “This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA.” Wikileaks also tweeted on the subject.
One of the key points that can be drawn from Wikileaks’ release of Vault 8 is that the CIA had the capability to pretend to be Kaspersky Lab, and that in fact they did impersonate them, among others. This is significant because it directly illustrates the capability of US intelligence agencies to create false attribution. Likewise, the publication of Vault 7’s ‘Marble Framework’ earlier this year revealed issues of misattribution.
Wikileaks wrote that Marble Framework was “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”
Vault 8 and earlier Vault 7 publications also shed light on the issue previously raised by Adam Carter, who repeatedly indicated over the last few months that Guccifer 2.0’s data was created in such a way that it demonstrated an intentional attempt to impersonate Russian hacking “fingerprints.”
It should also be noted that while the recent publication of Vault 8 and the earlier publication of Vault 7 shed important light on issues of misattribution, they are not directly related to Carter or the Forensicator’s studies of the Guccifer 2.0 material. Carter told Disobedient Media that very similar mimicry methods are observed in both cases.
This similarity can be seen in Carter’s assessment of the available evidence regarding Guccifer 2.0, where he concluded that it was much more likely that Crowdstrike, in association with the DNC, created the Guccifer 2.0 persona, rather than Russian state actors or Eastern European hackers.
Press reports indicate that since Vault 8’s release, Kaspersky Lab has confirmed that: “leaked digital authentication certificates issued in its name were fake after WikiLeaks published more proof of CIA online spying.”
Eugene Kaspersky confirmed the information via Twitter.
The publication of Vault 8 comes shortly after news of an October meeting between Bill Binney and CIA Director Mike Pompeo caused a furor in legacy press. Networks including CNN and NBC outrageously referred to former NSA Technical Director Bill Binney as a “conspiracy theorist,” despite his long and spotless record of absolute integrity.
Like the release of Vault 8, Binney’s statements and support of a Veteran Intelligence Professionals for Sanity (VIPS) memorandum raise significant concerns regarding the Russian hacking theory. This correlation may explain to some extent the viciousness with which Binney has been smeared, as well as the absolute silence that has met Vault 8 upon its release.
Thanks to the publication of Vault 8, as well as the previous work of VIPS, the Forensicator and Adam Carter, it has become increasingly clear that not only is there no evidence that Russia hacked the election, there is no indication at the time of writing that any such hypothetical theories have taken intelligence misattribution methods into account.
This means that, in addition to the fact that no evidence has been produced showing that a Russian hack of the DNC occurred, there would potentially be a serious problem of attribution if any such evidence were produced.
This coincides with Disobedient Media’s previous coverage of the work of Adam Carter, which illustrated the methods by which ‘Russian fingerprints’ left on Guccifer 2.0’s publications appear to be a rather obvious, blundering attempt at misattribution.
Carter wrote in his latest article: “Many other discoveries have been made this year that show Guccifer 2.0’s actions go beyond being careless and were clearly indicators of signal-mimicry (a misdirection intended to coerce flawed attribution).” In this way, Carter’s findings correlate with the false attribution abilities described in both Vault 8 and the previously published ‘Hive’ sub-release from Vault 7.
Over the last few months, establishment interests seem to have grown increasingly sensitive regarding the Russian hacking narrative, which can be seen in the language used to attack VIPS and Bill Binney, as well as the silence hanging over the release of Vault 8.