Who Can Steal Your SSH Keys? Newest WikiLeaks Vault 7 Dump Highlights Importance of Strong SSH Key Management.

July 14, 2017 | David Bisson

A new document dump by WikiLeaks contains two tools presumably used by the U.S. Central Intelligence Agency to steal targets' Secure Shell (SSH) keys. With these utilities now available online, it's more important than ever for companies to implement strong SSH key management.

In early July, WikiLeaks published a new round of documents for "Vault 7," its ever-evolving series of leaks pertaining to the CIA. This batch exposed the details of two hacking tools designed to target machines running Linux or Windows. Both utilities are capable of stealing SSH credentials, information which an unauthorized actor could leverage to gain remote access to business-critical systems and assets.

The first tool, known as BothanSpy, infiltrates XShell, a Windows terminal emulator for SSH, TELNET, and RLOGIN. Once it's hooked into that program, BothanSpy abuses that access to steal user credentials for active SSH sessions. At that point, it either exfiltrates the data to a remote server or stores it on disk as an encrypted file.

Those credentials targeted by BothanSpy include usernames, passwords, and details associated with the SSH keys for each SSH session.

The second SSH-stealer exposed by WikiLeaks is called Gyrfalcon. To use this utility, an attacker must first acquire root privileges on a machine running Ubuntu, Debian, or another Linux platform. They can then load the tool and use it to steal the same information targeted by BothanSpy along with full or partial session traffic generated by the OpenSSH client. Gyrfalcon saves all this information locally as an encrypted file, allowing an attacker to exfiltrate the data at a later date.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, says the disclosure of BothanSpy and Gyrfalcon points to a worrying trend: 

"Whether it's the CIA or NotPetya in Ukraine, considered by many a Russian cyber operation, nation states are seeking the most sensitive machine identities that can be used to surveil and potentially knock out businesses and governments. Many businesses – banks, retailers, transportation – that might not have considered themselves as targets, may now have to revise their thinking."

As part of their growing scope, attackers are going after and abusing SSH keys for malicious purposes. For instance, hackers used a backdoor created by inserting a Russian SSH key to turn off parts of Ukraine's power grid in December 2015. Ukrainian cyberpolice no doubt had this type of exploit in mind when it recently urged businesses to change out the machine identities that control authentication and encryption following the NotPetya outbreak.

But following the Ukrainian cyberpolice's warning isn't always easy. As Bocek explains:

"Unfortunately, almost all businesses, including the world's largest banks, retailers and transportation companies, have no idea what is happening with their machine identities – like TLS digital certificates and SSH keys. They also have no means to respond to weaknesses and change out vulnerable machine identities. This increases the likelihood of broader chaos – not just in the Ukraine but in Europe and North America."

To know what's happening with their machine identities, businesses need to implement strong SSH key management. That effort begins with discovering all keys and certificates in their encryption environments. Once they have a comprehensive encryption inventory, organizations can then monitor their SSH keys and other assets for misuse.
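The discovery-then-monitor step above is concrete enough to show in code. The following is an added example, not Venafi's tooling or anything from the leaked documents: it parses `authorized_keys`-format entries collected per account, records each key's type, size and SHA256 fingerprint (the same fingerprint format `ssh-keygen -lf` prints), and flags what a first inventory pass usually surfaces: deprecated DSA keys, short RSA moduli, and one key authorized for several accounts. The `MIN_RSA_BITS` policy, the `make_*_line` helpers and the `SAMPLE_HOST` data are constructed for the example; the RSA sample is a modulus of the chosen size, not a real key pair.

```python
"""Inventory and weakness check for SSH public keys in authorized_keys format.

Added example (not Venafi's code). Assumes the line format documented in
sshd(8): [options] keytype base64-blob [comment].
"""
import base64
import hashlib
import struct
from collections import defaultdict

# Policy assumptions constructed for this example.
MIN_RSA_BITS = 2048
WEAK_TYPES = {"ssh-dss"}


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey(line):
    """Parse one authorized_keys line into a dict, or None if it is not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Skip leading option fields (e.g. from="...", no-pty) up to the key type.
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            fields = fields[i:]
            break
    else:
        return None
    if len(fields) < 2:
        return None
    keytype, b64, comment = fields[0], fields[1], " ".join(fields[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, off = _read_string(blob, 0)
        if wire_type.decode(errors="replace") != keytype:
            return None  # type field and blob disagree: treat as malformed
        if keytype == "ssh-rsa":
            _e, off = _read_string(blob, off)        # public exponent
            n, _ = _read_string(blob, off)           # modulus as mpint
            bits = int.from_bytes(n, "big").bit_length()
        elif keytype == "ssh-dss":
            p, _ = _read_string(blob, off)           # prime p as mpint
            bits = int.from_bytes(p, "big").bit_length()
        elif keytype == "ssh-ed25519":
            bits = 256
        elif keytype.startswith("ecdsa-sha2-nistp"):
            bits = int(keytype[len("ecdsa-sha2-nistp"):])  # nistp256 -> 256
        else:
            bits = 0                                  # unknown/sk-* types
    except (ValueError, struct.error, IndexError):
        return None
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "bits": bits, "fingerprint": "SHA256:" + fp,
            "comment": comment}


def inventory(entries):
    """entries: iterable of (account, authorized_keys text). Returns findings."""
    records, by_fp = [], defaultdict(set)
    for account, text in entries:
        for lineno, line in enumerate(text.splitlines(), 1):
            key = parse_pubkey(line)
            if key is None:
                continue
            key.update(account=account, line=lineno)
            records.append(key)
            by_fp[key["fingerprint"]].add(account)
    findings = []
    for k in records:
        flags = []
        if k["type"] in WEAK_TYPES:
            flags.append("deprecated key type")
        if k["type"] == "ssh-rsa" and k["bits"] < MIN_RSA_BITS:
            flags.append(f"RSA modulus {k['bits']} bits < {MIN_RSA_BITS}")
        owners = by_fp[k["fingerprint"]]
        if len(owners) > 1:
            flags.append("same key authorized for " + ", ".join(sorted(owners)))
        findings.append({**k, "flags": flags})
    return findings


# --- constructed sample data (not real keys) --------------------------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)


def make_rsa_line(bits, comment):
    """Constructed sample: a modulus of the given bit length, not a real key."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(fill, comment):
    """Constructed sample: a 32-byte filler in place of a real public point."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_HOST = [
    ("deploy", "\n".join(["# constructed sample for account deploy",
                          make_rsa_line(1024, "legacy@build01"),
                          make_ed25519_line(0x11, "ops@laptop")])),
    ("root", "\n".join(['from="10.0.0.0/8" ' + make_ed25519_line(0x11, "ops@laptop"),
                        make_rsa_line(4096, "backup@nas")])),
]


def report(findings):
    """One line per key; flagged keys carry the reasons."""
    return "\n".join(
        f"{f['account']:<8} line {f['line']} {f['type']:<12} {f['bits']:>5} "
        f"{f['fingerprint']} " + ("FLAG " + "; ".join(f["flags"]) if f["flags"] else "ok")
        for f in findings)


if __name__ == "__main__":
    print(report(inventory(SAMPLE_HOST)))
```

To run it against a real host, replace `SAMPLE_HOST` with `(user, open(path).read())` pairs gathered from each account's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths sshd is configured with); the fingerprints it emits can then be compared across hosts to see where the same key has spread, which is the inventory the post says monitoring has to start from.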

About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.