On November 8th, WikiLeaks published a new collection of documents reportedly originating from the CIA. This batch of information revealed how the federal agency may have used fake web certificates to cloak clandestine activities.
According to the International Business Times: “The latest [WikiLeaks] release outlines the inner-workings of a ‘back-end’ malware tool called Hive… It is allegedly used by the clandestine service to ‘transfer exfiltrated information from target machines’ to CIA servers… The CIA uses the Hive malware system to build fake web certificates and stop anti-virus companies from accurately attributing its hacking operations.”
Overall, these revelations from WikiLeaks demonstrate how sophisticated adversaries can use machine identities, like digital certificates, to subvert traditional security controls.
“This batch from WikiLeaks is just one more example of how machine identities can be used to create deceptive attacks,” said Kevin Bocek, chief security strategist for Venafi. “But this is not a new method of data exfiltration; state actors have been using fake machine identities for years now. For example, the APT1 group from China used fake digital certificates to trick security systems into thinking command and control systems were from IBM, Yahoo and other trusted businesses.”
So, what lessons can we learn from these new WikiLeaks revelations?
“Ultimately, the CIA’s Hive operation demonstrates why organizations need complete machine identity intelligence to protect themselves,” concludes Kevin. “This includes not only finding all certificates you use on a network, in the cloud and across the Internet, but scoring them to establish a certificate reputation. It’s like using a credit score; you need a basis to establish if certificates are real or fake, trusted or malicious.”