WikiLeaks has come out with its monthly dose of exposés, with a familiar suspect: the Central Intelligence Agency. The organization claims that the US government agency has been planting exploits on unsuspecting websites while impersonating the Russian anti-virus company Kaspersky Laboratory.
The CIA reportedly did the mimicking with the help of a covert platform called Hive, which allowed it to stay anonymous: even if someone managed to spot the agency's malware, it would be difficult to trace it back to the CIA. The platform lets the agency run multiple operations with multiple implants on target systems, each operation hiding behind its own inconspicuous domain name. The server behind that domain is then put to work for the CIA's own purposes on a VPS (virtual private server) rented from a commercial hosting provider.
The site, which looks like just another website to an ordinary visitor, uses Optional Client Authentication: compromised machines present a client certificate and are thereby identified via Hive to a Blot server, while all other visitors are simply served benign web content.
To top it all off, the CIA threw in a red herring for data exfiltration, using digital certificates that would look legitimate at a glance. In one of the examples given, the organization mentions Kaspersky Lab:
"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated."
While the extent to which the platform and this covert approach were used remains unknown, the non-profit has published the documentation on Hive itself for anyone who wants to read it.