Described as a multi-platform malware suite, Hive provides “customisable implants” for Windows, Solaris, MikroTik (used in Internet routers), Linux platforms, and AVTech Network Video Recorders, used for CCTV recording. Such implants allow the CIA to communicate specific commands.
— WikiLeaks (@wikileaks) April 14, 2017
A 2015 User Guide reveals the initial release of Hive came in 2010, and describes the software implant as having two primary functions – a beacon and interactive shell. Both are designed to provide an initial foothold to deploy other “full featured tools.”
The implants communicate via HTTPS with the webserver of a cover domain. Each cover domain is connected to an IP address at a commercial Virtual Private Server (VPS) provider. This forwards all incoming traffic to what’s called a ‘Blot’ server.
The redirected traffic is examined to see if it contains a valid beacon. If it does, it’s sent to a tool handler, known as Honeycomb, where the CIA can initiate other actions on the target computer.
The user guide details the commands that are available, including uploading and deleting files and executing applications on the computer.
— RT (@RT_com) April 14, 2017
To hide the presence of such malware, WikiLeaks notes that the public HTTPS interface (a protocol for secure communication over a computer network within an encrypted connection) “utilizes unsuspicious-looking cover domains,” meaning those targeted would be unaware of the CIA’s interference.
A ‘self-delete’ function is described in documentation accompanying Hive, revealing that the implant destroys itself if it’s not signalled for a predetermined amount of time. Binary information regarding Hive is deleted from the host, leaving a log and configuration file containing only a timestamp.
The self-delete was known to cause issues for the developers after running into complications caused by disparities in system clocks.
— RT (@RT_com) April 10, 2017
WikiLeaks says anti-virus companies and forensic experts have noticed “possible state-actor” malware using similar back-end infrastructure, but were unable to connect the back-end to CIA operations.
The Hive documents released Friday may allow experts to examine this kind of communication between malware implants and backend servers, WikiLeaks says.
The CIA’s Hive project was created by its Embedded Development Branch (EDB). This branch was also responsible for projects detailed in WikiLeaks’ ‘Dark Matter’ leak, revealing the CIA’s attacks on Apple firmware.