Latest WikiLeaks Release Exposes Marble Framework, CIA’s Anti-Forensics Tool

Rafia Shaikh
wikileaks cia

Following the release of Year Zero and Dark Matter, WikiLeaks has now released the third episode of stolen CIA documents. Codenamed Marble, the vault contains 676 source code files of the agency's anti-forensic Marble Framework. The framework was used to make it difficult for forensic investigators to attribute viruses, trojans, and cyberattacks to the CIA. WikiLeaks noted that the latest documents don't include any exploit, but focus on the agency's obfuscation techniques.

CIA anti-forensics tools revealed in latest WikiLeaks release - the agency knows too many languages...

The third trove of leaked CIA documents focuses on anti-forensics tools. WikiLeaks had released the first set of documents earlier in March, revealing details of several outdated security vulnerabilities that the CIA had stocked against iOS, Android, Samsung TVs, and several other products. Apple, Google, Microsoft, and other tech companies mentioned in the first release had all said that the flaws were patched years ago. Security experts had said that the release wasn't as groundbreaking as Julian Assange said it would be (he had claimed it'd eclipse Snowden leaks) and that the release just confirmed what everyone already knew CIA was doing in its targeted attacks.

Related StoryRafia Shaikh
Intelligence Coup of the Century: How CIA Secretly Sold Compromised Encryption Devices Through a Swiss Company to Over 120 Countries

The second release came last week. Codenamed Dark Matter, it exclusively focused on Apple products, generally thought to be more secure than others. WikiLeaks had subtly suggested that the CIA could be infecting Apple products right in the factory, a claim that wasn't supported by any of the leaked documents. Apple again said no security flaws mentioned in the release were active. One of the most astonishing - but expected - revelations included the fact that the CIA has been attacking iPhones since the very year they were launched.

"Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013." - Apple on release of Dark Matter.

Today's release doesn't focus on tech companies, but the agency itself. In its press release, WikiLeaks wrote that the agency hides text fragments to make attribution harder, a standard in the criminal or state-sponsored hacking communities.

Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.

Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

The press release also mentions a deobfuscator tool using which the CIA could reverse text obfuscation. Marble framework also has text examples in Chinese, Russian, Korean, Arabic, and Farsi, helping the agency further make it difficult for investigators to attribute an attack to the CIA.

WikiLeaks has stopped getting as much attention and trust as it did initially when it talked about releasing the Vault 7 documents. After repeatedly trying to exaggerate security situations to presenting demands to the tech companies before it could share source code, the organization has done little like the famous Edward Snowden, who unequivocally shared all the documents with the public without making any demands to the publications or companies.

Apple and Microsoft have previously said that the organization has to share security vulnerabilities like everyone else, and won't be treated differently. After the release of Dark Matter, Apple gave the following statement.

We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.

It appears that WikiLeaks is finally moving away from its focus on tech companies and their products and to the agency itself. You can read more about the Marble Framework in these released documents.

Share this story