WikiLeaks has released a new set of documents as part of its ‘Vault 7’ series, which exposes the CIA’s covert hacking activities between 2013 and 2016. The release, called Vault 7 “Dark Matter”, contains information about several CIA projects the organisation used to infect Apple devices and snoop on their owners.
The released documents show how the CIA used EFI/UEFI firmware implants (EFI/UEFI, the Unified Extensible Firmware Interface, is the specification for the firmware that initialises a computer’s hardware and hands control to the operating system) to gain persistent control of Apple Macs, and a separate implant to compromise iPhones.
Dark Matter contains details of projects developed by the CIA’s Embedded Development Branch (EDB), such as “Sonic Screwdriver” and “DarkSeaSkies”, which infect the firmware of Apple devices. Because the implant lives in the firmware rather than on disk, it persists even after the user has wiped the drive and re-installed the operating system.
The CIA’s “Sonic Screwdriver” project is essentially a technique ‘for executing code on peripheral devices while a Mac laptop or desktop is booting’. This allows an attacker to boot their malware onto the system “even when a firmware password has been enabled”, since the firmware password protects the boot menu, not code run from a peripheral during early boot. The project called “DarkSeaSkies”, whose documents date back to 2009, is an implant that persists in the EFI (Extensible Firmware Interface) firmware of an Apple MacBook Air.
Dark Matter also contains details about the CIA’s “Triton” and “DerStarke” projects. “Triton” is macOS malware, “Dark Mallet” is its infector, and “DerStarke” is the version that persists in the EFI firmware. The DerStarke 1.4 manual in the release dates back to 2013, but other Vault 7 documents show that the CIA continued to rely on and update these tools as of 2016 and was working on DerStarke 2.0, an upgraded and more robust version.
Dark Matter also contains details about a project called “NightSkies 1.2”, a tool the CIA uses specifically to infect iPhones. What is concerning is that, according to the release, many of these devices are infected before they ever reach their owners: through physical access to the targeted organisation’s supply chain, for example as shipments “leave the United States or otherwise”.