WikiLeaks is continuing to release classified US intelligence documents obtained as part of the Vault 7 leaks, this time detailing a Central Intelligence Agency (CIA) initiative to compromise common routers and wireless access points to perform man-in-the-middle (MITM) attacks: CherryBlossom.
Following a partial Vault 7 document release earlier this year
, the team at WikiLeaks has been continuing to mine the remaining files for items of interest. Its latest release reveals a programme dubbed CherryBlossom, which it claims is the work of the US Central Intelligence Agency (CIA) and Stanford Research Institute to take control of wireless routers and access points as a means of performing man-in-the-middle (MITM) attacks against surveillance targets - including both monitoring network traffic and redirecting traffic to specific sites.
According to WikiLeaks' analysis of the documents: 'The wireless device itself is compromised by implanting a customised CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.
'Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next beacon. Tasks for a Flytrap include (among others) the scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, the copying of the full network traffic of a Target, the redirection of a Target’s browser (e.g., to Windex for browser exploitation) or the proxying of a Target’s network connections. FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation. When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).
The documentation leaked in support of these claims includes a list entitled 'WiFi [sic] Vendor Equipment
' which, given the context, is fair to assume comprises a list of routers and access points for which CherryBlossom firmware was developed. Companies represented on the 12-page list include but are not limited to 3Com, Cisco, Asus, D-Link, Linksys, Orinoco, and US Robotics.
The CIA, as is to be expected, has neither confirmed nor denied the existence of the CherryBlossom programme nor the legitimacy of the leaked documents. Interested parties can find the documents on WikiLeaks' Vault 7 page
, though are warned that visiting the linked page will likely be flagged by government security services.