A new Wikileaks release called DarkMatter was released today, affirming that the Central Intelligence Agency has long targeted Apple Macs, creating malware designed to evade the tech giant's security mechanisms.
The leak also revealed the CIA had been targeting the iPhone since 2008, a year after the landmark device was released.
That slice of info was included in a small dump of information Wednesday, that included manuals for a handful of implants and rootkits - malware that can hide at the lowest level of Apple systems, the kernel and the firmware of the device. One of CIA's implants was called NightSkies, a manual for which noted there was a version for iPhone, then appearing to list the year 2008, though Wikileaks claimed the tool was operational in 2007, the year of launch. "NightSkies 1.1 exists for the iPhone," a CIA manual read, in a document entitled DarkSeaSkies that dated back to 2009. "Currently, NightSkies does not have stealth and persistence capabilities."
In a document describing the NightSkies malware for an iPhone 3G running iOS 2.1, released in 2008, the CIA wrote that it effectively granted the agency full control over an infected device: "The tool operates in the background providing upload, download and execution capability on the device. NS is installed via physical access to the device and will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP [listening post] to retrieve tasking, execute the instructions, and reply with the responses in one session."
And in detailing how a combination of tools including NightSkies would work on a Mac, the CIA wrote that it would act as "a beacon/implant that runs in the background of a MacBook Air that provides us with command and control capabilities. The implant will beacon periodically." Essentially, once the MacBook Air had been compromised following a physical installation, the CIA could access it whenever, and it would beacon out looking to be controlled by snoops within the agency.
'Early adopter' of Mac hacking
That same document showed the CIA Embedded Development Branch has been hacking Macs since as far back as 2005. While NightSkies ran on Mac OS X 10.5.2 and above, another rootkit called SeaPea was running on Mac OS X Tiger 10.4, launched 12 years ago. To Mac security expert Pedro Vilaca, the leaked documents showed that the CIA was an early adopter of Mac hacking. "They have a good interest in Mac targets, which makes sense since many high-value targets love to use Macs," Vilaca told Forbes.
Also included in Wikileaks' release was the Sonic Screwdriver from 2012, which would run on the firmware of an Apple Thunderbolt to Ethernet adapter and install low-level malware on the Mac from there. That's not dissimilar to an attack known as Thunderstrike, which was shown off by researchers in 2014.
As Vilaca said, it appears the CIA was ahead of the game when it came to deep Mac hacking. But there was some good news for Apple fans: all the malware required physical access to the device. There was, however, the potential for the CIA to intercept devices on the factory line.
Wikileaks working with tech companies?
As of this week, after some delay, Wikileaks was in touch with Apple, Google, Microsoft and other tech companies about the leaks, the aim being to help them release patches. But Wikileaks issued a list of demands before handing over information, such as a promise to fix the bugs within 90 days. Experts have asked Wikileaks how the collaboration is going. As yet it's unclear if any information has been handed over.
Google declined to comment on the issue yesterday, while Apple hadn't responded to a request for comment today. A Microsoft spokesperson said: "WikiLeaks made initial contact via firstname.lastname@example.org and we have followed up, treating them as we would any other finder."
A CIA spokesperson would not comment on the authenticity of the documents, providing a canned statement from the previous Wikileaks release, concluding: "The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm."
110 Reykjavik, Iceland