WikiLeaks Releases Details on CIA’s Athena Program

WikiLeaks has continued to release the details of US Intelligence Cyberwarfare tools and programs. They recently released the program known as "Athena." This program is designed to grant access to any Windows Operating System (OS) from Windows Vista up to Windows 10. Athena is composed of two programs that work together known as Athena-Alpha and Athena-Bravo, or Athena and Hera. Central Intelligence Agency hacker code was part of what was used in the recent WannaCry Cyber-attack.

Athena grants access to any device running Windows XP and Windows Vista, while Hera grants access to Windows 7 through Windows 10. Both of these programs provide the same capabilities to the owner of the malware, which is beaconing capability.

This beaconing capability allows Athena’s controller to alter critical parts of the OS. Namely, they can change the configuration of the OS as well as how it handles tasks. They can download data stored on the infected device at will, storing it on a hidden CIA server somewhere. Athena also grants them the ability to upload data or other programs into the infected device, allowing more viruses to be installed onto the machine.

The release of the details on Athena are part of a campaign by WikiLeaks to reveal US Intelligence Cyberwarfare tools, Athena was the 9th such program to be revealed by WikiLeaks. The others are (in order of release): Dark Matter, Marble, Grasshopper, Hive, Weeping Angel, Scribbles, Archimedes and After Midnight. These programs are part of WikiLeaks "Vault 7" program.

Dark Matter is a program aimed at infecting any Apple devices, which use their proprietary iOS. Dark Matter utilizes an infected USB that attacks the device while it is booting up, bypassing the normal login process to grant control. Dark Matter primarily targets Apple Macs and Macbooks but could be used to gain access to an iPhone or other portable iOS devices.

Marble (Full Name: Marble Framework), is a framework applied to CIA programs to hide their identity. Marble scrambles the code inside viruses in an attempt to keep their creator hidden. This would allow the CIA to infect machines without raising suspicion, or at least slow down anyone trying to find the real perpetrator. Marble also contains a tool that unscrambles any program through it, which means anyone possessing the leaked version of Marble Framework could reveal any malicious software as belonging to the CIA or potentially other Federal Intelligence Agency. Marble works by changing any English text over to a different language such as Russian, Chinese, Arabic or Kurdish. This would throw off automated scans and checks by generating false leads as to the country of origin. It doesn’t encrypt the virus in anyway, it only acts as a smoke screen.

Grasshopper (Full Name: Grasshopper Framework), is a framework used by the CIA to create custom targeted viruses for any Windows OS. Grasshopper allows the viruses to be custom tailored to specific machines and their configurations. If a Grasshopper produced virus is loaded into a machine that doesn’t match its targeting parameters, the virus will not infect the machine, instead, it loiters inside.

Hive isn’t an infiltration program, but rather a management service for them. Hive collects the data gathered by machines infected with CIA programs. It allows them to download files, or send them out to infected machines. It also allows for someone to issue commands to the infected computer, beyond just uploading or downloading data. Hive supposedly uses an HTTPS interface to control and monitor the malicious programs, allowing access from anywhere with an internet connection.

Finally we have Weeping Angel, named after the iconic Doctor Who villain. An interesting note is that there are several references to the series in the CIA’s released documents. “Sonic Screwdriver” is part of the access kit in Dark Matter. Weeping Angel is a program that takes over a smart television, such as those produce by Samsung. Weeping Angel requires physical access to do any harm, meaning that TVs can only be infected via a USB or other memory device being connected to them. Once infected the TV records and sends the audio data it collects with its inbuilt microphone. This data is stored in the USB or memory device for later collection. It is possible for the TV to be forced to set up a WiFi hot-spot that would transfer the data wirelessly. Weeping Angel also includes an option for “Real-Time Listening” which uploads the audio to the internet where it can be listened to as it’s recorded.