How the CIA controls the acquired targets

September 29, 2018 | Staff

One of the goals of conducting intelligence activities is to obtain strictly protected information. There are probably cases where, when planning data steal operations, the need to periodically re-invoke such a task is not taken into account in order to determine whether the information collected has not lost its relevance. However, it seems more reasonable that the approach is based on maintaining constant access to data, thanks to which information from the acquired source can be downloaded and verified for a long time. Thanks to this, intelligence agency can obtain a non-sourcing source from a single source, which will send us fresh portions of collected information upon our request.

It is also good practice to protect yourself against a potential mishap. If someone discovers that his computer or even the entire network is a valuable source of information for foreign intelligence, it should be made as difficult as possible to determine to which agency the resources of the acquired network are transferred. In all of this, the issue of the scale of the entire undertaking is still taken into account. Otherwise, we will categorize the task, when the control will be subject to individual goals, and differently if we count them in hundreds or, more likely, thousands. The task seems to be non-trivial; fortunately, however, we have to learn from whom. As with the solution of such a complex problem, the CIA has managed to find out the WikiLeaks publication, which reveals information about the Hive project.

How to carry out intelligence campaigns without revealing identity?

The CIA decided to build a special infrastructure for this purpose. With this infrastructure, people who were responsible for controlling the acquired goals could conveniently send commands to perform and receive their results, which is important, without revealing who the referrals come from and who they are targeting the results to. In other words, Hive was (or continues to be) an infrastructure used and mediated between the CIA and computers taken over from around the world.

The most interesting part of the Hive structure seems to be the contact between the CIA infrastructure and the "public" infrastructure. While studying the documents published by WikiLeaks, we can learn that as the starting points for the public network, the CIA servers were used by VPS servers purchased from commercial suppliers of these services. CentOS, the VPN client, the Apache web server were installed on the servers and the entire operation ended with setting the appropriate firewall rules (iptables). All the steps necessary for the correct configuration of the environment, including good security practices, can of course be found in the Hive user manual. In addition, the appropriate domain was registered for each of the operations carried out.

One of the tasks faced by the CIA was to mask the VPS server so that it could not be easily identified as an intermediary between the public network and the CIA sites. To this end, the approach was based on optional authentication to the web server.

After going to a specific URL address, the browser asks user to enter the login and password or to present the appropriate client certificate. The CIA used a similar approach. The difference, however, was that by default, access to server resources did not require any authentication. If an incident surfer came across such a server and sent an HTTP request to him, he could see a static web page in response. However, if the client, e.g. a malware running on the acquired station, connecting to the server, tried to authenticate by presenting the appropriate certificate, was identified and then allowed to exchange data with internal systems (the so-called "Blot" server). In this way, the CIA decided to blur the traces of its activities.