WikiLeaks spills source code files for CIA’s Marble Framework

Late last week, WikiLeaks dropped a third batch of documents as part of its Vault7 project, this time detailing what the CIA called the “Marble Framework“. Its purpose: obfuscate text strings within CIA malware so forensic experts can’t trace its source back to the CIA.

The Marble leak is massive, with 676 source code files. In press reports, some security experts have called it the most “technically damaging” dump so far.

WikiLeaks describes how it works on its website. Among other things, they said:

Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.” The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

The website message does note that the framework is used for obfuscation only and does not contain any security holes or exploits by itself.

UC Berkeley researcher Nicholas Weaver told the Washington Post that this could be the most “technically damaging” document drop since Vault7 was launched, “as it seems designed to directly disrupt ongoing CIA operations and attribute previous operations”.

In the Post article, the CIA vented its anger over the ongoing leaks. Spokesman Dean Boyd told the publication:

Dictators and terrorists have no better friend in the world than Julian Assange, as theirs is the only privacy he protects. The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations but also equip our adversaries with tools and information to do us harm.

The Vault7 leaks

This was the third release in WikiLeak’s Vault7 operation. The second dump a couple weeks ago outlined a program called “Dark Matter” in which the agency created tools to bypass devices from Apple for at least a decade.

The first leak announced Vault7 and gave a “Year Zero” overview introducing the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of zero-day weaponized exploits against a wide range of US and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which were apparently turned into covert microphones.

Helping or hurting?

After the first leak, Naked Security asked security experts if they thought WikiLeaks was doing a valuable public service or doing serious damage to US security.

At the time, Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said he was torn. He was reminded of the Chelsea Manning case. Manning was a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents. Cowperthwaite said:

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US Intelligence Community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

As to the extent of the damage these releases will mean for the CIA in the longer term, the jury is still out. Experts have determined that it’ll take some time for the CIA to assess. It’s unclear how the agency will adjust its techniques as a result.