[BreachExchange] Vault 7 Leak: CIA Collected Biometric Data from Partner Agencies

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 28 19:21:11 EDT 2017


https://www.hackread.com/vault-7-expresslane-cia-collected-biometric-data-from-partner-agencies/

New Vault 7 Documents by WikiLeaks Show How CIA Collected Biometric Data
from Partner Agencies.

The latest batch of Vault 7 files, the confidential documents belonging to the
United States’ Central Intelligence Agency (CIA), has been published by
WikiLeaks.

The files, published on Thursday, are dated 2009 and once again show how the
CIA ran espionage campaigns against its targets, which in this case included
other intelligence agencies.

The documents describe how the CIA spied on other intelligence agencies using
a program dubbed ExpressLane. The software was designed for Windows XP-based
systems; it is unclear whether the tool is still in use and, if so, how its
functionality has changed since.

The leaked documents are marked “Secret” and expose the CIA’s methodology.
They reveal that two divisions of the CIA’s Directorate of Science and
Technology, the Office of Technical Services (OTS) and the Identity
Intelligence Center (I2C), were involved in the covert collection of biometric
data. ExpressLane discreetly copied data from the partner’s biometric software
and could also disable that software if the partner agency did not provide
continued access.

The tool was developed so that the CIA could obtain the information its
partner organizations were holding without asking for it. ExpressLane accesses
biometric data and copies it for the agency while posing as a software update.
The CIA handed the program to its technicians, referred to as agents; the
supposed update made no changes to the biometric program at all but simply
acted as a siphon that delivered the required data to the CIA.

ExpressLane was able to covertly collect data from intelligence organizations
primarily because the targets used a biometric collection system provided by
the OTS. Speculation has named the FBI (Federal Bureau of Investigation), DHS
(Department of Homeland Security) and NSA (National Security Agency), along
with various liaison services across the globe, as targets, but none of the
agencies ExpressLane spied on are identified in the released documents. What
is confirmed is that ExpressLane collected biometric data from partner
agencies.

As per the leaked documents, an OTS agent installed ExpressLane on the
targeted system from a USB device under the pretext of upgrading the system.
The software displayed a fake update screen for a duration set by the agent.
In the background, the biometric data was compressed, encrypted and copied to
the agent’s USB drive. The collected data was later extracted at CIA
headquarters using the ExitRamp utility.

ExpressLane also allowed the CIA to ensure that the biometric software would
be disabled after a set number of days through a Kill Date setting chosen when
the tool is installed. The Kill Date specifies the date on which the software
stops functioning; typically it was six months from the date of installation.

If the agent does not return with the USB drive within that period, the
biometric software’s license expires. Running ExpressLane on the computer
again extends the Kill Date. The purpose is to ensure that the CIA keeps
receiving the data it needs.

WikiLeaks stated that the Florida-based company Cross Match manufactured the
core components of the biometric system. Cross Match is known for providing
the field devices that helped identify al-Qaeda leader Osama bin Laden, and it
is a key supplier of biometric software to intelligence and law enforcement
agencies.

RELEASE: CIA 'Express Lane' system for stealing the biometric databases of
its 'partner' agencies around the world. https://t.co/8FefOS2Ljl
pic.twitter.com/LPwlAd0Tgr

— WikiLeaks (@wikileaks) August 24, 2017

Vault 7 documents previously leaked by Wikileaks:

BothanSpy and Gyrfalcon: Steal SSH credentials from Linux and Windows devices
OutlawCountry and Elsa: Malware targeting Linux devices and tracking user
geolocation
Brutal Kangaroo: CIA hacking tools for attacking air-gapped PCs
CherryBlossom and CherryBomb: Infecting WiFi routers for years
Pandemic: Malware targeting Windows devices
AfterMidnight and Assassin: CIA remote control and subversion malware for
Windows
Dark Matter: CIA tools infecting Apple Mac firmware, iPhones and MacBooks
Athena: Malware targeting the Windows operating system
Archimedes: A program helping the CIA hack computers inside a local area
network
HIVE: CIA implants to transfer exfiltrated information from target machines
Grasshopper: Malware payloads for Microsoft Windows operating systems
Marble: A framework used to hamper antivirus companies from attributing
malware
Highrise: Android malware that spies on SMS messages
Aeris, Achilles, SeaPea: Three malware implants developed by the CIA targeting
Linux and macOS
Dumbo Project: CIA project hijacking webcams and microphones on Windows
devices
CouchPotato Tool: Remotely collects video streams from Windows devices