A leaked version of spyware designed by the Central Intelligence Agency (CIA) to covertly exfiltrate data from targets has been spotted in the wild for the first time by analyst Netlabs.
The cyber watchdog claims it detected a variant of the CIA cyberattack kit Hive – no relation to the ransomware group of the same name – on October 21 after it caught it communicating with an internet protocol (IP) address using forged Kaspersky certificates.
“After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from the CIA,” said Netlabs. “This is the first time we caught a variant of the CIA Hive attack kit in the wild.”
Netlabs describes the variant, which it nicknamed xdr33 after its digital certification code, as a backdoor designed to collect sensitive data “and provide a foothold for subsequent intrusions.”
xdr33 uses SSL, an internet security tool that allows data encryption, to relay sensitive information back to the threat actor in control of it.
Describing the variant as an unsophisticated take on the US agency original, Netlabs added: “We tend to rule out the possibility that the CIA continued to improve on the leaked source code and consider it to be the result of a cyberattack group borrowing it.”
Expertise-sharing forum GitHub describes the original Hive spyware as providing “a covert communications platform for a whole range of CIA malware” that enables stolen data to be sent to agency servers and instructions to be relayed to field operatives.
Your email address will not be published. Required fields are markedmarked