WikiLeaks has just published a new batch of the ongoing Vault 7 leak, and this time the whistleblowing website has unveiled a classified malware for that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.
Dubbed ELSA, the alleged CIA's project consists of two main elements: the processing component (Operator Terminal) and the implant (Windows Target) which is typically being deployed on a target Windows host.
The malware then uses Wi-Fi hardware of the infected computer to scan nearby visible WiFi access points (AP) and records their ESSID – stands for Extended Service Set Identifier (IEEE 802.11 wireless networking), MAC address and signal strength at regular intervals.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
"If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp," WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn't beacon (transfer) this data to the agency's server, instead, the operator (CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
The ELSA project allows CIA hackers to customize or modify the implant depending upon the target environment and operational objectives such as "sampling interval, the maximum size of the log file and invocation/persistence method."
The CIA hacker (operator) then uses additional back-end software to match collected access point data from exfiltrated log files with public geolocation databases (from Google and Microsoft) and finds the exact location of their target.
In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.
Dubbed ELSA, the alleged CIA's project consists of two main elements: the processing component (Operator Terminal) and the implant (Windows Target) which is typically being deployed on a target Windows host.
Here's How the CIA's ELSA Malware Works
The Elsa system first installs the malware on a targeted WiFi-enabled machine using separate CIA exploits to gain persistent access on the device.The malware then uses Wi-Fi hardware of the infected computer to scan nearby visible WiFi access points (AP) and records their ESSID – stands for Extended Service Set Identifier (IEEE 802.11 wireless networking), MAC address and signal strength at regular intervals.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
"If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp," WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn't beacon (transfer) this data to the agency's server, instead, the operator (CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
The ELSA project allows CIA hackers to customize or modify the implant depending upon the target environment and operational objectives such as "sampling interval, the maximum size of the log file and invocation/persistence method."
The CIA hacker (operator) then uses additional back-end software to match collected access point data from exfiltrated log files with public geolocation databases (from Google and Microsoft) and finds the exact location of their target.
COMMENTS