Enlarge / A screenshot of foreign language samples used by a CIA tool to hide the nation of origin of CIA code implants, leaked on Friday by WikiLeaks.
Up until this week, WikiLeaks’ “Vault 7” releases of files from a Central Intelligence Agency software development server have largely consisted of documentation for the various malware projects the CIA’s Engineering Development Group created to aid the agency’s mission. But on Friday afternoon, WikiLeaks began actually releasing portions of the CIA’s development library. And while the release contains no malware, it’s potentially the most damaging information released so far in that it could undermine ongoing CIA operations.
The release was of a repository of code for the CIA EDG’s obfuscation tools called Marble. The tools were used to conceal the signature of the implants developed by CIA from malware scans, to make it more difficult to reverse-engineer them if they were detected, and to figure out where the malware came from. University of California at Berkeley computer security researcher Nicholas Weaver told the Washington Post’s Ellen Nakashima, “This appears to be one of the most technically damaging leaks ever done by WikiLeaks, as it seems designed to directly disrupt ongoing CIA operations.”
There’s nothing particularly magical about the CIA’s tools, other than that they were developed and tested by a professional team and the code itself is extremely well-documented. Implant code for Windows systems was obfuscated with a tool called Marbler, a C++ application that obscures text strings and binary objects within implants in a number of ways. Those methods include “scrambling” binary content using a number of bit-shifting techniques, and inserting snippets of foreign languages(such as Chinese or Farsi) with a feature called “WARBL.”