Vault 8: Wikileaks Releases Source Code for CIA Project Hive

Wikileaks has announced Vault 8, the latest part of its series on CIA-developed hacking tools, a few months after releasing other leaks.

In this security news item, Wikileaks published its first batch of Vault 8 leaks, releasing the code of Project Hive, a backend component used to control one of the CIA’s pieces of malware.


According to a Wikileaks article, Hive solves a big problem for CIA malware operators.

The problem is that all malware, even sophisticated versions, needs to communicate with a command and control server. When malware is detected on a victim’s machine, the hackers behind the attack are usually traced back, which is an issue if the attacker is an agency like the CIA.

Hive solves this problem by providing a covert communications platform that lets a range of CIA malware send information to CIA servers without the attack being attributed to the agency itself.

Hive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. “”) for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a “hidden” CIA server called ‘Blot’.

The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything other than a normal website. The only peculiarity is not visible to non-technical users: an HTTPS server option that is not widely used, Optional Client Authentication. Hive uses the uncommon Optional Client Authentication so that a user browsing the website is not required to authenticate; it is optional. Implants talking to Hive do authenticate themselves, however, and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above), while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.
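One way a defender could check a packet capture for the Optional Client Authentication behaviour described above (an added example, not code from Wikileaks or the Hive source): parse the plaintext TLS 1.2 server flight for a CertificateRequest message and combine that with whether a certificate-less client still received a page. The function names and sample bytes are constructed for illustration; in TLS 1.3 this message is encrypted and cannot be seen this way.

```python
import struct

HANDSHAKE = 22             # TLS record content type for handshake data
CERTIFICATE_REQUEST = 13   # handshake message type, RFC 5246 section 7.4.4

def handshake_types(stream: bytes) -> list:
    """List handshake message types in a plaintext TLS 1.2 server flight."""
    buf, pos = b"", 0
    # Pass 1: strip 5-byte record headers and join the handshake fragments,
    # because one handshake message may span several records.
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE:
            break          # ChangeCipherSpec, alert or data: flight is over
        buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    # Pass 2: walk the 4-byte handshake headers (type + 24-bit length).
    types, pos = [], 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(buf):
            break          # truncated capture, stop at last complete message
        types.append(buf[pos])
        pos += 4 + mlen
    return types

def classify(flight: bytes, content_served_without_cert: bool) -> str:
    """Combine the wire observation with whether a cert-less client got a page."""
    if CERTIFICATE_REQUEST not in handshake_types(flight):
        return "no client authentication"
    if content_served_without_cert:
        return "optional client authentication"
    return "required client authentication"

# --- constructed sample data (bodies are zero filler, only headers matter) ---
def make_msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def make_record(fragment, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment

MSGS = make_msg(2, bytes(38)) + make_msg(11, bytes(10)) + make_msg(13, bytes(8)) + make_msg(14)
ORDINARY_SITE = make_record(make_msg(2, bytes(38)) + make_msg(11, bytes(10)) + make_msg(14))
ASKS_FOR_CERT = make_record(MSGS[:50]) + make_record(MSGS[50:]) + make_record(b"\x01", ctype=20)

if __name__ == "__main__":
    print(classify(ORDINARY_SITE, True))   # no client authentication
    print(classify(ASKS_FOR_CERT, True))   # optional client authentication
```

A CertificateRequest from a public website is uncommon but not malicious on its own, since legitimate services also use optional client certificates; treat it as one signal to correlate with others.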

In order to avoid being detected, malware implants use fake digital certificates signed by Kaspersky Labs, pretending to be signed by Thawte Premium Server CA, Cape Town.

Wikileaks assured in their press release that the released source code doesn’t contain any 0-day security vulnerabilities that could be exploited by others.

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
