CIA Malware Targets Linux Systems

July 05, 2017


On June 29th, 2017, WikiLeaks published leaked documents outlining the purpose and scope of a secret CIA project called ‘OutlawCountry’ that specifically targets Linux servers.

The news is somewhat disturbing because Linux is often marketed as a much less vulnerable operating system than Windows or even Apple’s iOS.


How the CIA Controls Linux Servers Using OutlawCountry Malware


Now, this isn’t going to be the easiest thing to follow.  Nothing about how this kind of malware operates inside a computer ever is, but we’ll attempt to explain below:

Essentially, OutlawCountry is a kernel module for Linux 2.6 (used to run servers) that allows a CIA agent to redirect or reroute traffic going outbound from a server and point it towards a CIA-controlled server that they use to capture the information in order to analyze it.

A kernel module is a file that contains code to modify an existing kernel, which is a computer program that runs the core functions of a computer.  So in other words, they hijack a core piece of the computer’s operating system and get it to do something completely different than originally intended.  In this case, it’s sending traffic to the CIA instead of where it was actually intended to go.

This kernel module then creates something called a netfilter table and names it something really obscure so you wouldn’t guess it was hijacking all of your server traffic.  The CIA operator can then create a set of new filter rules which allow the traffic to be rerouted.

This malware is designed specifically for Red Hat Enterprise Linux 6.x and CentOS 6.x systems running the 64-bit 2.6.32 version of the Linux kernel, and the only saving grace about this malware is that the target machine has to be physically compromised first.  It cannot be installed remotely like a phishing attack, but once in place, it gives the operator complete control over the traffic.

Instead of the server sending traffic to the appropriate computers and IP addresses, the CIA will run all of that server's traffic into their own server with the intent of capturing all of the data sent from the infected Linux server.  It can then be sent on to its original destination in a matter of seconds, and nobody ever knows the difference.

That’s a very basic version of what’s happening.
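For a defender, the useful detail above is that the visible trace is an extra, obscurely named netfilter table and a kernel module the host was never supposed to load. The following is an added example, not from the article or the leaked documents, of a check an administrator could run on a RHEL/CentOS host; it assumes /proc/net/ip_tables_names and /proc/modules are readable and that a known-good module list was recorded while the host was clean (the sample inputs are constructed).

```python
"""Added defensive check, not code from the article or the leaked documents.
Flags netfilter tables and kernel modules a host reports that are not on an
allowlist, so an obscurely named extra table or an unrecognised module stands
out. Parsers take text so they run offline; audit_host() reads live /proc."""

# Tables registered by the stock iptables stack (assumption: nothing else adds one).
STOCK_TABLES = {"filter", "nat", "mangle", "raw", "security"}

def unexpected_tables(ip_tables_names_text, known=STOCK_TABLES):
    """Return names from /proc/net/ip_tables_names that are not in `known`."""
    names = {ln.strip() for ln in ip_tables_names_text.splitlines() if ln.strip()}
    return sorted(names - set(known))

def parse_modules(proc_modules_text):
    """Parse /proc/modules ('name size refcount deps state addr') to {name: size}."""
    mods = {}
    for ln in proc_modules_text.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[1].isdigit():
            mods[parts[0]] = int(parts[1])
    return mods

def unexpected_modules(proc_modules_text, baseline):
    """Return loaded module names absent from a known-good baseline list."""
    return sorted(set(parse_modules(proc_modules_text)) - set(baseline))

def audit_host(baseline_modules, proc_root="/proc"):
    """Run both checks on the live host. baseline_modules is a trusted list
    captured from the same host while it was known clean (assumed to exist)."""
    with open(f"{proc_root}/net/ip_tables_names") as f:
        tables = f.read()
    with open(f"{proc_root}/modules") as f:
        modules = f.read()
    return {"tables": unexpected_tables(tables),
            "modules": unexpected_modules(modules, baseline_modules)}

# Constructed sample input (not captured from a real host): the five stock
# tables plus one obscurely named extra, and one module missing from baseline.
SAMPLE_TABLES = "filter\nnat\nmangle\nraw\nsecurity\nx7q2_t\n"
SAMPLE_MODULES = ("ext4 374000 1 - Live 0xffffffffa0000000\n"
                  "nf_conntrack 80000 1 - Live 0xffffffffa0100000\n"
                  "unk_mod 12000 0 - Live 0xffffffffa0200000 (O)\n")
SAMPLE_BASELINE = ["ext4", "nf_conntrack"]

if __name__ == "__main__":
    print("unexpected tables :", unexpected_tables(SAMPLE_TABLES))
    print("unexpected modules:", unexpected_modules(SAMPLE_MODULES, SAMPLE_BASELINE))
```

A hit from either check is a reason to compare the table's rules and the module file against a clean installation, not proof of this particular tool.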

WikiLeaks Has Been Busy


WikiLeaks first launched Vault 7 on Tuesday, March 7th 2017, and it is the first part of the full series that contained over 8750 documents lifted from a maximum security network inside the Center for Cyber Intelligence at the CIA’s buildings in Langley, VA.

A good portion of the CIA’s hacking arsenal was exposed during this leak.  It contained an impressive selection of hacking tools that included weaponized “zero day” exploits, trojans, viruses, malware, and even a malware remote control system.  As one might expect, it is extensive and gives the agency capabilities that most of us didn’t even know existed.

OutlawCountry is now the fourteenth malware program released in that series.  Earlier this month we got a look at the ‘CherryBlossom’ router attack, the ‘Brutal Kangaroo’ attack which allows a user to jump across air-gapped networks using only an infected USB stick, and finally the details surrounding ‘Elsa’ - a program designed to track the location of Windows PCs.

Now that Pandora's box has been opened, you can expect with certainty that hackers have these programs and codes in their possession and are figuring out ways to adopt them and attack us all on a grand scale.

And just like in the myth of Pandora, now that all of the computer world's evils have been let out, they cannot be put back in.

We're in for a bumpy digital ride in the near-future.

Josh Bare
