Pirated CIA spyware being used by threat actors, says analyst

A leaked version of spyware designed by the Central Intelligence Agency (CIA) to covertly exfiltrate data from targets has been spotted in the wild for the first time by analyst Netlabs.

The cyber watchdog claims it detected a variant of the CIA cyberattack kit Hive – no relation to the ransomware group of the same name – on October 21 after it caught it communicating with an internet protocol (IP) address using forged Kaspersky certificates.

“After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from the CIA,” said Netlabs. “This is the first time we caught a variant of the CIA Hive attack kit in the wild.”

Netlabs describes the variant, which it nicknamed xdr33 after its digital certification code, as a backdoor designed to collect sensitive data “and provide a foothold for subsequent intrusions.”

xdr33 uses SSL, an internet security tool that allows data encryption, to relay sensitive information back to the threat actor in control of it.

Describing the variant as an unsophisticated take on the US agency original, Netlabs added: “We tend to rule out the possibility that the CIA continued to improve on the leaked source code and consider it to be the result of a cyberattack group borrowing it.”

Expertise-sharing forum GitHub describes the original Hive spyware as providing “a covert communications platform for a whole range of CIA malware” that enables stolen data to be sent to agency servers and instructions to be relayed to field operatives.

More from Cybernews:

Google AI to boost retail sales

Netflix to crack down on account sharing

Robot rockers nail Nirvana and Metallica classics

Artist builds GPT-3 typewriter that replies to you on paper

Biden pushes Republicans and Democrats “to hold Big Tech accountable”

Subscribe to our newsletter