Skip to main content

Apple responds to Wikileaks’ ‘Dark Matter’ release revealing CIA efforts to infect Macs

Cancillería del Ecuador/Flickr
Wikileaks isn’t done with its Vault 7 release of CIA hacking documents, which has already created quite a stir by outlining various exploits that the CIA created for a variety of platforms. While Wikileaks has not revealed sufficient detail to allow the exploits to be easily used by cybercriminals, it has pointed nefarious parties in the right directions.

Now, Wikileaks has released another bundle of documents, dubbed “Dark Matter.” This time, the organization turned an eye to Apple’s Mac, with a number of exploits that are both insidious and persistent, MacRumors reports.

The leak highlights a specific CIA program, “Sonic Screwdriver,” that was created by the agency’s innocuous-sounding Embedded Development Branch. The exploit uses infected USB drives to inject code that attacks a Mac while it’s starting up and bypasses a user password to instead “boot its attack software.” Allegedly, the code has even been installed to modified firmware on Apple’s own Thunderbolt-Ethernet adapter.

Sonic Screwdriver isn’t the only exploit contained in the Dark Matter leak:

“DarkSeaSkies” is an implant that persists in the EFI firmware of an Apple MacBook Air computer and consists of “DarkMatter,” “SeaPea” and “NightSkies,” which are ,respectively, EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet,” and its EFI-persistent version “DerStake” are also included in this release. While the DerStake1.4 manual released Thursday dates to 2013, other Vault 7 documents show that as of 2016, the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.”

As MacRumors points out, Dark Matter also has iOS in its sights, with a number of iPhone-related exploits that are injected into target devices during the actual manufacturing process. These exploits have allegedly been underway since 2008, or soon after the iPhone was first released:

“While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.”

You can check out the Wikileaks source documents here. We’re likely to see additional leaks going forward, which, along with efforts to understand the documents that have already been leaked to date, will keep security analysts and the companies that make affected machines busy.

Apple has been quick to respond to the WikiLeaks Vault 7 leaks, and this one is no different. Apple provided a statement to Techcrunch, both about the Mac and iPhone exploits and Apple’s response to WikiLeaks in general:

“We have preliminarily assessed the Wikileaks disclosures … Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.

“We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”

Updated on 3-24-2017 by Mark Coppock: Added Apple’s statement.

Editors' Recommendations