Vault 8 source found?

Karl gmkarl at gmail.com
Fri Dec 10 01:37:34 PST 2021


repository zip: https://wikileaks.org/vault8/document/repo_hive/hive.zip

my gmail app is misbehaving and there may be errors in the below paste of
text

Hive Repository

The files in this code repository were created between August 2013 and
October 2015, but the development of *Hive* started much earlier. Older
versions of the code are not available as the previous source code control
system (subversion) was not properly migrated to git.

The repository contains the following branches: 'armv5', 'autotools',
'debug', 'dhm', 'makemods', '*master*', 'mt6', 'polar-0.14.3',
'polar-1.1.8', 'polar-1.2.11', 'polar-1.3.4', 'solarisbug' and 'ubiquiti'.

Hive
9 November, 2017

Today, 9 November 2017, WikiLeaks publishes the source code and development
logs to *Hive*, a major component of the CIA infrastructure to control its
malware.

*Hive* solves a critical problem for the malware operators at the CIA. Even
the most sophisticated malware implant on a target computer is useless if
there is no way for it to communicate with its operators in a secure manner
that does not draw attention. Using *Hive*, even if an implant is discovered
on a target computer, attributing it to the CIA is difficult by just
looking at the communication of the malware with other servers on the
internet. *Hive* provides a covert communications platform for a whole
range of CIA malware to send exfiltrated information to CIA servers and to
receive new instructions from operators at the CIA.

*Hive* can serve multiple operations using multiple implants on target
computers. Each operation anonymously registers at least one cover domain
(e.g. "perfectly-boring-looking-domain.com") for its own use. The server
running the domain website is rented from commercial hosting providers as a
VPS (virtual private server) and its software is customized according to
CIA specifications. These servers are the public-facing side of the CIA
back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN
connection to a "hidden" CIA server called 'Blot'
<https://wikileaks.org/ciav7p1/cms/page_17760679.html>.

The cover domain delivers 'innocent' content if somebody browses it by
chance. A visitor will not suspect that it is anything else but a normal
website. The only peculiarity is not visible to non-technical users - an
HTTPS server option that is not widely used: *Optional Client
Authentication*. But *Hive* uses the uncommon *Optional Client
Authentication* so that the user browsing the website is not required to
authenticate - it is optional. But implants talking to *Hive* do
authenticate themselves and can therefore be detected by the *Blot* server.
Traffic from implants is sent to an implant operator management gateway
called *Honeycomb* (see graphic above) while all other traffic goes to a
cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by
the CIA impersonating existing entities. The three examples included in the
source code build a fake certificate for the anti-virus company Kaspersky
Laboratory, Moscow
<https://wikileaks.org/vault8/document/repo_hive/client/ssl/CA/client_crt/>
pretending to be signed by Thawte Premium Server CA, Cape Town
<https://wikileaks.org/vault8/document/repo_hive/client/ssl/CA/ca_crt/>. In
this way, if the target organization looks at the network traffic coming
out of its network, it is likely to misattribute the CIA exfiltration of
data to uninvolved entities whose identities have been impersonated.

The documentation for *Hive* is available
<https://wikileaks.org/vault7/#Hive> from the WikiLeaks Vault7 series
<https://wikileaks.org/ciav7p1/>.
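One way for a defender to check the certificate impersonation trick described above, as an added example (shell with the openssl CLI; not code from the post or from the Hive repository, and the CA names and all key material are constructed throwaway values): a certificate's claimed issuer name proves nothing on its own, only a signature that verifies under the genuine authority's key does.

```shell
#!/bin/sh
# Added example, not code from the post or from the Hive repository.
# Two CAs are built with the SAME subject name; only "real_ca" stands for
# the genuine authority. A client certificate issued by the look-alike
# "fake_ca" verifies against fake_ca but fails against real_ca, because
# verification checks the issuer's signature, not the issuer's name.
# All key and certificate material is throwaway, generated on the fly.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same distinguished name for both authorities (constructed, not a real CA).
CA_SUBJ="/C=ZA/O=Example Corp/CN=Example Premium Server CA"

# mk_ca <prefix>: self-signed CA key pair and certificate under $WORK
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mk_ca real_ca
mk_ca fake_ca

# Client certificate carrying a look-alike subject, signed by the fake CA.
openssl req -newkey rsa:2048 -nodes -subj "/O=Example AV Vendor/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/fake_ca.crt" \
  -CAkey "$WORK/fake_ca.key" -CAcreateserial -days 1 \
  -out "$WORK/client.crt" >/dev/null 2>&1

# verify_against <ca.crt> <cert.crt>: prints "ok" or "FAIL"
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# issuer_name <cert.crt>: what the certificate *claims* about its issuer
issuer_name() {
  openssl x509 -in "$1" -noout -issuer
}

echo "claimed issuer : $(issuer_name "$WORK/client.crt")"
echo "vs fake CA key : $(verify_against "$WORK/fake_ca.crt" "$WORK/client.crt")"
echo "vs real CA key : $(verify_against "$WORK/real_ca.crt" "$WORK/client.crt")"
```

The same check applies to a captured client certificate from live traffic: pin the real CA's certificate in the `-CAfile` and treat a name match with a signature failure as a sign of impersonation rather than of the named entity.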
