‘CIA used Brutal Kangaroo tool to infiltrate breakaway networks’


WikiLeaks has once again published CIA documents from its Vault 7 series. This time they concern the so-called Brutal Kangaroo project, which makes it possible to penetrate air-gapped networks by using USB drives.

According to WikiLeaks, Brutal Kangaroo is a Windows application. The accompanying manual shows that it is a collection of tools. For example, a user can use the Drifting Deadline tool to prepare a USB drive. The software offers a kind of wizard for this, which guides the user through the process. Once the wizard is completed, the tool creates an XML configuration, and the user can choose to infect a USB drive with the chosen configuration. Although the manual does not specifically describe the further process, this can be deduced from the manual of an older tool.

That manual shows that the USB drive is first used to infect a primary host. Then, when another drive is connected to that host, the implant checks whether it meets preset requirements. If so, the new drive is infected as well. The intention is that this second USB drive is then connected to a machine inside the closed network, which infects that machine in turn. If multiple systems are infected, the so-called Shadow implant is used to create a closed network between the machines and send data back and forth, the document claims.

In this way it is possible to map the closed network and collect data from it. Finally, the USB drive must be reconnected to the primary host, after which the collected data is copied to that host's hard disk and can be sent on to a listening post. According to WikiLeaks, this process is similar to how the Stuxnet malware works. The documents report that certain antivirus programs, including Symantec, Avira, Rising and BitDefender, detect a USB drive prepared with Drifting Deadline.

[Figure: description of the process behind the older tool]
