WikiLeaks Exposes CIA Targeting Linux Users With OutlawCountry Network Traffic Re-Routing Tool

CIA Logo Eagle Stealth Knowledge Innovation
Another day, another government spying exploit rises to the surface courtesy of Wikileaks, this time originating from the CIA. This WikiLeaks data dump specifically lets us know of a CIA-engineered spying tool called OutlawCountry (no space), which, interestingly enough, explicitly targets Linux users. You know, those digital freedom loving passionate penguin peeps that appreciate having great control over their computer? But don't worry, the CIA has targeted Windows users en masse in the past as well; absolutely no one has proven safe and they obviously don't discriminate.

OutlawCountry starts out as a Linux kernel module (nf_table_6_64.ko) that gets loaded into the system and subsequently creates a new entry in the iptables firewall configuration. After the deed is done, the original kernel module is no longer needed, so it's deleted.

Excerpt from CIA's OutlawCountry guide

At this point, an attacker could run an iptables command to reroute all of the traffic through a designated CIA data mining server, allowing the agency to spy on user activities and communications. The biggest threat here isn't winding up with the attack on a home PC, but more so a web server that could have thousands or even millions of people routing through it.

What's not clear at this point, is how the CIA expected to infect computers with this malware. Access to the machine is required, so it seems another exploit would allow an attacker to get in and then elevate to a privileged account to execute the attack. Falling victim to this particular attack, given its implementation, would pose almost no risk being sent as an email attachment, unless it was packaged as a script and still somehow managed to be run with root access.

OutlawCountry is just one of the many CIA leaks that WikiLeaks has released out as part of its Vault 7 series of data dumps, which have had more than a dozen separate leaks since the first back in March of this year.