Wikileaks Posts CIA's Imperial Hacking Tools Targeting OS X And Linux

For the past several months, WikiLeaks has been publishing information related to exploits and hacking tools that had been used by the United States government at some point. The project is known as Vault 7 and seems to contain mostly older exploits, though it is not clear if some of the malware has been updated for modern platforms. Not all of it is aimed at Windows. In fact, the latest documents reference macOS and Linux hacks that were part of the US Central Intelligence Agency's Imperial program.

Mac OS X
Image Source: Flickr (Tony Webster)

The first of these is called Achilles. According to the documentation, it is a capability that gives an operator the ability to infect a target's OS X disk image (.dmg) with a Trojan. The infected image will behave similar to the original image, except for secret software getting installed unbeknownst to the target. Once installed, Achilles automatically removes all traces of itself so that it is near impossible to detect.

It has been several years since Achilles was in use, or at least version 1.0. The document is dated July 15, 2011, and makes reference to being tested on OS X 10.6. There have been six other major releases Snow Leopard, the latest of which is now called macOS instead of OS X (macOS 10.12 Sierra).


Next on the list (if going down alphabetically) is Aeries. This one takes aim at Linux systems with a set of Python utilities and binaries. The documentation is nine pages long and gets pretty technical in places. Named after a Final Fantasy character, Aeries is essentially a backdoor written in C programming language. It includes functions for pilfering data and can be used to build customized implants on portable Linux OSes such as Debian, CenOS, Red Hat, FreeBSD, and Solaris.

The last of three tool contained in the data dump SeaPea, an OS X rootkit disguised as an iTunes component. It provides stealth and tool launching capabilities and can hide files, directors, socket connections, and processes. Rootkits are especially nasty bits of code because they sink their hooks deep within the OS. That makes them both difficult to detect and remove.

It is not clear if the CIA is using newer versions of these tools or has abandoned altogether.