WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes

WikiLeaks isn’t done exposing the CIA’s arsenal of hacking tools used to infiltrate computer systems around the globe. Last month, we told you about Weeping Angel, which targeted select Samsung Smart TVs for surveillance purposes. Today, we’re learning about Archimedes, which attacks computers attached to a Local Area Network (LAN).

Although we have no way of knowing whether Archimedes is still in use by the CIA, the details of how it is unleashed on unsuspecting parties have been revealed in full. In its teaser announcing the exploit, WikiLeaks writes, “It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA.


“This technique is used by the CIA to redirect the target's computers web browser to an exploitation server while appearing as a normal browsing session.”

Archimedes is just the latest incarnation of software that was previously known as Fulcrum. WikiLeaks also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted:

Fulcrum uses ARP spoofing to get in the middle of the target machine and the default gateway on the LAN so that it can monitor all traffic leaving the target machine. It is important to note that Fulcrum only establishes itself in the middle on one side of the two-way communication channel between the target machine and the default gateway. Once Fulcrum is in the middle, it forwards all requests from the target machine to the real gateway.
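For defenders, the ARP spoofing described above shows up on the wire as a host claiming the gateway's IP address with a MAC that is not the gateway's. The following is an added example, not code from the article or the leaked documentation: it parses Ethernet/IPv4 ARP payloads and flags senders whose MAC disagrees with a pinned IP-to-MAC table. The addresses, the pinned table and the function names are constructed for illustration.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4 (RFC 826), 28 bytes:
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP payload for the sample data below (never sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sender_mac),
                       socket.inet_aton(sender_ip), mac(target_mac),
                       socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def check_bindings(payloads, pinned):
    """Alert when a sender claims a pinned IP with a MAC other than the pinned one."""
    alerts = []
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None:
            continue  # truncated or non-IPv4 ARP
        _oper, mac, ip, sent_to = parsed
        expected = pinned.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append({"claimed_ip": ip, "seen_mac": mac,
                           "expected_mac": expected.lower(), "sent_to": sent_to})
    return alerts

# Constructed sample (documentation addresses, locally administered MACs).
GATEWAY, WORKSTATION = ("192.0.2.1", "02:00:00:00:00:01"), ("192.0.2.50", "02:00:00:00:00:50")
PINNED = dict([GATEWAY, WORKSTATION])
SAMPLE = [
    build_arp(1, WORKSTATION[1], WORKSTATION[0], "00:00:00:00:00:00", GATEWAY[0]),
    build_arp(2, GATEWAY[1], GATEWAY[0], WORKSTATION[1], WORKSTATION[0]),
    # A third host answers for the gateway's IP with its own MAC.
    build_arp(2, "02:00:00:00:00:77", GATEWAY[0], WORKSTATION[1], WORKSTATION[0]),
    b"\x00" * 10,  # truncated payload, ignored
]

if __name__ == "__main__":
    for alert in check_bindings(SAMPLE, PINNED):
        print(alert)
```

The same comparison is what static ARP entries for the gateway or switch-level ARP inspection enforce; here it is applied to captured payloads after the fact.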

Archimedes can be deployed on machines running Windows XP (32-bit), Windows Vista (64-bit) and Windows 7 (64-bit) operating systems. The CIA documentation also says that the binaries required for Archimedes/Fulcrum will “run on any reasonably modern x86-compatible hardware”.

The Fulcrum user guide gives step-by-step directions on how to Prepare, Package, and Deliver the “payload”. The “Management” portion of the directions even takes a rather humorous tone, stating:

If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait. The release builds of the Fulcrum binaries don’t print anything to the console nor do they log any messages, so all we hear are the sound of crickets.

Archimedes is just the latest in a number of “Vault 7” leaks that have come our way since March from WikiLeaks. And it likely won’t be the last as WikiLeaks apparently has plenty of CIA files that it is combing over, just waiting to release.