DOUG DAVIS
Imagine for a moment that you are a computer information technology worker – a real geek. You enjoy computer gaming, pop music, meeting girls, and having a good time with your friends. Unfortunately, you have the bad luck to have been born in a third world country with a repressive government, so you have to keep some secrets.
Because you managed to graduate tech school, you have a job at the Department of Energy headquarters, maintaining the desktop computers of some unimportant secretaries, and a file server. The pay and technology are dismal. They still run Windows Vista and Server 2003, but it doesn’t matter because no one in your department handles anything of importance.
Management hasn’t invested in a very fast internet connection, so anytime there is an update for some of the free software you load on the desktops, the internet connection becomes hopelessly bogged down. Your solution? Nobody downloads updates but you. You then put them on the file server for everyone to download locally, sparing the precious internet feed. Genius! In fact, your superiors liked the solution so much, that they now have other departments use your local “app store” as well.
One day a new acquaintance of yours from the technology field gets together with you. He has heard you repeatedly whine about your job, so he asks you to have a coffee with him. You don’t suspect anything, so you agree. When you both are alone, your new friend offers you two years’ salary in cash to install an app on your file server, no questions asked. He assures you that no one can ever discover it and claims you are more at risk spending his money than doing what he asks. The whole process will take fifteen seconds. You agree, install the app, collect your money, and start spending very slowly.
The app that your generous friend had you install was, according to Wikileaks, the Pandemic malware delivery system. The CIA developed Pandemic and released it between 2014 and 2015. It was a file server implant designed to work on any Windows file servers which transferred information via the SMB (Server Message Block) protocol. It worked by replacing the content of up to twenty files during transfer. The actual file on the server was never touched. Pandemic just intercepted the transfer request and returned a substitute file when sending it back to the client computer. So anyone inspecting the server would notice no discrepancy in the data, but when the replaced file landed on the client machine, any payload could be delivered, up to 800MB in size, and it would for all purposes appear to be the file requested.
In our hypothetical scenario above, every time that an employee attempted to download and execute any of up to twenty files on the server, they also downloaded a malware kit which would allow CIA hackers to take remote control, transfer new executables or copy all the files on that computer. Any and all computers on the network who downloaded and executed those files were infected, and all the information available to the users was now the property of the CIA. Secretaries don’t always do important work, but they maintain payroll, address, vendor, and tax information. All critical information when you are attempting to infiltrate a large science project, like, say, a nuclear weapons program.
Pandemic is a very particular application, designed for a tight set of circumstances. It only operates on Windows file servers using the SMB protocol, and it only works for files sent from that server. Additionally, it requires access to the server to install. This set of circumstances resembles the typical office information technology setup of the early 2000s in the U.S., but is very common in developing nations, as governments often shun software and hardware upgrades due to cost. It is very likely that this application was crafted specifically for the aging infrastructure of overseas governments. It would be completely ineffective in most private sector information technology settings in the U.S. today.
The additional bad news for the CIA is that Pandemic’s target environment is even smaller now due to the Wannacry malware outbreak, which also targeted SMB vulnerabilities. Many systems administrators worldwide are turning off the protocol to play it safe.
Never fear, the NSA and CIA are working hard to ensure that nobody has any secrets, and they will most certainly find other holes to exploit. And they will certainly keep losing the tools they develop. The best way to protect yourself is to make backups, keep your anti-virus updated, use a VPN and encryption, and verify your internet downloads via hash — random strings of text that allow you to verify files you download aren’t corrupted or tampered with. You can learn more about hash — including how to use them — by checking out this how-to article.
