The tool itself is impressive enough, serving as the backbone of the CIA's malware operations, but there is more. What is interesting about the first release in the Vault 8 series is that it appears to show the agency impersonating Kaspersky, by making use of a fake certificate issued in the anti-virus company's name.
WikiLeaks describes the purpose and scope of Vault 8: "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others."
It then goes on to explain the purpose of Hive and gives links to the Hive repository as well as the Hive commit history. It also presents a brief description of the purpose of the tool:
Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.
The source code for Hive is certainly interesting, but the use of fake certificates relating to Kaspersky Lab is particularly notable. The discovery is certain to raise questions, such as whether the US government, which has banned the use of Kaspersky software on its computers, has been using the Russian security firm as cover for some time.
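The practical lesson of the fake Kaspersky certificate mentioned above is that a certificate's subject is just a string the issuer chose; only chain verification says whether anyone trustworthy vouches for it. The script below is an added example, not code from the article or from the leaked Hive repository: it constructs a self-signed certificate whose subject claims a Kaspersky organisation (the subject string and hostname are made up for the demo), then runs the check a responder would apply to a certificate pulled from suspect command-and-control traffic. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the article or the Hive source): a certificate that
# merely *claims* a Kaspersky subject, and the chain check that exposes it.
# Requires the openssl CLI. Subject and hostname below are constructed.
set -eu

WORK=$(mktemp -d)

# Constructed self-signed certificate. Anyone can put any organisation name
# in a subject; nothing checks the claim until the chain is verified.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/fake.key" -out "$WORK/fake.pem" \
    -subj "/C=RU/O=Kaspersky Lab/CN=c2.example.invalid" >/dev/null 2>&1

# Print the organisation (O=) named in the certificate's subject.
# RFC2253 output keeps the format stable across openssl versions.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*O=\([^,]*\).*/\1/p'
}

# Verify the chain against the local trust store.
# Prints "trusted" when a CA in the store vouches for it, else "untrusted".
cert_trust() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Combine the two: a subject that names a well-known vendor but does not chain
# to a trusted CA is exactly the pattern an impersonating certificate produces.
cert_verdict() {
    org=$(cert_org "$1")
    trust=$(cert_trust "$1")
    if [ "$trust" = untrusted ]; then
        echo "SUSPECT: subject claims '$org' but the chain does not verify"
    else
        echo "OK: '$org' chains to a trusted CA"
    fi
}

cert_verdict "$WORK/fake.pem"
```

On a real investigation the certificate would come from a packet capture or from connecting to the suspect server with `openssl s_client -showcerts`; the verdict logic is the same. Note that a passing chain check is not proof of legitimacy either, since a compromised or fraudulently obtained CA signature would pass it, so treat "OK" as one signal among several rather than a clean bill of health.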