‘Archimedes’ Released by WikiLeaks CIA Vault 7
May 5, 2017. WikiLeaks publishes “Archimedes”, a tool used by the CIA to attack a computer inside a Local Area Network (LAN), the kind of network usually used in offices. It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target computer’s web browser to an exploitation server while appearing as a normal browsing session.
The document illustrates a type of attack within a “protected environment” as the tool is deployed into an existing local network abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
RT Provides Advanced Information (The following is an edited reprint from RT)
The Archimedes tool enables traffic from one computer inside the LAN to be redirected through a computer infected with this malware and controlled by the CIA. The technique is used to redirect the target computer’s web browser to an exploitation server while appearing as a normal browsing session, the whistle-blowing site said. In this way, the hackers gain an entry point that allows them access to other machines on that network.
The tool’s user guide, which is dated December 2012, explains that it’s used to re-direct traffic in a Local Area Network (LAN) from a “target’s computer through an attacker controlled computer before it is passed to the gateway.”
This allows it to insert a false web-server response that redirects the target’s web browser to a server that will exploit their system all the while appearing as if it’s a normal browsing session.
The target of the attack is directed to a webpage that looks exactly like the original page they were expecting to be served, but which contains malware. It’s only possible to detect the attack by examining the page source.
Archimedes is an update to a tool called ‘Fulcrum’ and it offers several improvements on the previous system, including providing a method of “gracefully shutting down the tool on demand.”
An addendum from January 2014 shows that Archimedes was updated to support the ability to run on targets with multiple gateways, i.e. devices used to connect different networks.
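The reprint above notes that the injected “false web-server response” can only be noticed by examining the page source. The following is an added defensive example, not code from the page or from any WikiLeaks document: given a fetched page’s URL, response headers and HTML body, it lists every redirect mechanism (HTTP Location header, meta refresh, script-driven location change, iframe or script source) that points to a host other than the one the page was requested from. All sample input is constructed, and the hostnames in it are placeholders.

```python
"""Flag off-origin redirects in a fetched page, the kind of injected
'false web-server response' a reviewer would look for in page source."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RedirectFinder(HTMLParser):
    """Collect (kind, url) pairs for every redirect-like construct in the HTML."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag in ("iframe", "script") and a.get("src"):
            self.targets.append((tag + "-src", a["src"]))

    def handle_data(self, data):
        # Inline script text reaches handle_data; catch location assignments.
        pat = r"(?:window\.location|location(?:\.href)?)\s*=\s*['\"]([^'\"]+)['\"]"
        for m in re.finditer(pat, data):
            self.targets.append(("js-location", m.group(1)))


def off_origin_redirects(page_url, headers, body):
    """Return redirect targets whose host differs from the requested page's host.
    Relative URLs (no host) are same-origin by definition and are skipped."""
    origin = urlparse(page_url).hostname
    found = [("http-location", headers["Location"])] if "Location" in headers else []
    parser = _RedirectFinder()
    parser.feed(body)
    found.extend(parser.targets)
    return [(k, u) for k, u in found if urlparse(u).hostname not in (None, origin)]


# Constructed sample: a legitimate-looking page with two injected redirects.
SAMPLE_URL = "http://news.example/index.html"
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="0; url=http://exploit.example/landing">
<script src="/static/app.js"></script>
<script>window.location = "http://exploit.example/second";</script>
</head><body><a href="/about">About</a></body></html>"""

if __name__ == "__main__":
    for kind, url in off_origin_redirects(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"off-origin redirect via {kind}: {url}")
```

Running it on the constructed sample reports the meta refresh and the script-driven redirect to the placeholder host while ignoring the same-origin script source and link.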
It is interesting how and why the CIA gives its weaponized cyberwarfare tools their names. Because the agency will not disclose this information or comment on the authenticity of the WikiLeaks Vault 7 material, we can certainly speculate about the names associated with its cyber-weapons.
Archimedes (287 BC – 212 BC) was a Greek mathematician, physicist, astronomer, engineer, inventor, and weapons designer. It was perhaps the last of these, weapons designer, that the CIA had in mind when it named this malware, combined with one or more of his inventions and discoveries.
He is arguably most famous for inventing the science of mechanics and hydrostatics. He invented the ‘Archimedean Screw’ which is still used today to pull water out of the ground and discovered the laws of levers and pulleys, which allow us to move heavy objects using small forces.
He invented a highly accurate catapult through his understanding of the mathematics of projectile trajectory. This war machine prevented the Roman armies from conquering Syracuse, his place of birth, for many years.
Consider how the CIA uses this cyber-weapon: it infects a computer inside a LAN and redirects the target’s web browser to an exploitation server while appearing as a normal browsing session. Could the inspiration of the ‘Archimedean Screw’, used to ‘pull out’ and then ‘catapult’ elsewhere, be behind the name? I’m sure the Archimedean Screw may also have a different CIA interpretation, but we’ll leave that be.
Forgive our folly in this endeavor but we couldn’t resist the temptation.
WikiLeaks: Archimedes Documentation
Edited by NHN