WikiLeaks continued its ongoing release of documents from the CIA Friday with a collection of files detailing the agency’s ability to obscure its activities and make it difficult for investigators to attribute the origins of attacks and hacking.
The latest release from what WikiLeaks calls Vault 7 is titled “Marble” and contains documentation of files that are purportedly part of the CIA Core Library of malware code. WikiLeaks describes Marble as part of the CIA’s “anti-forensics approach.”
The name “Marble” refers to a specific algorithm that scrambles and unscrambles data.
Marble is one of the more technical releases that WikiLeaks has published as part of Vault 7. According to the documentation, the CIA tool is “designed to allow for flexible and easy-to-use obfuscation” by using “string obfuscation algorithms” to hide text fragments that could otherwise be used to link malware to a specific developer.
To accomplish this, the tool hides text fragments found in CIA malware from visual inspection, making an attack difficult to attribute to a specific source. The source code for the tool also includes a “deobfuscator” that reverses the algorithm used to disguise the attack’s origin.
The Marble source code also contains test examples in a number of different languages, including Chinese, Korean, Russian, Farsi and Arabic. Those languages, according to WikiLeaks, would allow the CIA to mislead investigators by leaving digital fingerprints in a different language.
The release of the Marble source code may present trouble for the CIA, as the information could be used to decode patterns from previous attacks and attribute to the agency attacks that had previously gone unidentified.
Marble reached version 1.0 in 2015 and was in use by the CIA as recently as 2016.
However, it is worth noting the previous document dumps released by WikiLeaks as part of Vault 7 have contained misrepresentations within the analysis provided by the transparency organization. It is possible the Marble release is the same.
WikiLeaks founder Julian Assange also previously promised to share information with tech companies to protect against CIA hacking, only for the companies to say that fixes had already been made or that they were never contacted by WikiLeaks.