
WikiLeaks: ‘Marble’ is proof that CIA disguises hacks as Russian

The Vault 7 release by WikiLeaks contains a series of documents, named "Marble", detailing how CIA hacking tactics misdirect forensic investigators from attributing viruses, trojans and attacks.

Published: April 1, 2017, 9:36 am


    After the release of “Year Zero” and “Dark Matter”, WikiLeaks has now released the third batch of stolen CIA documents. It doesn’t focus on tech companies, but on the American spy agency itself.

    Previous Vault7 releases have revealed the CIA’s ability to mask its hacking fingerprints. It has now been revealed how the CIA inserts code fragments in foreign languages, and the tactic has been in use as recently as 2016.

    According to the WikiLeaks release: “The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.”

    By doing so, it creates a means for virus writers to pretend that the malware was created by a speaker of a range of foreign languages. But not any foreign languages of course, because the languages are those of the US’s main cyber-adversaries – Russia, North Korea, China and Iran.

    WikiLeaks suggests that this tech would trick security analysts into thinking they were, for example, dealing with the Russians or the Chinese PLA.

    The whistleblower believes that potentially “thousands” of cyber attacks could thus be attributed to the CIA, while the blame is wrongly placed on foreign governments, noting that the CIA technique is the digital equivalent of a tool which disguises the English text on US-produced weapons systems before they are provided to insurgents.

    WikiLeaks said Marble is able to hide text fragments that would allow the author of the malware to be identified. It is “designed to allow for flexible and easy-to-use obfuscation”, as “string obfuscation algorithms” often link malware to a specific developer.

    The source code released reveals Marble contains test examples in Russian, Korean, Arabic, Chinese and Farsi.

    “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” according to WikiLeaks, “But there are other possibilities, such as hiding fake error messages.”

    The code also contains a “deobfuscator” which allows the CIA text obfuscation to be reversed. “Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA.”

    “Marble forms part of the CIA’s anti-forensics approach. […] This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.”

    “The Marble Framework is used for obfuscation only and does not contain any vulnerabilities or exploits by itself.”
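For an analyst, the consequence of the passages above is that language strings found in a sample should be inventoried as artifacts that can be planted, not read as proof of origin. The following is an added example, not code from WikiLeaks, Marble or this article: a Python triage helper that groups the strings in a binary blob by Unicode script. It assumes a table of NUL-terminated UTF-16LE strings, and the sample blob and all function names are constructed for illustration.

```python
import unicodedata
from collections import Counter, defaultdict

# Scripts of the languages the article lists; Farsi is written in Arabic script.
SCRIPTS = {"LATIN": "Latin", "CYRILLIC": "Cyrillic", "CJK": "Han",
           "HANGUL": "Hangul", "ARABIC": "Arabic"}

def wide_strings(blob: bytes, min_chars: int = 4):
    """Yield NUL-terminated UTF-16LE strings (assumed layout of the string table)."""
    text = blob[: len(blob) & ~1].decode("utf-16-le", errors="replace")
    for run in text.split("\x00"):
        if len(run) >= min_chars and run.isprintable() and "\ufffd" not in run:
            yield run

def script_of(ch: str):
    """Map one letter to a script label via its Unicode character name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return next((label for prefix, label in SCRIPTS.items()
                 if name.startswith(prefix)), "Other")

def language_artifacts(blob: bytes) -> dict:
    """Group extracted strings by their dominant script."""
    groups = defaultdict(list)
    for s in wide_strings(blob):
        counts = Counter(sc for sc in map(script_of, s) if sc)
        if counts:
            groups[counts.most_common(1)[0][0]].append(s)
    return dict(groups)

def foreign_scripts(blob: bytes) -> list:
    """Non-Latin scripts present: log as plantable artifacts, not as attribution."""
    return sorted(set(language_artifacts(blob)) - {"Latin"})

# Constructed sample: five error-message strings packed as a UTF-16LE string table.
SAMPLE = ["Connection failed", "Ошибка подключения", "连接失败了",
          "연결 실패입니다", "خطای اتصال"]
SAMPLE_BLOB = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in SAMPLE)

if __name__ == "__main__":
    for script, strings in language_artifacts(SAMPLE_BLOB).items():
        print(f"{script:8} {strings}")
    print("treat as low-confidence indicators:", foreign_scripts(SAMPLE_BLOB))
```

On real binaries, arbitrary bytes decoded as UTF-16 often land in the Han range, so a hit from this kind of scan needs to be confirmed as readable text before it is recorded.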

    The Marble release appears authentic because WikiLeaks used “primary source documents,” John Kiriakou, former CIA analyst and whistleblower, told RT.

    The first set of leaks, released on 7 March, described exploits used to compromise vulnerable Android devices, Apple iPhones, Samsung TVs, Windows PCs, and Macs.

    Two weeks later, it leaked how the CIA was able to buy Apple Macs and iPhones, install spyware on them, and give them to targets. WikiLeaks spun this to suggest this might be happening in the factory, but the suggestion was unsupported by the leaked documents.

    El Reg has independently confirmed that Assange and his co-workers have entered into talks with Microsoft, unlike whistleblower Edward Snowden, who unequivocally shared all the documents with the public without making any demands to the publications or companies.
