CyberCrimeSecuritySecurity ManagementVirus

WikiLeaks Reveals CherryBlossom CIA Router Snooping Hacking Tools

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Follow on:

CherryBlossom can monitor Internet traffic and inject malicious code into targeted routers

WikiLeaks has released documents revealing that the CIA has been developing and maintaining a set of hacking tools that can be used to infiltrate routers and monitor their network traffic. 

The documents date back to 2012  and detail a CIA project called CherryBlossom designed to secretly monitor the Internet traffic of people and targets of interest to the US government agency. 

Router hacking 

CherryBlossom“CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals,” said WikiLeaks’ post about CherryBlossom. 

“These devices are the ideal spot for “Man-In-The-Middle” attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.” 

Through this code injection attack, CherryBlossom allows the remote control of an infected router, allowing for the CIA to not only monitor the router’s traffic but also harvest useful information such as passwords, and redirect targeted users to the CIA’s choice of website.

CherryBlossom can be configured to target routers from ten different manufacturers, including the likes of Asus, Belkin, Dell and Netgear. 

The CIA can cover their tracks on a hacked router through the use of encryption to hide the data sent back to the CIA as well as use cryptographic authentication to avoid detection. 

CherryBlossom is added to routers through loading it onto a targeted device’s firmware through the use of a wireless connection. 

This creates what the CIA calls a ‘FlyTrap’ which connects to a command and control server used by the CIA and referred to as CherryTree. Through a browser-based user interface called CherryWeb, a CIA operative can control the CherryBlossom tools and plan mission tasks for the malware. 

This would point point CherryBlossom being a project for highly targeted CIA monitoring rather than the more mass surveillance nature of the NSA’s PRISM programme

The WikiLeaks documentation did not reveal if and how the CherryBlossom tools were put into effect, but they do demonstrate the cyber surveillance capabilities of the CIA. 

With the recent batch of terror attacks prompting cyber snooping to be made legal in Switzerland, we would not be surprised to see more hacking and surveillance tools brought to light by WikiLeaks and other whistleblowers. 

Quiz: What do you know about privacy?