After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series that supposedly contains CIA-made hacking tools the organization claims it received from hackers and agency insiders.


Today's dump includes the documentation for a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models.

The tool is one of the most sophisticated malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network.

CherryBlossom installed via tainted firmware updates

The most complex part of using CherryBlossom is by far deploying the tool on a target's routers. This can be done by a field operative, or remotely using a router flaw that allows CIA operators to install new firmware on the targeted device.


Internally, CherryBlossom is made up of different components, each with a very precise role:

▻ FlyTrap - beacon (compromised firmware) that runs on the compromised device
▻ CherryTree - command and control server to which FlyTrap devices report
▻ CherryWeb - web-based admin panel running on CherryTree
▻ Mission - a set of tasks sent by the C&C server to infected devices

CherryBlossom architecture


According to the CherryBlossom manual, CIA operators can send "missions" to infected devices from the CherryTree C&C server via the CherryWeb panel.

Mission types vary wildly, which speaks volumes about the tool's versatility. For example, missions can:

▻ snoop on the target's Internet traffic
▻ sniff traffic and execute various actions based on predefined triggers (URLs, usernames, email addresses, MAC addresses, etc.)
▻ redirect the target's Internet traffic through other servers/proxies
▻ create a VPN tunnel from operator to the target's internal network
▻ alert operators when the target becomes active
▻ scan the target's local network

CherryBlossom supports over 200 router models

According to the CIA docs, FlyTraps can be installed on both WiFi routers and access points. There is a separate document that lists over 200 router models that CherryBlossom can target, most of which are older models. This 24-page document is not dated, but the rest of the CherryBlossom manuals are — between 2006 and 2012.


You'll find a list of all WiFi equipment vendors that were included in this document at the bottom of this article. For the full vendor-series list, please refer to the original WikiLeaks document here.


CherryWeb panel


In addition, French security researcher X0rz noticed a small detail that might help investigators track down CherryBlossom installations. According to the tool's installation guide, the default URL for the CherryWeb control panel is "https://CherryTree-ip-address/CherryWeb/" (e.g.: https://10.10.10.10/CherryWeb/). Scanning the Internet for CherryWeb web folders will reveal how many CherryBlossom installations are currently deployed online.
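As a defender-side use of that detail, the following added example (written for this article, not taken from the leaked manuals) flags clients in web-server or forward-proxy access logs that requested the default CherryWeb folder; the combined log format and the sample lines are assumptions, and the path alone is only a weak indicator.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Default CherryWeb panel folder quoted from the installation guide in the article.
CHERRYWEB_PATH = "/CherryWeb/"

# Combined access-log layout (Apache/nginx style); the exact format is an
# assumption for this example, so adapt the regex to your own logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def request_path(target: str) -> str:
    """Path of a bare-path or absolute-URL request target (proxy logs use the latter)."""
    if "://" in target:
        return urlsplit(target).path or "/"
    return target


def is_cherryweb_request(target: str) -> bool:
    """Case-insensitive match on the default CherryWeb folder; a weak indicator on its own."""
    return request_path(target).lower().startswith(CHERRYWEB_PATH.lower())


def find_cherryweb_clients(log_lines: List[str]) -> Dict[str, int]:
    """Map source address -> count of requests into the CherryWeb folder; unparsable lines are skipped."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_cherryweb_request(m.group("target")):
            hits[m.group("src")] = hits.get(m.group("src"), 0) + 1
    return hits


# Constructed sample log lines (not taken from any leaked document).
SAMPLE_LOG = [
    '192.0.2.7 - - [15/Jun/2017:10:01:02 +0000] "GET /CherryWeb/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [15/Jun/2017:10:01:09 +0000] "POST /cherryweb/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [15/Jun/2017:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.52"',
    '203.0.113.9 - - [15/Jun/2017:10:03:11 +0000] "GET https://10.10.10.10/CherryWeb/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "this line is not an access-log record and is skipped",
]

if __name__ == "__main__":
    for src, count in sorted(find_cherryweb_clients(SAMPLE_LOG).items()):
        print(f"{src}: {count} request(s) to {CHERRYWEB_PATH}")
```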

Tool co-developed with US nonprofit?

WikiLeaks claims the CIA co-developed CherryBlossom together with a US nonprofit named Stanford Research Institute (SRI International), but SRI's name only appears in one document — the manual for a tool named Sundew, a Linux-based wireless scanner used to identify the make and model of wireless devices. It is unclear at this moment what SRI's role was.


In May, WikiLeaks published documents revealing that US cyber-security company Siege Technologies had helped the CIA develop a tool called Athena, a versatile implant (CIA term for "malware").


Unlike the Shadow Brokers, who dumped the actual hacking tools they claim to have stolen from the NSA, WikiLeaks only published the CherryBlossom documentation, without dumping the actual tool.


You can read our previous WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks Vault 7 dumps:

Weeping Angel - tool to hack Samsung smart TVs
Fine Dining - a collection of fake, malware-laced apps
Grasshopper - a builder for Windows malware
DarkSeaSkies - tools for hacking iPhones and Macs
Scribble - beaconing system for Office documents
Archimedes - a tool for performing MitM attacks
AfterMidnight and Assassin - malware frameworks for Windows
Athena - a malware framework co-developed with a US company
Pandemic - a tool for replacing legitimate files with malware


List of WiFi router/AP vendors included in the CherryBlossom docs:

3Com
Accton
Aironet/Cisco
Allied Telesyn
Ambit
AMIT, Inc
Apple
Asustek Co
Belkin
Breezecom
Cameo
D-Link
Gemtek
Global Sun
Linksys
Motorola
Orinoco
Planet Tec
Senao
US Robotics
Z-Com