On March 7, 2017, the whistleblowing website WikiLeaks began publishing a new series of leaked CIA documents, which it entitled “Vault 7”. Among the many documents posted, one of the most prominent and secretive described a tool allegedly used by the CIA to secretly collect biometric data from the agency’s liaison services, a job facilitated by the CIA’s Office of Technical Services (OTS) and the Identity Intelligence Center (I2C). According to WikiLeaks, these liaison services include other U.S. government agencies, such as the NSA, the DHS, and the FBI.
In order for the collected biometric data to be shared, the CIA developed a tool called ExpressLane, which secretly copies the data collected by the biometric software and disables that software if continued access is not provided to the agency. The documents describe ExpressLane being installed on the targeted system by an OTS officer who pretends to perform an upgrade to the biometric system from a USB drive. ExpressLane then displays a bogus update screen for a period of time specified by the agent, while in the background the targeted biometric data is compressed, encrypted and copied to the officer’s USB drive. The contents of the USB drive are later extracted using a program called ExitRamp. As previously mentioned, ExpressLane automatically disables the biometric software after a certain period of time in order to make sure that the tool is constantly in use; this date defaults to 6 months but is extended when the tool is run on a target machine. Additionally, if an agent does not return with the ExpressLane USB drive within that period, the license for the biometric software expires.
The documents leaked by WikiLeaks date back to 2009 and contain instructions for Windows XP. It is unclear whether the tool is still in use or what updates have been made to it.