Leak Reveals CIA ‘CherryBlossom’ Program Targeting Routers

WikiLeaks Dump Describes Custom Linux Firmware to Pwn Widely Used Routers

A new dump from WikiLeaks has revealed an apparent CIA project – code named “CherryBlossom” – that since 2007 has used customized, Linux-based firmware covertly installed on business and home routers to monitor internet traffic and as a stepping stone for exploiting targets’ devices.

Details of the CherryBlossom project were published Thursday by secrets-spilling organization WikiLeaks, as part of its ongoing series of “Vault 7” dumps of apparent CIA attack tools.

Previously leaked Vault 7 information, which dated from 2013 to 2016, described programs with such names as AfterMidnight, Athena, Dark Matter, Grasshopper, Hive, Pandemic and Weeping Angel. The identity of whoever leaked the information to WikiLeaks – and their motivation – remains unknown (see 7 Facts: ‘Vault 7’ CIA Hacking Tool Dump by WikiLeaks).

No Source Code

Unlike the “Equation Group” leaks of alleged NSA attack tools by the Shadow Brokers, the Vault 7 releases by WikiLeaks, including CherryBlossom, contain no source code or executable binaries. As a result, attackers cannot use the exploits referenced in the leak. But the leaked documentation does include indicators of compromise. As a result, as noted by the security researcher who tweets under the handle x0rz, potential victims can now scan their networks, as well as historical logs, for signs that they may have been exploited via CherryBlossom.
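The scan the paragraph describes amounts to matching published indicators of compromise against current traffic and retained logs. The script below is an added example and is not from the article or from the leaked documents; the indicator values in it are constructed placeholders (the real CherryBlossom indicators are not reproduced here), and the log format is an assumed squid-style proxy log with constructed sample lines. Swapping in the indicator set from the leak documentation and a real log feed is the only change needed to run it over historical data.

```python
"""Scan proxy/DNS-style logs for indicator-of-compromise hits.

Added example, not part of the original article. Every indicator below is
a constructed placeholder, not a CherryBlossom indicator from the leak.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder indicators. A real deployment loads the
# indicator list published in the leaked documentation instead.
IOCS = {
    "domains": {"ioc-placeholder-c2.example", "beacon-placeholder.example"},
    "ips": {"203.0.113.45"},                              # TEST-NET-3 range
    "cidrs": [ipaddress.ip_network("198.51.100.0/24")],   # TEST-NET-2 range
    "user_agents": {"IOC_PLACEHOLDER_UA/1.0"},
}

# Constructed sample log lines in an assumed proxy log format:
# <epoch> <client_ip> <method> <url> <dest_ip> "<user_agent>"
SAMPLE_LOG = """\
1497000001 10.0.0.12 GET http://intranet.example/index.html 10.0.0.5 "Mozilla/5.0"
1497000002 10.0.0.12 GET http://ioc-placeholder-c2.example/check 203.0.113.45 "IOC_PLACEHOLDER_UA/1.0"
1497000003 10.0.0.33 POST http://updates.example/api 198.51.100.77 "Mozilla/5.0"
1497000004 10.0.0.40 GET http://www.example/ 93.184.216.34 "curl/7.5"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass(frozen=True)
class Hit:
    line_no: int
    client_ip: str
    reasons: tuple  # which indicator classes matched, in check order


def domain_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without port or path."""
    m = re.match(r'^[a-z]+://([^/:]+)', url, re.I)
    return m.group(1).lower() if m else ""


def check_line(line_no: int, line: str) -> Optional[Hit]:
    """Return a Hit if any indicator matches this log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash the scan
    _ts, client, _method, url, dest, ua = m.groups()
    reasons = []
    host = domain_of(url)
    # Exact indicator domain or any subdomain of it.
    if any(host == d or host.endswith("." + d) for d in IOCS["domains"]):
        reasons.append(f"domain:{host}")
    if dest in IOCS["ips"]:
        reasons.append(f"ip:{dest}")
    try:
        addr = ipaddress.ip_address(dest)
        if any(addr in net for net in IOCS["cidrs"]):
            reasons.append(f"cidr:{dest}")
    except ValueError:
        pass  # destination field was not an IP address
    if ua in IOCS["user_agents"]:
        reasons.append(f"ua:{ua}")
    return Hit(line_no, client, tuple(reasons)) if reasons else None


def scan(log_text: str) -> List[Hit]:
    """Scan every line of the log text and collect indicator hits."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        h = check_line(n, line)
        if h:
            hits.append(h)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: client {hit.client_ip} -> {', '.join(hit.reasons)}")
```

Matching subdomains of an indicator domain and whole CIDR ranges, rather than only exact strings, is what makes a retrospective scan of old logs useful: infrastructure named in indicator lists is often reused under neighbouring hostnames and addresses, and a client that hits several indicator classes on one line (as the second sample line does) deserves the first look.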
