It’s three a.m. Monday morning, and “Anita,” a twenty-four-year-old Ukrainian woman, has just finished cleaning the third-floor bathrooms at Bull Market Beariers (BMB), a Portland, Oregon hedge fund. She strips off her rubber gloves and fires up the coffee maker. Steve, the narcoleptic security guard, walks by and they exchange smiles. He won’t be back by for a half hour. Marta, Anita’s partner, is on the second floor, so Anita is by herself for a while. She walks into an office marked “Chet Jackson – Chief Information Officer,” turns on the light, sets her coffee down, takes a sandwich from her pocket, and sits down behind the desk. Casually, Anita reaches down, takes a USB drive on a lanyard from her pocket, wraps the cord around her wrist, inserts the USB drive, and turns on the PC. After another bite of sandwich and a sip of her coffee, she slides the keyboard over and types frantically for about thirty seconds. Then she kicks up her feet, slowly eats the rest of her sandwich, and pulls the USB drive out. The computer turns off by itself, and Anita gathers her wrapper and cup. She has more trash cans to empty tonight.
Bobby is sitting in a small unmarked office on the east coast. He checks his Linux listening post server in Estonia. Success! The agent program that Anita installed in Oregon came alive and started communicating with Bobby’s server. The server then sent executable programs to run on Chet’s machine, so that Bobby can take remote control later, and copied part of Chet’s hard drive. Bobby will have to take his time and be careful not to do too much at once, but as long as he is sure Chet isn’t watching, he can eventually install any of hundreds of tools at his disposal anytime Chet’s computer comes to life and ‘phones home.’ Depending on how much of the rest of the network that Anita has compromised, Bobby can eventually gain control of the entirety of BMB’s data, and at this rate, that won’t take very long.
The above scenario is fictional, but the capabilities are not. The USB drive that Anita carries has ATHENA on it, part of the ATHENA/HERA toolkit. ATHENA/HERA are tools developed by the CIA and a private security firm, as reported by Wikileaks in its most recent Vault7 document dump. Athena, which is for Windows XP through Windows 10 systems, and Hera, which is for Windows 8 through Windows 10, act as a remote beacon and loader on the victim machine. They can be installed via a Linux-based operating system designed to boot from a USB stick and can be configured to work in several ways.
First, these tools can be set to work alone in memory only. In this situation, it is likely that Athena/Hera will just copy or delete files or install malware, and leave little forensic evidence in their wake. They can also work in memory only with a command and control server over the internet, which will allow them to copy or load files from the server while Athena/Hera are active. Finally, Athena/Hera are also capable of being installed in such a way that the software runs anytime that Windows is running. When the victim machine boots again, the new code hides itself, pretending to be a standard Windows process, masks itself from most anti-virus software, and can announce itself to CIA listening post command/control servers via encrypted internet traffic. Then the remote system administrator can use the ATHENA/HERA client to download and execute any of hundreds of other programs in the Intel Community’s dirty trick toolkit, or delete or copy files from the victim at their leisure.
Athena/Hera is creepy stuff, especially as the CIA is working with private companies to develop these tools. The world has seen with the most recent Wannacry ransomware bloom, based on the NSA’s ETERNALBLUE exploit, that intelligence agencies are having a very hard time keeping their cyber weapons from falling into the hands of criminals. Adding private contractors to the equation can only make the maintenance of these cyber arsenals harder. These tools were active at least as recently as February 2016, and they could be out in the wild at any moment. If that is the case, leaving your computer unattended, even with a secure password, could make it a huge target for a hacker with Athena in their pocket.
The good news for LN readers is this. For Athena/Hera to copy/delete/install etc., it must be able to read your hard drive. If you use full disk encryption (FDE) on your machine, it will become considerably more difficult for the CIA or any other hacker to copy or otherwise modify your data if they aren’t logged in as you. The list of Windows FDE vendors is short but growing, and it is worth investigating. If switching to Linux isn’t a viable option for you, look into Windows full disk encryption.
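One way to check whether a Windows machine actually has the protection described above, as an added example that is not part of the original column (the function name is the author’s own; it assumes Windows 8 or later with BitLocker, run from an elevated PowerShell prompt):

```powershell
# Added example, not from the original column. Audits whether the OS volume
# is protected by BitLocker in a way that defeats the "boot a Linux USB stick
# and read the disk" scenario. Assumes Windows 8+, elevated prompt.
function Get-FdeAuditReport {
    [CmdletBinding()]
    param(
        # Drive letter of the OS volume; defaults to the Windows system drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the volume encrypted, and is protection actually switched on?
    #    ProtectionStatus 'Off' (e.g. suspended) leaves a clear key on disk,
    #    so an offline boot from USB can read everything.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume $MountPoint is '$($vol.VolumeStatus)', not FullyEncrypted.")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection on $MountPoint is '$($vol.ProtectionStatus)'.")
    }

    # 2. The key should be sealed to the TPM: booting another OS changes the
    #    boot measurements and the TPM will not release the key.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (-not ($types -like 'Tpm*')) {
        $findings.Add("No TPM-based key protector on $MountPoint.")
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("No recovery password protector; a TPM reset could lock you out.")
    }

    # 3. The TPM itself must be present and ready for use.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)).")
    }

    # 4. Secure Boot keeps the measured boot chain honest on UEFI systems.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add("Secure Boot is disabled.") }
    } catch {
        $findings.Add("Secure Boot state unavailable (legacy BIOS boot?).")
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        Protected        = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

Get-FdeAuditReport | Format-List
```

A clean report (Protected = True, no findings) means an attacker who boots the machine from their own USB stick gets only ciphertext; it says nothing about what they can do if they find the machine already unlocked.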
Until next time, stay vigilant.