WikiLeaks has released the latest Vault 7 batch of CIA hacking exploits. ‘ELSA’ is malware used to track WiFi-enabled devices running Microsoft Windows, allowing the CIA to gather location data on a target’s device and monitor their patterns and habits.
ELSA tracks the geolocation of wifi-enabled devices, providing the CIA with a target’s “pattern of life,” by recording details about wifi access points near the target machine.
The malware allows the CIA to track a target’s location even when they’re not connected to the internet. All that’s needed is for the device to be wifi-enabled and in an area where wifi access points are in range. Using wifi for geolocation means GPS isn’t required.
ELSA was initially created in 2012, according to a 2013 user manual obtained by WikiLeaks. The manual is marked as ‘secret, noforn’ – meaning it’s not to be shared with other countries.
When the target device is connected to the internet, ELSA attempts to use public geolocation databases from Google or Microsoft to track the device’s location, and stores the longitude, latitude and timestamp in encrypted form on the device for the CIA to extract at a later time.
ELSA was developed by the Engineer Development Group (EDG), the division that manufactures the CIA’s hacking tools. The EDG is part of the Center for Cyber Intelligence (CCI).
ELSA differs from previous CIA Vault7 leaks in that the malware doesn’t beacon information from the target device back to a CIA server. Instead, the data must be retrieved from the device using other tools in the CIA’s collection of exploits and hacks. The manual doesn’t specify which particular tools are used to do this.
According to WikiLeaks, ELSA can be customized to suit the target environment and the objectives of the CIA. For example, the sampling interval, logfile size and persistence method can all be customized to suit the aims of the infiltration.
According to the manual, “some Anti-Virus (AV) suites such as Kaspersky and Rising protect critical system processes” from the injection technique used in ELSA. “Deploying ELSA to these systems requires careful system survey, targeting, and/ or cover application for processes vulnerable to this type of injection,” the manual explains.
ELSA is designed to be injected into an existing process on a device’s system. “It’s delivered in the form of a DLL,” the manual reads. A Windows DLL (Dynamic Link Library) is a library of code and data that can be used by more than one program at the same time. It helps operating systems and programs run faster and use less space.
ELSA also uses a configuration tool (patcher) and post processor. It uses the command-line tool, Microsoft Windows RegSvr32, to perform the installation.