CIA Implants Steal SSH Credentials From Linux & Windows Devices: WikiLeaks

The whistleblowing platform WikiLeaks is back with another batch of Vault 7 related documents exposing the alleged hacking tools and programs used by the American Central Intelligence Agency (CIA) to hack and spy on users worldwide.

This time, WikiLeaks has dumped the details of two more hacking tools as part of its Vault 7 series. Like last time, the hacking tools are meant for attacking Linux and Windows platforms and use a similar technique to perform cyber espionage on an unsuspecting user.

The documents under discussion describe the BothanSpy and Gyrfalcon implants, developed and used by the CIA to “intercept and exfiltrate SSH credentials” from Linux and Windows devices.


One of the hacking tools is called BothanSpy and targets Windows systems. The tool is after the SSH credentials used on the victim's machine and steals them by infiltrating the Xshell client on Windows.

SSH (Secure Shell) credentials include the secret keys that can be used to gain remote access to a system. Stealing them means the CIA can get its hands on these keys and remotely hijack the systems they grant access to.

The credentials also include a person’s username and password along with the details associated with the SSH key for every SSH session.

Once the tool is activated, it exfiltrates the captured data directly to one of the CIA's servers. No internal hardware of the victim's computer is affected; alternatively, the data can be saved in an encrypted file for later collection.


The next tool revealed is called Gyrfalcon. It is meant for Linux platforms, including CentOS, RHEL, Debian, SuSE, and Ubuntu.

A custom toolkit, built by the CIA, is needed to install the tool on a victim's computer. Like BothanSpy, Gyrfalcon also looks for SSH credentials, and with them the means to remotely spy on a victim.

However, in addition to that, it can steal either the complete or partial session traffic generated through OpenSSH.

The collected data is again stored in an encrypted file for later exfiltration.
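Both implants described above are after the SSH keys and session data held by an SSH client, and a private key stored without a passphrase is usable the moment it is copied off the machine. The following added example, which is not from the WikiLeaks documents or from the tools they describe, audits key files for that weakness by inspecting only the container format: the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys and the cipher name in the `openssh-key-v1` header. The sample key files are constructed inline and carry no real key material.

```python
"""Audit SSH private key files for missing passphrase protection.

Constructed example: it classifies key containers by format only and never
parses or decrypts key material. A 'plaintext' verdict means a credential
stealer that copies the file gets a directly usable key.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for a PEM-armoured key.

    Handles the two on-disk formats ssh-keygen writes: the legacy PEM form,
    where encryption is signalled by a 'Proc-Type: 4,ENCRYPTED' header, and
    the openssh-key-v1 container, where encryption is signalled by a cipher
    name other than 'none' at the start of the binary blob.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
        except Exception:
            return "unknown"
        if not raw.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, _ = _read_string(raw, len(OPENSSH_MAGIC))
        return "plaintext" if cipher == b"none" else "encrypted"
    if "PRIVATE KEY" in header:
        if "ENCRYPTED PRIVATE KEY" in header:  # PKCS#8 encrypted form
            return "encrypted"
        # Legacy PEM: optional headers come before a blank line
        for l in lines[1:]:
            if l == "":
                break
            if l.startswith("Proc-Type:") and "ENCRYPTED" in l:
                return "encrypted"
        return "plaintext"
    return "unknown"


def _openssh_container(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 container (constructed, no real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample files standing in for ~/.ssh contents; no key material.
SAMPLE_KEYS = {
    "id_ed25519_plain": _openssh_container(b"none", b"none"),
    "id_ed25519_pass": _openssh_container(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_plain": ("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
                            "-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_legacy_pass": ("-----BEGIN RSA PRIVATE KEY-----\n"
                           "Proc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
                           "\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
}


def audit(keys: dict) -> dict:
    """Map each key file name to its classification."""
    return {name: classify_private_key(text) for name, text in keys.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_KEYS).items():
        print(f"{name}: {verdict}")
```

Run against a real `~/.ssh` by reading each file's text into the dictionary; any `plaintext` result is a key worth re-creating with a passphrase (or moving to an agent or hardware token), since passphrase protection is what keeps a copied key file from being immediately usable.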

Why Linux?

Recently, the Vault 7 series featured another hacking tool called OutlawCountry, which was also meant for Linux machines. Exactly why the CIA targets Linux alongside Windows is not known.

That tool is yet another method of exfiltrating data: it intercepts outbound network traffic and redirects it to the CIA for analysis.

Windows knock-out

The majority of the hacking tools target vulnerabilities in the Windows platform that allow the CIA to conduct a range of operations, from spying to wiping out an entire system, as in the WannaCry incident.

Last week, WikiLeaks revealed documents related to ELSA, yet another tool that exploits certain vulnerabilities in Windows to determine the exact location of a computer by detecting nearby public Wi-Fi hotspots.
