WikiLeaks releases Vault 7 “Dark Matter” Apple malware, with Doctor Who inspired “Sonic Screwdriver”


The latest set of documents released under the WikiLeaks Vault 7 disclosures, is called “Dark Matter”. The Dark Matter release contains several CIA tools that infected Apple Mac firmware, that allowed CIA software to be persistently present on Apple hardware. The malware had the capability to survive on the compromised machines and continue to operate even after operating system re-installs. The Dark Matter tools were developed by the Embedded Development Branch (EDB) of the CIA.


The most interesting among these tools is one inspired by the Sonic Screwdriver, a multipurpose tool seen in the BBC television series Doctor Who. The malware stores itself on a thunderbolt to lightning adapter, by modifying the firmware on the adapter. The Sonic Screwdriver allows for the execution of arbitrary code on peripheral devices connected to an Apple laptop or desktop, when the machine is booting. The malware can get around the protection on the firmware of the computers that Apple has put in place.


The malware resides on an ethernet to lightning adapter such as this one.

Sonic Screwdriver scans all attached devices, including USB drives, CD/DVD drives and external hard drives for a specified volume name. If the specified volume is found, then the malware will execute a UEFI boot of that device, allowing the CIA to load its attack software. Sonic Screwdriver kicks in so early in the boot cycle, that at times it does not even recognise all the drives connected to the device. This limitation can be bypassed by loading a Linux distro through the compromised adapter. The malware has been tested on 11-inch, 13-inch and 15-inch Apple laptops released in 2011 and 2012.

The next most scariest thing in the Dark Matter set of releases, is a malware known as NightSkies v1.2. The malware has been used back in 2008, and is designed to be installed directly on iPhones fresh from the factory. This means that the CIA had the capabilities to infect a device in the supply chain itself, at least from 2008. NightSkies functions as a loader, beacon or implant tool, specifically for the Apple iPhone 3G v2.1.


NightSkies could be used to monitor the browser history, YouTube video cache, map files, and the metadata of emails. The CIA had the capability to remotely retrieve call logs, SMS messages and address books. The malware had full remote command and control capabilities, and could install additional software on demand. The tool pretended to use the standard HTTP protocol for communications, to avoid detection. The implant was configured to update itself automatically, and could be used to run arbitrary code on the device.

The DarkSeaSkies is a persistent implant for the Macbook Air that contains DarkMatter, SeaPea and DarkSkies. The DarkMatter is the module that provides persistence on the device, SeaPea allows the malware to hide the processing, files and networking necessary for the operation of the covert tools, and DarkSkies acts as the beacon. For the malware to be active, the Macbook Air has to periodically connect to the internet, or else the Malware will delete itself.

Triton is an automated implant for the Mac OS X. The tool allows tasks to be remotely retrieved and executed on the machine. Der Starke 1.4 is a diskless, EFI persistent version of Triton. Other Vault 7 documents show that these tools continue to be updated and developed by the CIA.

The type of tools revealed by the Dark Matter disclosure, indicate that the CIA intercepted the Apple devices in the supply chain of their targets, opened up the packages, infected them with the malware, and then sent them on their way to their destinations.

This entry was posted in Apple, Technology, WikiLeaks and tagged , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s