Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Latest leaked CIA hack focuses on Apple's macOS, utilizes patched Thunderbolt EFI exploit

A second batch of CIA "Vault 7" documents published by WikiLeaks reveals some penetration methods for Mac hardware in-use by the CIA, none of which are wide-reaching, requiring physical device access to implement.

Thursday's dump, significantly smaller than the first, is Apple-oriented and covers some macOS vulnerabilities and attack vectors utilizing attacks on the EFI routines that control the boot process. "DarkSeaSkies" is aimed at the MacBook Air, and introduces an EFI injection called "DarkMatter" that will subsequently install a "SeaPea" kernel attack, and a "NightSkies" malware and keylogging pacakge.

The DarkSeaSkies package is delivered by a "Sonic Screwdriver" — either a USB flash drive or modified Thunderbolt to Ethernet adapter leveraging a Thunderbolt exploit that was first discovered in 2014, and patched in 2015.

An offshoot of "NightSkies" is also available for the iPhone dating back to 2008, and could be installed by "interdicting mail orders and other shipments" according to WikiLeaks — but is still not a remote attack.

Other documents from Thursday's release include the possibility of the "DerStarke" package used to attempt to break in to OS X Mavericks still under development, at least through part of 2016. It also addresses EFI compromise, but still appears less developed than the particular to MacBook Air "SeaPea" vector.

While WikiLeaks notes that the EFI exploits persist after a reboot, what they actually do is reinstall themselves after reboot if not mitigated. An Apple firmware update appears to purge the exploit permanently, until re-infected by someone with physical access to the machine.

The CIA's Center for Cyber Intelligence (CCI) responsible for the leaked computer intrusion methods purportedly has over 5000 members. The group has allegedly targeted more than 10,000 individuals world-wide, spanning iOS, Windows, and Android devices including smart televisions.

The previous reveal on March 7 spanned 8,761 files, and contained 14 iOS exploit and penetration methods. The latest dump is notable for being so specifically targeted at Apple hardware — a targeted release made by WikiLeaks for reasons only known to themselves.

However, as with the last WikiLeaks reveal, most AppleInsider readers aren't impacted. All of the leaked CIA attacks continue to not be a wide-spread net, with nearly all of the published exploits demanding physical access to equipment and time to install.