New CIA 'Vault 7' leaks detail 'Achilles' and 'SeaPea' vulnerabilities for Snow Leopard, Lion
The latest WikiLeaks "Vault 7" data dump demonstrates a pair of exploits developed in 2011 for Apple's Snow Leopard and Lion operating systems, that still require root access to install.
The latest data purloined by WikiLeaks from the U.S. CIA's "Imperial" project actually shows workable exploits against older versions of Apple's Mac operating systems. The first detailed package, named "Achilles," was developed by the agency on July 15 2011 for use against Snow Leopard systems. It was created to be inserted into a legitimate disk image, and install at the same time as the legitimate application on the image.
The user will still need to authorize credentials for the package to install. Should the target have run any checksums against the disk image, they would fail. Additionally, if the original disk image had an associated user agreement, it would not pop up in the version with the trojan.
More information is available about the "SeaPea" launcher, even though the leaked document is apparently the original draft. Where "Imperial" was a vector to install an undefined payload, "SeaPea" works on Snow Leopard or Lion, and contains executable hiding features, as well as a way to reduce its footprint to traffic monitoring applications.
Based on the detail provided by the leaked document, dated July 8, 2011, "SeaPea" is a much more mature tool. However, rather than hiding in an executable, "SeaPea" appears to require installers to have physical access to the computer itself, or the ability to remotely execute a Python script plus root access.
Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 — about the same time as the "Achilles" data was updated.
Puzzlingly, Mac OS X 10.7 Lion was released on July 20, 2011, after the "SeaPea" document was crafted. The last update for Lion was made on October 4, 2012.
Thursday's leak does not contain any record of successful exploits undertaken with the tool, but the targeting necessary, or physical access to a device required limit wide-scale use of the exploits.
On March 7, 8,761 files were released by WikiLeaks alleging that the U.S. Central Intelligence Agency has a dedicated iOS, Windows, and Android exploit team, and failed to keep the attack vectors under lock and key. Later on Tuesday, Apple noted that "many" of the attacks had already been dealt with in the course of updating iOS.
A closer look at the Apple exploits following initial release showed a great deal of effort put into attacking Apple gear, but found what had been disclosed at that point to be rudimentary, non-functional, or proof-of-concept only. The releases on Thursday are the first evidence that the CIA had functional tools to use against Apple hardware owners.