27 July 2015
WikiLeaks Stratfor Emails Contain Malware
Hi Cryptome -
My name is Josh Wieder. You may remember me recently as one of the guys who helped shut down one of the guys who has been circulating torrents posing as Cryptome. I'm a systems administrator, and have been for about 10 years now. Most of that time I have worked for data centers and hosting companies. One of my responsibilities was helping to manage the abuse response for the networks my companies leased; in practice this meant tracking down hackers and spammers and mitigating the occasional DoS.
I am also a regular reader of Wikileaks (as well as Cryptome!). Back in March, I decided to take a look at the Stratfor emails that Wikileaks got from Lulzsec. Although Wikileaks first publicized the emails in 2012, they did not release all of them until two years later. I thought I might find information that was overlooked after the initial publicity wore off.
What I found, so far, was 18 email attachments infected with malicious software. Most of the malware is embedded inside documents like PDFs, DOCs and Excel spreadsheets. All of the programs allow those who read infected files to be identified and tracked - one script for example scrapes Windows software registration info like name and location and sends it to a remote server. Interestingly, the email headers indicate that nearly all of the malware originates from Stratfor employees. This is not spearphishing.
I tried to contact Wikileaks for over two months via email, the livechat that is supposed to serve as how they receive leaks and finally publicly, through Twitter. I received no response. Because of the lack of response and the risk posed to activists and journalists by leaving these malicious scripts available for download without any sort of warning, I went public. Interestingly, Hector Monsegur - aka 'sabu' - the former leader of Lulzsec and FBI informant who was reportedly involved with handing over the Stratfor emails to Wikileaks, was one of the first people to publicly confirm my findings.
My findings have been verified by several respected news outlets - The Register from the UK
Neue Zürcher Zeitung of Switzerland
I've been interviewed by several other newspapers that are working on features; the I-team editor of one of those newspapers even sent a warning containing my findings to the NICAR mailing list. You can confirm my findings directly using the list of infected files available here:
because Wikileaks is publishing the malware file by file, confirming infection using a tool like Virus Total or something similar would only take a few minutes.
I do not have a bone to pick with Wikileaks - however providing malware that can identify the readers of leaked documents without a warning is without justification. While technically savvy readers likely take precautions when viewing these documents, they are taking precautions against third party surveillance techniques and applications like XKEYSCORE; securing a computer for analysis of active malicious software requires different precautions.
Finally, analysis of the malware - who designed it and how it circulated - is of public interest all on its own. Taken at face value, the email headers of several infected messages indicate that the wife of Stratfor's CEO was circulating infected files as early as 2003. The continued presence of these infected attachments strongly indicates that such intrusions were never discovered, investigated and repaired: a stunning display of operational security incompetence.
Please help me get the word out to activists and journalists as well as tech folks who can help me research the malware iself. I am happy to provide additional information and background to the best of my ability.
All the best,
PGP Public Key:
Fingerprint: Fingerprint=040C D852 0EAB 0FCB 5492 5DA0 D059 F15C D355 3EDC
Key ID: D3553EDC