WikiLeaks and the Marble Framework

This week, WikiLeaks released the CIA's Marble Framework.  As Rendition Infosec works with many organizations on security and threat intelligence, we have been fielding calls asking what the release means for businesses.  WikiLeaks suggests that the Marble Framework can be used to confuse analysts into attributing CIA malware to Russia or China.  Many of our customers (especially our international customers) are concerned that they may have misattributed past intrusions that were really the work of the CIA.

After a review of the code, Rendition Infosec assesses that the WikiLeaks analysis of the purpose of the code is incorrect.  The code in the Marble Framework appears to be used to obfuscate strings commonly found in malware, so that those strings are not visible in plaintext to analysts or to signature-based tools.  The presence of Russian, Farsi, Chinese, etc. strings in the source code does not demonstrate that the CIA tried to blame its hacking on foreign entities (as WikiLeaks claims).  It demonstrates that the CIA wanted to test the obfuscation framework on strings in those languages.  This might suggest that the CIA wrote custom malware for targets that use those languages, but that is all.

Is the release of the code significant?

The code release IS significant in that it allows the attribution of previously discovered malware to the CIA specifically.  It is likely that malware has been discovered previously which was not attributed to the CIA at the time, but can be now thanks to the release of the code.  Rendition Infosec is looking for patterns in the Marble Framework that would be useful for detecting malware that uses it.  Customers will be notified when those are available.

Ironically, while the Marble Framework could not have supported false flag operations in any way before it was released, it may well do so now.  Attackers can create malware today using the Marble Framework and backdate the compile timestamp in the binary's headers.  Malware using the Marble Framework is likely to be caught as antivirus vendors update their signatures to account for this code library.  Malware detected because it uses the Marble Framework will undoubtedly be linked to the CIA, even though there is no way to truly know when the malware was created.  So rather than disclosing false flag operations, WikiLeaks is actually enabling them.
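To make concrete how little a compile timestamp proves, here is a short Python example added to this post.  It is not code from the Marble Framework or from any real sample: it builds a constructed, minimal PE-style header in memory, reads the COFF TimeDateStamp field that analysis tools report as the "compile time", and rewrites it to a date years earlier.  The blob, the function names and the two dates are all illustrative assumptions.

```python
import struct
import datetime

# Constructed sample: a minimal DOS stub plus a "PE\0\0" signature and a
# 20-byte COFF file header.  It is not a runnable executable, only enough
# of a PE header to locate and edit the TimeDateStamp field (assumed layout
# per the PE/COFF specification: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics).
def build_sample_pe(timestamp):
    e_lfanew = 0x40                       # offset of the "PE\0\0" signature
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH",
                       0x14C,       # Machine: IMAGE_FILE_MACHINE_I386
                       1,           # NumberOfSections
                       timestamp,   # TimeDateStamp (seconds since 1970, UTC)
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0xE0,        # SizeOfOptionalHeader (PE32)
                       0x102)       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + b"PE\x00\x00" + coff

def coff_header_offset(data):
    """Return the offset of the COFF file header, validating the MZ/PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature at e_lfanew")
    return e_lfanew + 4

def read_timestamp(data):
    """Read the COFF TimeDateStamp (4 bytes at COFF offset 4)."""
    off = coff_header_offset(data)
    return struct.unpack_from("<I", data, off + 4)[0]

def set_timestamp(data, new_timestamp):
    """Return a copy of the image with the COFF TimeDateStamp overwritten.

    Nothing else in the file changes and no checksum or signature covers this
    field by default, which is why the value on its own is not evidence of
    when the binary was actually built."""
    buf = bytearray(data)
    off = coff_header_offset(buf)
    struct.pack_into("<I", buf, off + 4, new_timestamp)
    return bytes(buf)

def timestamp_utc(data):
    """Render the COFF timestamp as an ISO 8601 UTC string, as a triage tool would."""
    ts = read_timestamp(data)
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).isoformat()

if __name__ == "__main__":
    # Constructed dates: "built" 2017-04-01, then backdated to 2010-01-01.
    sample = build_sample_pe(1491004800)
    print("reported build time:", timestamp_utc(sample))
    backdated = set_timestamp(sample, 1262304000)
    print("after backdating:   ", timestamp_utc(backdated))
```

In real triage, treat the COFF timestamp as one claim among several and corroborate it: the first-seen date at your sandbox or a multi-scanner, the validity period of any code-signing certificate, and the separate timestamps in the debug and export directories are each forged independently, and a naive backdate often leaves them inconsistent with one another.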

The only malware we can attribute to the CIA with certainty is that which uses the Marble Framework but was detected in the wild prior to the public release of the framework.  Even then, that attribution relies on the (potentially incorrect) assumption that the Marble Framework code had not been shared with any other entities prior to its public release.  If, for instance, the Russian government were WikiLeaks' source of the Vault7 data, it would have had access to the Marble Framework before its public release and could have created malware using it, only to later blame the CIA for those operations.  All of this is a hypothetical example.  Rendition Infosec has no opinion on how WikiLeaks obtained the Vault7 data (it is insignificant from an infosec perspective).

On cyber attribution

Cyber attribution is a complicated activity and must take into account data from many different sources.  Even if we believed WikiLeaks' statement that the Marble Framework was used to perpetrate false flag operations, no professional Cyber Threat Intelligence (CTI) analyst uses a single data point (the strings in a piece of malware) to do attribution.  CTI analysts use many other data points when attempting to attribute an intrusion to a foreign actor.  Other data points that might be used include known coding patterns (ironically, such as the use of the Marble Framework), IP addresses and domains used for command and control, malware delivery methods, and operator tradecraft used once inside the target network.

Any competent CTI analyst will always tell you that attribution is tentative and subject to change over time with additional data.  WikiLeaks either didn't talk to any CTI analysts when it published its assessment or chose to ignore them completely.

Closing thoughts

One of our guiding principles at Rendition Infosec is to educate.  While our clients are of course our first priority, we take our commitment to educating the public seriously.  The team at Rendition sincerely hopes that this post helps clear up some confusion surrounding the release of the Marble Framework (and cyber attribution in general).  Given the number of news reports that simply parroted WikiLeaks' flawed (or intentionally misleading) analysis, we appreciate the opportunity to set the record straight.  The Washington Post was responsible enough to fact check its story before publication and ended up publishing a great piece on the Marble Framework release.  We've expanded on our contributions to that article for this post.

As always, if you need assistance with your information security, don’t hesitate to contact Rendition.  It’s about time you experience what it’s like to have world class infosec professionals in your corner.