WikiLeaks Vault 7: Angelfire Framework Used by CIA to Spy On Windows Machines

Indian organisations endangered due to high usage of old Windows OS


Wikileaks has published another set of files dubbed “Angelfire” as a part of their Vault 7 project. The leak reveals a framework used by the CIA to infect machines using older versions of Windows operating systems, Windows XP or Windows 7.

Angelfire is a set of 5 tools named as Solartime, Wolfcreek, Keystone, BadMFS, and the Windows Transitory File system.

SolarTime modifies the partition boot sector (The place in a hard drive that tells your computer where the operating system files are and how to execute them) of the system allowing CIA to inject code in even before the operating system boots up. This injected code further modifies the Windows processes which gives the CIA access to the hard drive every time a system starts up.

Wolfcreek is the injected code that is executed by Solartime. It is a self-loading master process that can be further used by the CIA to modify the machine’s processes and applications.

Keystone is the framework that is used to load malicious code on the targeted systems without getting it anywhere near an antivirus solution. It injects the code can directly on the memory without even touching the file system making it completely untraceable.

BadMFS keeps a log of every malicious implant, drivers or executables activated by WolfCreek

Windows Transitory System is used by CIA to create files for specific actions including installation, adding files to Angelfire or removing files from Angelfire.

Ankush Johar, Director at, said: "“From Wikileaks Vault7 leaks, one thing is certain, snooping into consumer’s private data is achievable. The security of people lies in their own hands. People should take data privacy seriously if they want to secure their data.

“A huge chunk of Indian organisations are still using Windows 7  if not Windows XP. This majorly includes Governmental bodies but not limited to them alone. Small-medium sized business are also using these older versions of the OS.

"If the CIA can allegedly hack into these devices then so can a malicious hacker as seen in the case of Wannacry. This comes as a red flag to all those corporations that are still using the soon to be discontinued Windows 7 or even worse Windows XP”

“The simplest way of protecting your online data is assuming that you are already being snooped on. This will make you cautious enough to simply avoid sharing critical data on an insecure channel."

Consumers are advised to take the following necessary measures:
* Install all updates available on your device when prompted to do so
* Do not connect to unknown WIFI networks
* Create strong alphanumeric passwords and never repeat passwords for different accounts.
* Never click on any unknown attachments or links.
* Do not fall for fake calls impersonating your bank or any other organization.

Organisations should take the following measures to ensure that their network is proof from infiltrators:
* Upgrade all machines to the latest versions of Windows 8.1/10.
* Any outdated machine in the network infrastructure to be disconnected right away. A single mistake can compromise your entire network.
* Latest patches must instantly be deployed across the company.
* All pirated / un-patched / outdated devices to be removed (read unplugged) from the network instantly.
* Employees to be trained to detect and protect against Phishing and other such scams.
* Anti-viruses ensured to be in place and updated.


Around The World