BothanSpy & Gyrfalcon - Analysis of CIA hacking tools for SSH

BothanSpy and Gyrfalcon are alleged CIA hacking tools targeting various SSH (Secure Shell) implementations with the objective of stealing usernames, passwords, SSH keys, and SSH key passphrases. They are tools used after access has already been gained to the target machine - typically a user's desktop/laptop - and are used for stealing credentials that can then be used to spread the attack further into servers and other systems.

Information about these tools was released by Wikileaks on July 6, 2017, as part of their Vault 7 releases. Based on the analysis here, it is completely plausible they are genuine CIA tools.

These are two distinct tools, BothanSpy targeting a fairly esoteric SSH client on Windows and Gyrfalcon targeting the extremely widely used OpenSSH on Linux.

This analysis was written by Tatu Ylonen (twitter: @tjssh) based on information published by Wikileaks. He is the inventor of the SSH protocol. OpenSSH is based on his original SSH implementation.

Available Information

Wikileaks has published documentation for each tool. The tools themselves were not available for review. However, the documentation is detailed enough that the method of operation of the tools can be easily inferred.

The original Wikileaks release can be found here.

Objectives of the Tools

Each of the tools is intended for obtaining additional credentials (passwords, SSH keys) once the attacker has already penetrated a user's laptop or desktop using other methods. The obtained credentials will allow spreading the attack to further machines, particularly servers. It is well known that many organizations have very lax SSH key management practices and that compromise of even a single SSH key can in many cases lead to compromise of the entire server environment. This, of course, makes the tools very useful in preparing for destructive cyberwarfare as well as for gaining access for information exfiltration and disrupting the target's operations by inserting false information, evidence, or directives.

BothanSpy Detailed Analysis

The BothanSpy documentation is for version 1.0 and is dated March 2015.

BothanSpy collects credentials from running Xshell processes. Xshell is an SSH client primarily used in South Korea and the United States.

The attack works by injecting a dynamically linked library, BothanSpy.dll, into each of the Xshell processes it finds. This is said to be done using Wow64 injection, which is a well-known technique. Its description can be found, e.g., here.

Once the DLL is injected, it extracts the following credentials for each connection: user name and password for password authenticated connections; user name, private key file name, and passphrase for public key authenticated connections. While the private key file itself is not fetched by this tool, it is reasonable to assume that other tools are readily available to fetch the file (and most likely fetch it automatically). The really useful collected information is the passphrase, which is used to encrypt the private key file. Obtaining the passphrase on top of the file itself enables the attacker to log in to any server where that key grants access. The passwords and passphrases are the real targets of this attack tool.

The BothanSpy tool has been designed to be used together with the ShellTerm attack framework. This framework appears to provide covert communications with the attacker's command and control server, as well as, for example, DLL injection capabilities in its newer versions (3.0+). When used with ShellTerm, the DLL communicates directly with its Fire and Collect channel, avoiding writing any information to disk. This makes detection harder: anti-malware software that only inspects files written to disk will not detect it.

BothanSpy can also be used without a Fire and Collect connection, writing the credentials to disk for later transmission to its controllers. The files are AES-encrypted, but the details of how the encryption key is selected were not disclosed in the available information. This mode of operation could be used to run BothanSpy offline using any suitable offline attack framework. Stuxnet is an example of such a framework; however, there is no evidence these are connected in any way.

It is easy to surmise that BothanSpy injects the DLL into the Xshell process and intercepts one or more function calls that are called frequently, e.g., from a periodic timer. The function call(s) are redirected to the injected DLL, which then scans the data structures of the process to find the data structures for SSH connections and their credentials. All of these are well-known techniques and fairly easy to implement, probably with a few hours of work to inspect the data structures of the target process. In fact, I have used and documented a similar technique in a 1999 patent application for the legitimate purpose of intercepting network packets for implementing IPsec encryption.

In summary, BothanSpy appears to be a tool contracted to be built as a component of a larger framework around ShellTerm, but with the proviso that it can also be used independently. It does not break the SSH protocol or compromise its encryption. There are no zero-days involved. It instead compromises the SSH client process by injecting malicious code into it and reading the credentials from the memory of the SSH client process.

Gyrfalcon Detailed Analysis

The Gyrfalcon documentation is for version 2.0, dated November 2013. Version 1.0 documentation was also available, dated January 2013, but was not inspected for this analysis.

Gyrfalcon is designed to obtain credentials from OpenSSH running on various Linux distributions. Linux is the leading operating system used in the cloud and in public web servers. It seems likely that the attack tool could be easily adapted to run on any Unix variant.

The key components of Gyrfalcon are a server process and a DLL library that is loaded into the OpenSSH process. It uses an encrypted configuration file and encrypts collected data using AES. Apparently public key cryptography is used for encrypting the collected data such that only the operator can decrypt it. Additional tools are provided for creating encrypted configuration files and decrypting the output data.

Gyrfalcon appears to have been tested extensively on Linux distributions used in enterprises and the government. At least the Red Hat, CentOS, SuSE, Debian, and Ubuntu distributions are supported by the tool.

The basic interception works by preloading a DLL into the OpenSSH process. The manual contains detailed instructions on how to name the DLL as something that will look inconspicuous on the target machine; it masquerades as a GSSAPI DLL. While the DLL name could theoretically be used for detecting it, the name can be changed arbitrarily, probably without even recompiling the software. It also does not look like the DLL necessarily needs to be in /lib64. Presence of LD_PRELOAD in the process's environment would be a red flag, but even that could be avoided by replacing an existing DLL with the attack DLL; that would presumably require modifying the attack DLL to implement the replaced functionality and/or to also load the original DLL.

The documentation says that LD_PRELOAD must be added in the user's profile. This could also be done globally in /etc/profile on many systems to facilitate global interception of credentials for all users on the target machine, although this does not appear to be mentioned in the documentation.

The attack itself is very trivial and does not involve any advanced hacking techniques. Replacing functions by preloading a DLL is a well-established technique and I first saw it used in the mid-1990s for preloading memory allocation debugging libraries. One can surmise that once loaded, the library implements certain library functions the OpenSSH client calls during or after authentication, and uses these functions to capture full session traffic, including user names and passwords. It probably also intercepts some functions involved in processing session traffic to obtain access to sent and received unencrypted packets.
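As an added illustration of the detection side of this (example code written for this analysis, not Gyrfalcon or OpenSSH code): a host check that walks /proc and flags an ssh client process that has LD_PRELOAD in its environment or a shared object mapped from outside the distribution's library directories. The /proc content at the bottom is constructed; TRUSTED_LIB_DIRS and the GSSAPI-style file name are assumptions.

```python
import os

# Stock library dirs; a .so mapped into ssh from elsewhere (e.g. under $HOME) is suspect.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def env_from_environ(raw):
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    pairs = (item.split(b"=", 1) for item in raw.split(b"\0") if b"=" in item)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, v in pairs}

def suspicious_libs(maps_text):
    """Return mapped .so paths that sit outside the trusted library dirs."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # address perms offset dev inode pathname
        if len(fields) == 6 and ".so" in fields[5]:
            paths.add(fields[5])
    return sorted(p for p in paths if not p.startswith(TRUSTED_LIB_DIRS))

def assess_process(comm, environ, maps_text):
    """Findings for one process; only ssh clients are examined, [] means clean."""
    findings = []
    if comm.strip() != "ssh":
        return findings
    env = env_from_environ(environ)
    if "LD_PRELOAD" in env:
        findings.append("LD_PRELOAD set: " + env["LD_PRELOAD"])
    for lib in suspicious_libs(maps_text):
        findings.append("library mapped from untrusted path: " + lib)
    return findings

def scan_live_procfs():
    """Walk /proc on a real host; reading another user's environ needs root."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as c, open(f"/proc/{pid}/maps") as m, \
                    open(f"/proc/{pid}/environ", "rb") as e:
                found = assess_process(c.read(), e.read(), m.read())
        except OSError:  # process exited, or environ not readable by this user
            continue
        if found:
            results[int(pid)] = found
    return results

# Constructed sample: an ssh client with a GSSAPI-named library preloaded from $HOME.
SAMPLE_COMM = "ssh\n"
SAMPLE_ENVIRON = b"HOME=/home/alice\0LD_PRELOAD=/home/alice/.lib/libgssapi_krb5.so.2\0SHELL=/bin/bash\0"
SAMPLE_MAPS = ("7f1d2a000000-7f1d2a1c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f1d2a400000-7f1d2a420000 r-xp 00000000 fd:01 9012 /home/alice/.lib/libgssapi_krb5.so.2\n")
```

Running scan_live_procfs() on a host returns a pid-to-findings map; a library that has been swapped in place of a real one under /usr/lib, as the text notes, would not be caught by this path-based check and needs package integrity verification instead.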

The exact division of work between the application and the DLL remains a bit unclear. A reasonable assumption would be that the application handles configuration file reading, writing the output file, and encryption. In any case, that division of work is an unimportant implementation detail.

In summary, the attack tool is fairly unsurprising and unsophisticated. Its sophistication is more in the encryption of the configuration file and the results rather than the attack itself. The actual DLL implementation and credential interception in this manner could probably be implemented in a few hours to a few days. The software looks like a separately contracted tool built against a loose specification.

Interestingly, this version of Gyrfalcon does not appear to include integration with command-and-control systems. Also, it freely writes and changes files on disk. It performs several operations that could easily be detected as suspicious or anomalous by proper intrusion detection tools. It could have been implemented in a much more covert manner. Perhaps there was a lack of attention to such details because anti-malware software on Linux is still fairly uncommon. To some extent I find myself troubled by this lack of sophistication and lack of stealth. We have seen so much more sophisticated tools coming out from the intelligence community.

Also of some interest is the extensive attention paid to various enterprise Linux versions that are rarely used by individuals. This could suggest a focus on cyberwarfare, disruption, and commercial intelligence rather than targeting individuals or terrorist groups.

Gyrfalcon as an attack relies on the attacker already having root access on the target's client machine (typically a desktop or a laptop). It does not suggest compromise of the SSH protocol or its encryption in any way. Instead it compromises the implementation and just reads the data before encryption and after decryption.
These attack tools appear real. My professional judgement is that they are likely to work and were likely commercially contracted as independent development projects. They do not rely on any classified techniques or zero-days and there is nothing surprising about them. Perhaps the biggest surprise is how easily detectable the techniques used by Gyrfalcon are; there really has not been much attention paid to being hard to detect.

Neither of these tools suggests any compromise of the SSH protocol. They do, however, illustrate the strong interest intelligence organizations and other attackers have towards SSH credentials, including SSH keys. They are a primary way for hackers to spread within the target organization.

It seems completely feasible that these tools are actual CIA hacking tools. However, it is impossible to confirm that for sure based on the available information alone.