Phillip David Stearns

A selection of software retail package designs made for the CIA’s Center for Cyber Intelligence cyberweapons from the Vault 7 leaks published by WikiLeaks.

Unknown to most of the population, were are in the midst of a rapidly escalating global cyberwar. This war isn’t one with clearly defined borders or groups. Rather, there is a diverse ecology of individuals, criminal groups, private organizations and companies, state sponsored groups, and government intelligence organizations all operating with their own agendas.

Cyberwarfare involves the deployment of cyberweapons, or weaponized software also known as malware, against targets. The motivations are as diverse as those operating on the frontlines. High profile attacks covered by the media have resulted in power outages in Ukraine, Internet Outages in Libya, Destruction of Uranium Enriching Centrifuges in Iran, Ransomware attacks on British National Health Service, Internet Service disruptions due to Distributed Denial of Service Attacks on DYN’s Domain Name System servers to attacks on voter registries in the US as well as phishing attacks on US and French presidential campaigns.

The boxes in this project represent only a handful of actual cyberweapons developed by the CIA. Knowledge of the CIA’s cyber arsenal was first made public by Wikileaks on March 7th, 2017:

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized „zero day“ exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

„Year Zero“ introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of „zero day“ weaponized exploits against a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.” —

Many of the CIA cyberweapons revealed by the leaks were in active development as recent as 2015. In addition to having extensive research capabilities for seeking out vulnerabilities and developing its own exploits, there is evidence that the CIA was actively collaborating with Britain’s Mi5 as well as tapping into research done by broader Information Security and hacking communities.

The CIA isn’t alone in developing cyberweapons. There is a growing cyber arms market, with several hundreds of companies globally developing and peddling cyberweapons and cyber security services. A recent article by the New York Times Magazine covering the Italian group Hacking Team reveals that many of these companies operate in obscurity, selling their wares directly to governments, not all of whom have clean human rights abuse records.

The Vault 7 leaks are significant, not only because they reveal the scope of the CIA’s involvement in developing cyberweapons, but that they lost control of the arsenal. Knowledge of these vulnerabilities and exploits could easily spread to malicious actors who could then deploy widespread cyber attacks as evidenced by the recent ransomware attacks on the NHS. The WannaCry ransomware attack is a direct result of a leak by the hacking group Shadow Brokers of a ZeroDay exploit developed by the NSA targeting the Windows operating system.

Cyberarms deals do not involve the exchange of physical equipment like conventional arms deals. Agreements happen over encrypted channels, oftentimes using cryptocurrency. These activities are kept far from the public eyes. The most common way for this information to reach the public is through leaks, like

Vault 7 and others. However, the highly technical and immaterial nature of cyberwarfare create barriers to broad efforts to increase public awareness of the dynamics behind the headliner attacks.

This collection of software boxes imagine what these cyberweapons might look like if sold in a public commercial space using some of the visual language of cultural tropes referenced, hinted at, or suggested by their names. They are relics of an imagined future present.

Featured Tools:

Archimedes 1.3 – a proactive capability used to redirect LAN traffic from a target’s computer through an attacker controlled computer before it is passed to the Internet gateway, enabling the tool to inject a forged (HTTP) web-server response that redirects the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal Internet browsing session.

Weeping Angel – an implant designed for Samsung F Series Smart Televisions, designed to record audio from the built-in microphone and egress or store the data. It’s built on top of the EXTENDING tool developed by the MI5/BTSS [British Security Service]. Weeping Angel the result of a coordinated group effort between the CIA and the MI5/BTSS through the Joint Development Workshops.

AfterMidnight 1.2 – is an infiltration platform that self-persists as a Windows Service DLL running from inside the netsvcs svchost.exe process. It provides secure execution of malware payloads, or “Gremlins”, via a HTTPS based Listening Post (LP).Gremlins run hidden on target and either subvert the functionality of target software; provide survey and exfil functions; or provide internal service or support for other gremlins.

RockyBobby 4.0 – is a lightweight implant for target computers running newer versions of Microsoft Windows and Windows Server. The RickyBobby implant enables attackers to upload and download files and execute commands and executables on the target computer without detection as malicious software by personal security products.

HarpyEagle – A project established by the CIA’s Information Operations Agency Embedded Development Branch to explore and exploit security vulnerabilities on Apple Airport Extreme and Time Capsule networked devices. The goal is to implant a persistent rootkit on the devices thus enabling a platform for deploying infiltration software on target networked devices.

BaldEagle – A project established by the CIA’s Information Operations Agency Embedded Development Branch, BaldEagle is a local user-to-root privilege escalation exploit within the Hardware Abstraction Layer (HAL) daemon. This exploit is available on Linux and PC-BSD platforms with the hald process running.