Why did CIA create a bogus software upgrade? To steal data from FBI, NSA

WikiLeaks latest Vault 7 details the CIA's 'spy versus spy' Trojan.
Written by Liam Tung, Contributing Writer

The CIA installed ExpressLane to check up on whether fellow security services were sharing biometric data. (Image: CIA)

The CIA didn't trust its security service partners to share biometric information with it, so it created a bogus software upgrade to steal the data.

The data-stealing Trojan was created as part of a CIA project called ExpressLane, a piece of software installed by CIA Office of Technical Service (OTS) agents under the guise of upgrading the CIA's biometric collection system.

This biometric system is installed at the 'liaison services' or partners such as the NSA, Department of Homeland Security, and the FBI, according to WikiLeaks, which released the ExpressLane documents as part of its Vault 7 collection.

The CIA installed the biometric system at partner offices around the world and expected them to voluntarily share biometric data with the CIA.

Just in case they didn't, it installed ExpressLane to "verify that this data is also being shared with the Agency." It also had a feature to cut-off the liaison's access to the system if it didn't provide the CIA with access.

"The systems are provided to Liaison with the expectation for sharing of the biometric takes collected on the systems. Some of these biometric systems have already been given to the Liaison services. OTS/i2c plans to revisit these sites with the cover of upgrading the biometric software to perform a collection against the biometric takes," it noted in one document.

So that OTS agents could install the Trojan in the presence of partner agents, ExpressLane included a "splash screen with a progress bar" to look like an authentic Windows install.

OTS agents would install the software with a USB stick and could set the installation time of the update as well as a kill date before visiting the target.

Once installed the Trojan collects relevant files and stores them in a secret partition on a specially watermarked thumb drive that an OTS agent inserts during a subsequent maintenance visit.

The biometric system itself was provided by US identity management firm CrossMatch. It specifically didn't want the update to reference CrossMatch software.

It's unlikely this specific version of ExpressLane is still supported given the documents are dated 2009 and describe functionality for Windows XP.


Linux malware: Leak exposes CIA's OutlawCountry hacking toolkit

OutlawCountry malware sends traffic from Linux machines to the CIA's servers.

CIA's Windows XP to Windows 10 malware: WikiLeaks reveals Athena

WikiLeaks says the CIA's Athena malware can be used to spy on Windows XP through to Windows 10 computers.

CIA tools exposed by Wikileaks linked to hacking across 16 countries

The North American-based Longhorn group has been using espionage tools against foreign targets for a sustained amount of time, say researchers.

Apple to iPhone owners: We're working fast to block CIA's iOS hacks

The iPhone maker is working 'rapidly' to fix vulnerabilities exposed in Wikileaks CIA documents.

Editorial standards