
Vault 7: Latest CIA Leak Reveals ‘CherryBlossom’, a 10-Year Old Router Spying Firmware

CherryBlossom lets CIA operatives take control of a router and spy on it through a web interface. They can redirect traffic, target specific users, and send the collected data back to a server by disguising it as a browser cookie.


The CIA has been spying on your Wi-Fi connection and at this point, few people are surprised. This is the latest in a series of publications that reveal the full extent of the agency's capabilities. A previous release revealed an ‘undetectable malware' that uses Windows Update to reinstall itself. Others include a Windows 10 malware codenamed Athena and zero-day exploits for devices.

More surprising, however, is the scope of this framework. CherryBlossom is a firmware implant that lets the CIA monitor everything that happens on a connection. It can reach some models remotely, even if they have a strong password. It sounds pretty advanced, but in reality, it's been around for ten years.

What's more, CherryBlossom runs on 25 router models, and likely up to 100 with modifications. That includes major vendors such as D-Link, Linksys and Belkin. Once the CIA infects a router, it turns into a ‘FlyTrap' that connects to a CIA-controlled server, ‘CherryTree'.

From there it can intercept data, redirect browser pages to install malware, and target specific users. All of the data is encrypted and disguised as a browser cookie so that even technical users remain unaware. It was developed with the help of the US non-profit Stanford Research Institute.
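The article describes an implanted router that beacons to a command server and hides encrypted data in what looks like an ordinary browser cookie. As an added example (not from the article, not CherryBlossom code, and not based on the leaked documents), the Python script below sketches one defender-side heuristic over a constructed egress-proxy log: it flags HTTP flows that originate from the gateway's own address, carry long high-entropy cookie values, and recur at a regular interval. The log format, the sample lines, the gateway address and the thresholds are all assumptions.

```python
"""
Heuristic detector for router-originated HTTP beacons that carry an
encrypted blob in a Cookie header.  Added example for illustration only:
the log format below is constructed, and the thresholds are assumptions.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log: "<ISO timestamp> <src_ip> <dst_host> <method> <path> cookie=<name>=<value>"
SAMPLE_LOG = """\
2017-06-15T10:00:00 192.168.1.23 news.example.org GET /index.html cookie=session=abc123
2017-06-15T10:00:05 192.168.1.1 cdn-static.example.net GET /img/p.gif cookie=id=Z2k9x1Qm8bT4wL0aR7cN5eV3sY6hJ2dK
2017-06-15T10:05:05 192.168.1.1 cdn-static.example.net GET /img/p.gif cookie=id=Bq7Tz2Lm9vK4cX1nW8eR3aS5dF6gH0jP
2017-06-15T10:10:04 192.168.1.1 cdn-static.example.net GET /img/p.gif cookie=id=M3nV8bX2cL5zQ9kW1aE7rT4yU6iO0pA
2017-06-15T10:10:30 192.168.1.23 news.example.org GET /a.css cookie=session=abc123
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) cookie=(?P<cookie>.*)$"
)


def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for a constant string, close to log2(alphabet) for random data."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        cookie = m.group("cookie")
        # keep only the cookie value, so a short name does not drag the entropy down
        value = cookie.split("=", 1)[1] if "=" in cookie else cookie
        records.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src_ip": m.group("src"),
            "dst_host": m.group("host"),
            "cookie_value": value,
        })
    return records


def find_suspicious_beacons(records, gateway_ip, entropy_threshold=4.0,
                            min_cookie_len=16, min_requests=3, max_rel_jitter=0.2):
    """Return flows from the gateway itself whose cookies look encrypted and whose timing is regular."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src_ip"], r["dst_host"])].append(r)

    findings = []
    for (src, host), reqs in flows.items():
        # a router has no reason to browse the web; traffic from its own address is the first signal
        if src != gateway_ip or len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        entropies = [shannon_entropy(r["cookie_value"]) for r in reqs]
        # every request must carry a long, high-entropy value (encrypted or random-looking)
        if not all(len(r["cookie_value"]) >= min_cookie_len and e >= entropy_threshold
                   for r, e in zip(reqs, entropies)):
            continue
        # beacons tend to recur on a fixed timer; measure spread of the inter-request gaps
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0 or (max(gaps) - min(gaps)) / mean_gap > max_rel_jitter:
            continue
        findings.append({
            "src_ip": src,
            "dst_host": host,
            "requests": len(reqs),
            "mean_interval_s": mean_gap,
            "mean_cookie_entropy": statistics.mean(entropies),
        })
    return findings


if __name__ == "__main__":
    # assumed gateway address for the constructed network
    for f in find_suspicious_beacons(parse_log(SAMPLE_LOG), gateway_ip="192.168.1.1"):
        print(f)
```

Each of the three checks is weak on its own (CDNs set random-looking cookies, and some clients poll on timers), so the script only reports a flow when all three agree; tune the thresholds against a baseline of your own gateway's normal egress before relying on it.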

A Full Toolkit

Though CherryBlossom uses techniques similar to ones that have been in use for years, it's the dedication and development behind it that make it so powerful. It features a web UI, lists of mission tasks, command server support and more. The ‘quick start' guide for the firmware is 65 pages, which should give you an idea of its scope.

Also bear in mind that this is what the CIA was using ten years ago. It's likely things have progressed significantly since then as researchers discover new techniques and router manufacturers update their products.

Thankfully, the WikiLeaks documents did not reveal the source code of the exploits, unlike the Shadow Brokers NSA leaks. They did, however, detail some defense and detection mechanisms, so it's likely companies will be making statements on that soon.

You can read the WikiLeaks statement for yourself on the official site.

Ryan Maskell (https://ryanmaskell.co.uk)
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.
