WikiLeaks has released further documents as part of its ‘Vault 7' leaks, a collection of stolen CIA hacking tools. Three manuals reveal the existence of BothanSpy and Gyrfalcon, projects “to infiltrate and exfiltrate SSH credentials”.
Both have different attack vectors, but BothanSpy target's Microsoft Windows via the SSH client, Xshell. It affects ongoing SSH sessions and transfers the data to an AES encrypted disk. This includes usernames and passwords or username, filename and private SSH keys for authenticated SSH.
BothanSpy can also extract that data to a CIA-controlled server and exfiltrate it there, or save an encrypted file for exfiltration later. The exploit takes the form of a Shellterm 3.x. extension. The document was updated as recently as 2015.
The name is a reference to the Star Wars trilogy, and the documents have tidbits like “Many Bothan spies will die to bring you this information, remember their sacrifice.”
Of course, the CIA has not stopped with Windows. Increasingly, users are using Linux, especially when it comes to web hosting and privacy conscious activities. Gyrfalcon targets the OpenSSH client on Linux, producing much the same results.
However, with Gyrfalcon, the CIA can not just steal logins, but execute commands on behalf of the user. It can capture not just active SSH sessions, but “full or partial OpenSSH session traffic”. It works on centos, rhel, suse, Ubuntu and more, installing via a CIA-made rootkit.
Both of these tools are designed for maximum stealth. According to the documentation, BothanSpy uses a “very paranoid approach” when collecting data.
Operation of the Linux tool is a bit more complex, requiring knowledge of bash, chs, and sh to operate. It requires root privileges to install, though they aren't required to execute after that.