More surprising, however, is the scope of this framework. CherryBlossom is an implant code that lets the CIA monitor everything that happens on a connection. It can reach some models remotely, even if they have a strong password. It sounds pretty advanced, but in reality, it’s been around for ten years. What’s more, CherryBlossom runs on 25 router models, and likely up to 100 with modifications. That includes big firms like D-Link, Linksys, Belkin and more. Once the CIA infects the router, it turns into a ‘FlyTrap’ that connects to a CIA-controlled sever, ‘CherryTree’. From there it can intercept data, redirect browser pages to install malware, and target specific users. All of the data is encrypted and disguised as a browser cookie so that even technical users remain unaware. It was developed with the help of US non-profit Stanford Research Institute.
A Full Toolkit
Though CherryBlossom uses similar techniques that hackers have utilized for years, it’s the dedication and development that makes it so powerful. It features a web UI, lists of mission tasks, command server support and more. The ‘quick start’ guide for the firmware is 65 pages, so that should give you an idea of its scope. Also bear in mind that this is what the CIA was using ten years ago. It’s likely things have progressed significantly since then as researchers discover new techniques and router manufacturers update their products. Thankfully, the WikiLeaks documents did not reveal the source code of the exploits, as with the Shadow Brokers NSA leaks. It did, however, detail some defense and detection mechanisms, so it’s likely companies will be making statements on that soon. You can read the WikiLeaks statement for yourself on the official site.
