wikiLeaks-scribbles-cia-whistleblower
Wikileaks has just published a new batch of the Vault 7 leak, exposing the documentation and source code for a CIA project known as "Scribbles."

Scribbles, a.k.a. the "Snowden Stopper," is a piece of software allegedly designed to embed 'web beacon' tags into confidential documents, allowing the spying agency to track whistleblowers and foreign spies.

Since March, as part of its "Vault 7" series, the Whistleblowing website has published thousands of documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).
Cybersecurity

The CIA itself described Scribbles as a "batch processing tool for pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (foreign intelligence officers) actors."


Here's How Scribbles Tool Works:


Scribbles is coded in C# programming language and generates a random watermark for each document, inserts it into the document, saves all processed documents in an output directory, and creates a log file that identifies the watermarks inserted into every document.

This technique works exactly in the same way as the "tracking pixel" works, where a tiny pixel-sized image is embedded inside an email, allowing marketers and companies to keep track of how many users have seen the advertisement.
wikiLeaks-vault7-scribbles
Using this tool CIA inserts a tiny uniquely generated file, hosted on a CIA-controlled server, to the classified documents "likely to be stolen."
Cybersecurity

So, every time the watermarked document is accessed by anyone, including potential whistleblowers, it will secretly load an embedded file in the background, which creates an entry on the CIA's server, containing unique information about the one who accessed it, including the time stamp and his/her IP address.
"It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document," Scribbles' user guide manual reads.


Scribbles Only Works with Microsoft Office Products


The user manual also specifies that the tool is intended for off-line preprocessing of Microsoft Office documents. So, if the watermarked documents are opened in any other application like OpenOffice or LibreOffice, they may reveal watermarks and URLs to the user.
According to the documentation, "the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]...documents that are not be locked forms, encrypted, or password-protected."
However, since the hidden watermarks are loaded from a remote server, this technique should work only when the user accessing the marked documents is connected to the Internet.

WikiLeaks notes that the latest released version of Scribbles (v1.0 RC1) dated March 1, 2016, which indicates it was in use up until at least last year and seemingly meant to remain classified until 2066.

More technical details of Scribble can be found in the User Guide.

So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on hacking exploits the agency designed to target iPhones and Macs, the "Marble" batch, and the "Grasshopper" batch that reveal a framework, allowing the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.