New CIA Leak Reveals Ability to Infect Air-Gapped Systems

The CIA hasn’t been doing extraordinarily well, with leaks coming out of the organization like wildfire over the last few years. Most famous of these leaks was the Vault 7 incident where several documents from the agency came out of the woodwork, revealing advanced hacking methodologies, tools, and frameworks that could compromise a great deal of devices around the world.

A new leak on 22 June 2017 revealed that it could not only infect computers across networks but even infiltrate air-gapped systems at will using a couple of cunning tactics and a USB thumb drive.

Why Would You Want to Infect Air-Gapped Systems?


Air-gapping has been used for several years as a strong line of defense against outside infiltration. As networks become more convenience-centric, they become more vulnerable. To help counteract this, some companies and government institutions have completely removed sensitive systems from their networks, using them only as offline storage to be accessed only by select personnel.

As the CIA’s new leaks have proven, this is a highly-effective method of protection … until it isn’t anymore.

Since no entity really wants to spend an inordinate amount of resources on maintaining systems it doesn’t need, it’s a safe bet that the ones it air-gaps are full of secret data they do not want just anyone to access. This information usually consists of trade secrets, military strategies, unrevealed technologies, and anything else that is more important than a couple of credit card numbers.

How the Tool Works

The CIA tool, known as Brutal Kangaroo, relies on “hopping,” a method of replication where a virus writes itself and any relevant information onto a new platform. The idea here is to infect a networked computer, wait until an employee inserts a USB drive, write itself onto the platform, wait until the USB drive is inserted into an air-gapped computer, then grab any information of interest from the system. As soon as the USB drive is once again inserted into a networked computer, the virus will relay the information to the “controller,” allowing them to have a bird’s eye view of all air-gapped computers.

How to Prevent the Attack


Once your systems have been infected, there is no way to “unsend” the data that gets through. Once again, prevention is key. I’d recommend putting every networked system through a sanitation procedure where every single change is checked and accounted for (i.e. log every activity on each networked system, then go through the log just before transferring to an air-gapped system).

In addition to this, if you can, run your air-gapped system on something other than Windows (Brutal Kangaroo only runs on that operating system). If it’s just a database you’re storing and nothing else, you should get by just fine on Linux. Just don’t get complacent – Linux isn’t a magical weapon against hackers.

Minimize the amount of staff that is allowed to touch the air-gapped system and encrypt the file system whenever possible. Air-gapping by itself is just one of many tools in your arsenal. It should ideally be used in conjunction with several other safety procedures and policies that prevent your organization from looking like something made of egg shells.

Are there more things that organizations can do to prevent air gap infiltration? Tell us about it in a comment!

Miguel Leiva-Gomez
Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox