WikiLeaks describes Hive as a “back-end infrastructure malware with a public-facing HTTPS interface,” used to transfer information from machines targeted by the CIA and to allow commands to be communicated in order to execute specific tasks on those machines.
To hide the presence of such malware, WikiLeaks notes that the public HTTPS interface (a protocol for secure communication over a computer network within an encrypted connection) “utilizes unsuspicious-looking cover domains,” meaning those targeted would be unaware of the CIA’s interference.
WikiLeaks notes anti-virus companies and forensic experts have noticed “possible state-actor” malware using similar back-end infrastructure, but were unable to connect the back-end to CIA operations.
The Hive documents released Friday may allow experts to examine this kind of communication between malware implants and backend servers, WikiLeaks says.
The CIA’s Hive project was created by its Embedded Development Branch (EDB). This branch was also responsible for projects detailed in WikiLeaks’ ‘Dark Matter’ leak, revealing the CIA’s attacks on Apple firmware.
A 2015 User Guide reveals the initial release of Hive was in 2010, and describes the software implant as having two primary functions – a beacon and interactive shell. Both are designed to provide an initial foothold to deploy other “full featured tools.”