27 July 2015
WikiLeaks Stratfor Emails Contain Malware
Hi Cryptome -
My name is Josh Wieder. You may remember me recently as one of the guys who
helped shut down one of the guys who has been circulating torrents posing
as Cryptome. I'm a systems administrator, and have been for about 10 years
now. Most of that time I have worked for data centers and hosting companies.
One of my responsibilities was helping to manage the abuse response for the
networks my companies leased; in practice this meant tracking down hackers
and spammers and mitigating the occasional DoS.
I am also a regular reader of Wikileaks (as well as Cryptome!). Back in March,
I decided to take a look at the Stratfor emails that Wikileaks got from Lulzsec.
Although Wikileaks first publicized the emails in 2012, they did not release
all of them until two years later. I thought I might find information that
was overlooked after the initial publicity wore off.
What I found, so far, was 18 email attachments infected with malicious software.
Most of the malware is embedded inside documents like PDFs, DOCs and Excel
spreadsheets. All of the programs allow those who read infected files to
be identified and tracked - one script for example scrapes Windows software
registration info like name and location and sends it to a remote server.
Interestingly, the email headers indicate that nearly all of the malware
originates from Stratfor employees. This is not spearphishing.
I tried to contact Wikileaks for over two months via email, the livechat
that is supposed to serve as how they receive leaks and finally publicly,
through Twitter. I received no response. Because of the lack of response
and the risk posed to activists and journalists by leaving these malicious
scripts available for download without any sort of warning, I went public.
Interestingly, Hector Monsegur - aka 'sabu' - the former leader of Lulzsec
and FBI informant who was reportedly involved with handing over the Stratfor
emails to Wikileaks, was one of the first people to publicly confirm my findings.
My findings have been verified by several respected news outlets - The Register
from the UK
Neue Zürcher Zeitung of Switzerland
I've been interviewed by several other newspapers that are working on features;
the I-team editor of one of those newspapers even sent a warning containing
my findings to the NICAR mailing list. You can confirm my findings directly
using the list of infected files available here:
because Wikileaks is publishing the malware file by file, confirming infection
using a tool like Virus Total or something similar would only take a few
I do not have a bone to pick with Wikileaks - however providing malware that
can identify the readers of leaked documents without a warning is without
justification. While technically savvy readers likely take precautions when
viewing these documents, they are taking precautions against third party
surveillance techniques and applications like XKEYSCORE; securing a computer
for analysis of active malicious software requires different precautions.
Finally, analysis of the malware - who designed it and how it circulated
- is of public interest all on its own. Taken at face value, the email headers
of several infected messages indicate that the wife of Stratfor's CEO was
circulating infected files as early as 2003. The continued presence of these
infected attachments strongly indicates that such intrusions were never
discovered, investigated and repairs: a stunning display of operational security
Please help me get the word out to activists and journalists as well as tech
folks who can help me research the malware iself. I am happy to provide
additional information and background to the best of my ability.
All the best,
PGP Public Key:
Fingerprint: Fingerprint=040C D852 0EAB 0FCB 5492 5DA0 D059 F15C D355 3EDC
Key ID: D3553EDC