The manual for "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone, indicates the tool had reached this version by 2008. It is designed to be physically installed onto factory-fresh iPhones, WikiLeaks said.
Video: Edward Snowden on how U.S. intelligence agencies interdict organizational supply chains to install malware https://t.co/1qovna2tUh — WikiLeaks (@wikileaks) 23 March 2017
The second tranche of documents from WikiLeaks' CIA trove, this one dubbed Vault 7: Dark Matter, contained material on how the spy outfit attacks Apple/Mac devices and was released overnight on Thursday.
The documents spell out how the CIA gains "persistence" on Apple/Mac devices, including Macs and iPhones, and also provide details on the use of EFI/UEFI and firmware malware.
One of the projects described in the latest leak is named Sonic Screwdriver. According to the CIA, it provides a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting".
This permits an attacker to boot attack software, for example, from a USB stick "even when a firmware password is enabled".
The Screwdriver gets stored on an Apple Thunderbolt-to-Ethernet adaptor where the firmware has been changed.
Another implant described is named "DarkSeaSkies". It persists in the EFI firmware of an Apple MacBook Air computer and consists of "DarkMatter", "SeaPea" and "NightSkies". These are respectively EFI, kernel-space and user-space implants.
Other documents included in this release provide details about the "Triton" Mac OS X malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke".
The DerStarke 1.4 manual dates to 2013, but other documents show the CIA continues to rely on it and update it; DerStarke 2.0 is said to be under production.
"While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organisation's supply chain including by interdicting mail orders and other shipments (opening, infecting, and re-sending) leaving the United States or otherwise," the organisation said.
Apple has been contacted for comment.