Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Gyrfalcon 2.0 SECRET//NOFORN
1 (U) Overview
(S//NF) Gyrfalcon 2.0 is a library loaded into the OpenSSH client process address space on Linux
platforms. Gyrfalcon also contains an application which communicates with the library via SYSV
message queues. The application compresses, encrypts, and stores the collected data into a collection
file kept on the Linux platform's file system. Gyrfalcon is capable of collecting full or partial OpenSSH
session traffic, including the user names and passwords of OpenSSH users. A third-party application that
provides communications between the Linux platform and listening post is required to transfer the
compressed, encrypted collection file. COG/NOD requested Gyrfalcon via IMIS 2012-0465.
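The overview above gives a defender two observable traits: a foreign shared object mapped into the OpenSSH client (`ssh`) process, and SYSV message queues carrying data between that library and its companion application. The following added example (written for this page, not code from the document or the tool) parses the two procfs files a responder would pull from a suspect host, `/proc/<pid>/maps` of an `ssh` process and `/proc/sysvipc/msg`, and reports mappings outside the system library directories and any live message queues. The trusted-prefix list and the sample inputs are assumptions constructed for illustration.

```python
"""Triage helpers for the two indicators described above: a shared object mapped
into the ssh client from outside the system library directories, and SYSV message
queues (the library/application channel). Sample inputs below are constructed."""

# Directories from which a stock distribution legitimately maps executables and
# libraries into an ssh process. Assumption: adjust for the distribution in use.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")

def unusual_mapped_objects(maps_text):
    """Return file-backed mappings from /proc/<pid>/maps whose path lies outside
    TRUSTED_PREFIXES, or whose backing file was deleted while still mapped."""
    found = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) < 6 or parts[5].startswith("["):
            continue                         # anonymous, [stack], [heap], [vdso] ...
        path = parts[5]
        suspicious = path.endswith("(deleted)") or not path.startswith(TRUSTED_PREFIXES)
        if suspicious and path not in found:
            found.append(path)
    return found

def sysv_msg_queues(sysvipc_msg_text):
    """Parse /proc/sysvipc/msg into (key, msqid, owner uid, queued messages) tuples.
    Kernel column order: key msqid perms cbytes qnum lspid lrpid uid gid cuid cgid ..."""
    queues = []
    for line in sysvipc_msg_text.splitlines()[1:]:   # line 0 is the column header
        cols = line.split()
        if len(cols) >= 8:
            queues.append((int(cols[0]), int(cols[1]), int(cols[7]), int(cols[4])))
    return queues

# Constructed sample inputs (not real captures): an ssh process with one library
# mapped from /var/tmp, and one message queue owned by uid 1000 holding 3 messages.
SAMPLE_MAPS = """\
55d0c0000000-55d0c0080000 r-xp 00000000 08:01 1441 /usr/bin/ssh
7f1a40000000-7f1a401c0000 r-xp 00000000 08:01 9921 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a40400000-7f1a40408000 r-xp 00000000 08:01 7731 /var/tmp/.cache/libhelper.so
7f1a40600000-7f1a40621000 rw-p 00000000 00:00 0
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_SYSVIPC_MSG = """\
       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime
 305419896          0   600           0          3  2201  2203  1000  1000  1000  1000 1700000000 1700000005 1699999990
"""
```

On a live host, feed `unusual_mapped_objects` the maps file of each process whose `/proc/<pid>/comm` is `ssh`; a message queue whose `lspid`/`lrpid` belong to an ssh process and an unrelated helper is the pairing worth investigating.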
2 (U) User Skill Level
(S//NF) The operator must obtain a thorough understanding of the Linux/UNIX command line interface
and shells such as bash, csh, and sh. Gyrfalcon assumes that the operator knows the standard operating
procedures for masking their activity within certain shells. For instance, if the operator is using the bash
shell on the Linux platform, then Gyrfalcon assumes they executed the following commands at the
shell's prompt before uploading, installing, and executing Gyrfalcon.
1. unset HISTFILE
2. export HISTFILE
3. HISTSIZE=0
4. export HISTSIZE
5. TERM=vt100
6. export TERM
7. PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin …
8. export PATH
(S//NF) Because Gyrfalcon is a Linux library and application, the operator needs to understand the
Linux computing environment to safely install and configure Gyrfalcon. Both the library and
application must be installed with root privileges; however, they do not need root privileges to execute
successfully on the Linux platform. Therefore, the operator must be confident with their understanding
of Linux to use root privileges and not muck up the Linux platform's configuration.
(S//NF) Gyrfalcon is designed to execute its collection efforts against the OpenSSH client under the
protection of the JQC/KitV root kit. The operator must be familiar with the JQC/KitV root kit on Linux
when installing the Gyrfalcon library, application, and configuration file.
November 2013 SECRET//NOFORN//20381126 1