Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
7.4 (U) Target Tracking and the “Derived MAC”
(S) To monitor a Target and perform Actions (Browser Redirect (Windex), Copy, VPN Proxy), a Flytrap must be able to distinguish that Target's network traffic from the network traffic of other users on a per-packet basis. The client MAC address is used for this purpose: each packet of network traffic passing through the Flytrap contains a client MAC address, but it does not necessarily contain the Target email address, chat user, or VoIP number. If the Flytrap detects a Target email address, chat user, or VoIP number in a network packet (see 15.4), the Flytrap records the MAC address of the associated client computer and then uses it to track that Target's network traffic. This MAC address is referred to as a "Derived MAC".

(S) It is important to note that whenever a Flytrap receives a new Mission (i.e., a Mission that is different from the one it is currently executing), it clears all of its Derived MAC Targets.
7.5 (U) Alerting
(S) In general, a Target detection (primitive MAC, email address, chat user, VoIP number, Derived MAC) will trigger the Flytrap to send an Alert to the CherryTree (CT), which may then forward that Alert and relevant information to the Sponsor's alerting system (e.g., Catapult; see 8.5).

(S) It should be reiterated that when a Target Alert happens, the Alert only indicates that the Target email/chat user/VoIP number was found in the traffic of the client with the indicated MAC address. It does not necessarily mean that the client with that MAC address is the owner of that email/chat user/VoIP number. The user, for example, could be sending an email to or receiving an email from a Target email user.
(S) Here are the Alerting rules built into the Flytrap:

Primitive MAC:
  - Upon initial detection of a primitive MAC, the Flytrap sends a (primitive) MAC Alert to the CT.
  - If there is no network activity from this primitive MAC address for the Mission-configurable "Session Timeout" (see 9.11.9), and then there is again network activity from this MAC address, the Flytrap sends another (primitive) MAC Alert to the CT.

Email/Chat/VoIP/Derived MAC:
  - Upon initial detection of a Target email address, chat user, or VoIP number, the Flytrap sends an email/chat/VoIP Alert to the CT, and the Flytrap begins tracking this Target via Derived MAC.
  - If there is no network activity from this Derived MAC address for "Session Timeout", and then there is again network activity from the Derived MAC address, the Flytrap sends a Derived MAC Alert to the CT.
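The tracking and alerting rules of 7.4 and 7.5 above, written out as an executable model. This is an added illustration and not Flytrap or CherryBlossom code: the Packet and Mission shapes, the alert tuple layout, the kind names (MAC, DERIVED_MAC, EMAIL, CHAT, VOIP) and the sample traffic are all assumptions constructed for the example. It shows the per-MAC session state that the rules imply, the single identifier Alert followed by Derived MAC tracking, the re-Alert after "Session Timeout", and the clearing of Derived MACs when a different Mission is loaded.

```python
"""Model of the Flytrap target-tracking and alerting rules (7.4/7.5).

Added illustration, not CherryBlossom/Flytrap code: Packet, Mission, the
Alert tuples and the sample traffic below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Alert = Tuple[float, str, str, Optional[str]]  # (time, kind, client MAC, identifier)


@dataclass(frozen=True)
class Packet:
    t: float                           # arrival time, seconds
    mac: str                           # client MAC address; present in every packet
    identifier: Optional[str] = None   # email/chat user/VoIP number seen in payload, if any


@dataclass
class Mission:
    mission_id: int
    primitive_macs: Set[str]
    identifiers: Dict[str, str]        # target identifier -> Alert kind ("EMAIL", "CHAT", "VOIP")
    session_timeout: float             # the Mission-configurable "Session Timeout" (9.11.9)


class Flytrap:
    def __init__(self) -> None:
        self.mission: Optional[Mission] = None
        self.derived: Dict[str, str] = {}      # Derived MAC -> identifier that produced it
        self.last_seen: Dict[str, float] = {}  # tracked MAC -> time of last activity
        self.alerts: List[Alert] = []          # everything sent to the CT, in order

    def load_mission(self, mission: Mission) -> None:
        # 7.4: a Mission different from the one currently executing clears all Derived MACs.
        if self.mission is None or mission.mission_id != self.mission.mission_id:
            self.derived.clear()
            self.last_seen.clear()
        self.mission = mission

    def process(self, pkt: Packet) -> List[Alert]:
        m = self.mission
        if m is None:
            return []
        new: List[Alert] = []
        prev = self.last_seen.get(pkt.mac)
        # "No activity for Session Timeout, then activity again" (or never seen) = fresh session.
        fresh = prev is None or pkt.t - prev > m.session_timeout

        if pkt.mac in m.primitive_macs and fresh:
            new.append((pkt.t, "MAC", pkt.mac, None))  # initial or post-timeout primitive MAC Alert
        if pkt.mac in self.derived and fresh:
            new.append((pkt.t, "DERIVED_MAC", pkt.mac, self.derived[pkt.mac]))

        ident = pkt.identifier
        if ident in m.identifiers and pkt.mac not in self.derived:
            # Initial detection of a Target email/chat/VoIP identifier: one Alert, then track
            # the client by MAC. Per 7.5 the MAC is only the client that carried the
            # identifier, which may be a correspondent of the Target rather than the Target.
            new.append((pkt.t, m.identifiers[ident], pkt.mac, ident))
            self.derived[pkt.mac] = ident

        if pkt.mac in m.primitive_macs or pkt.mac in self.derived:
            self.last_seen[pkt.mac] = pkt.t
        self.alerts.extend(new)
        return new


def run_scenario() -> List[Alert]:
    """Constructed traffic exercising each rule; returns the Alerts sent to the CT."""
    ft = Flytrap()
    ft.load_mission(Mission(1, {"00:11:22:33:44:01"}, {"target@example.com": "EMAIL"}, 300.0))
    traffic = [
        Packet(0.0, "00:11:22:33:44:02"),                          # untargeted client, ignored
        Packet(1.0, "00:11:22:33:44:01"),                          # primitive MAC first seen -> MAC Alert
        Packet(2.0, "00:11:22:33:44:02", "target@example.com"),    # EMAIL Alert; :02 becomes a Derived MAC
        Packet(100.0, "00:11:22:33:44:02"),                        # within Session Timeout, no Alert
        Packet(500.0, "00:11:22:33:44:02"),                        # idle 400 s > 300 s -> DERIVED_MAC Alert
        Packet(500.0, "00:11:22:33:44:01"),                        # idle 499 s -> second MAC Alert
        Packet(600.0, "00:11:22:33:44:02", "target@example.com"),  # already tracked, no new Alert
    ]
    for p in traffic:
        ft.process(p)
    # A different Mission clears the Derived MACs, so :02 is no longer tracked.
    ft.load_mission(Mission(2, set(), {"target@example.com": "EMAIL"}, 300.0))
    ft.process(Packet(700.0, "00:11:22:33:44:02"))
    return ft.alerts


if __name__ == "__main__":
    for t, kind, mac, ident in run_scenario():
        print(f"t={t:6.1f}  {kind:12s} {mac}  {ident or ''}")
```

The model makes two points that the prose leaves implicit: the "Session Timeout" is tracked per MAC and shared by the primitive and Derived MAC rules, and a Target identifier seen again from a client that is already a Derived MAC produces no further Alert, only the post-timeout Derived MAC Alert does.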