Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
Cherry Bomb Program Cherry Blossom System Requirements Specification Document
• (S) Target – a computer/person that should be monitored and at which exploits should be targeted. Flytraps use MAC address, email address, or chat username to detect/identify Targets.
• (U) Target Deck – a grouping of related Targets.
• (U) Mission – tasking and Target data given to a Flytrap in response to a Beacon.
• (U) Operation (formerly Customer) – a CherryWeb-defined entity around which Cherry Blossom system data is organized and to which this data is reported. System data can be compartmentalized according to Operation via assigning permissions to a User on a per-Operation basis.
• (U) Beacon – a periodic communication between a Flytrap and the CT, where the Flytrap indicates its status, security info, etc. to the CT. In response to a Beacon, the CT gives the Flytrap a Mission.
• (U) Alert – a communication sent from a Flytrap to the CT when the Flytrap has detected Target activity.
• (U) One-way Transfer – a process of packaging and moving Cherry Blossom system data to a secure computer.
• (U) Flash – (noun) non-volatile RAM where the system image and persistent configuration data is typically stored on devices.
• (U) Flash/Reflash – (verb) the process of upgrading a device with a new firmware image.

(S) The key element of the Cherry Blossom system is the Flytrap. In typical operation, a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain operation. After implanting has occurred, the wireless device is known as a Flytrap. The Flytrap will send a Beacon (according to parameters specified at Flytrap implant build time) to the CT to report status and retrieve a Mission. The CT logs all Beacon information (status info and security settings) from a Flytrap to a local database. Flytrap status, security info, etc. can be viewed using the web browser-based Remote Terminal (Cherry Web) user interface. All communications between a Flytrap and the CT are done through Sponsor-maintained PoPs.

(S) A Mission includes instructions on Targets to monitor, exploits to perform on a Target (e.g., copy traffic, proxy traffic, redirect browser), and instructions on when and how to send the next Beacon and retrieve the next Mission. Targets typically include email addresses, chat usernames, and MAC addresses (Roundhouse devices also support VoIP addresses). Missions are created using the web browser-based Remote Terminal (Cherry Web) user interface.

(S) Upon receipt of a Mission, a Flytrap will begin Mission execution, typically configuring the necessary software modules on the Flytrap, running the necessary applications, etc. This includes configuring the software to detect Target network activity and direct exploits at Targets. When the Flytrap detects a Target, it performs any Mission-configured exploits against that Target and sends an Alert to the CT. The CT will log the Alert to a local database and potentially distribute Alert information to interested parties (via sending an email to Catapult). Detailed Alert information can be viewed with Cherry Web.
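
For defenders, the periodic Beacon described above means a router or access point that itself initiates outbound connections at near-constant intervals, which can be looked for in flow logs. The following is an added example, not part of the original document; the flow-record layout, the IP addresses, the one-hour spacing and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, source_ip, destination_ip).
# 192.0.2.1 stands in for a wireless router's own address; every value is made up.
JITTER = [0, 4, -3, 2, 5, -1, 3, 0]
FLOWS = (
    # Router -> one external host, roughly hourly with a few seconds of jitter.
    [(1000 + 3600 * i + j, "192.0.2.1", "203.0.113.50") for i, j in enumerate(JITTER)]
    # Router -> another host at irregular times (e.g. update checks, NTP retries).
    + [(t, "192.0.2.1", "198.51.100.7") for t in (1200, 1260, 9000, 9100, 20000, 26000)]
    # An ordinary client behind the router; not an infrastructure device.
    + [(t, "192.0.2.23", "203.0.113.50") for t in (1500, 1501)]
)


def periodic_flows(flows, infra_ips, min_events=6, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for flows that originate from
    infrastructure devices and whose inter-arrival times are nearly constant,
    measured by the coefficient of variation (stddev / mean) of the gaps."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        if src in infra_ips:  # only traffic the device itself initiated
            times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:  # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits


if __name__ == "__main__":
    for (src, dst), interval in periodic_flows(FLOWS, {"192.0.2.1"}).items():
        print(f"{src} -> {dst}: regular interval of about {interval}s")
```

Because a Mission can change when the next Beacon is sent, the interval may shift over time; running the check over sliding time windows rather than the whole log keeps each window's gaps comparable.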