Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
5.27 (U) Using VPN Link and VPN Proxy
(S) This section details usage of the VPN Link and VPN Proxy capabilities of the CB
system. VPN-related actions are available only on a limited number of devices. Section
5.11.3 discusses device support for VPN Link and Proxy actions.
(S) Figure 48 shows the CB architecture related to VPN actions. When a Flytrap begins
either a VPN Proxy Action or a VPN Link Action (i.e., through Mission tasking), it first
establishes an encrypted VPN tunnel to the CB VPN Server (CB-VPN). The CB-VPN
requires authentication to establish the VPN tunnel.
(S) NOTE: in general, a CB-VPN server could be located anywhere (as illustrated in
Figure 48). The CB team maintains a production CB-VPN server that is located behind
the sponsor firewall on the sponsor network (see the "CB Server/Sponsor Network
Diagram" in the "CB Installation Guide"). For this server, connections from the Flytrap
are proxied through a PoP to the CB-VPN server.
Figure 48: VPN Link/Proxy Architecture
(S) For the case of VPN Proxy, any proxied network traffic is first sent through the VPN
tunnel to the CB-VPN. For the case of a Proxy All Global Action, all TCP and UDP
traffic from any LAN/WLAN client of the Flytrap is sent through the tunnel. For the case
of a Target with a proxy action, as soon as the Target is detected, all of that Target's TCP
and UDP traffic is sent through the tunnel. The CB-VPN then handles the proxied traffic,
forwarding requests to the proper server. The green arrow path in Figure 48 shows a
typical case of a Target with a VPN Proxy Action making a request to google.com.
Instead of going directly from the Flytrap to the Google Server, the request is sent
through the tunnel to the CB-VPN, which then routes the traffic properly to the Google
Server. Note that the CB-VPN could run MITM software to exploit the Target's network
traffic.
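The proxy behaviour described above has an observable side effect from the upstream side: a gateway that normally talks to many unrelated destinations suddenly sends almost all of its bytes to one encrypted endpoint. The following is an added defender-side example, not code from the Cherry Blossom manual or its software, that scores flow records for that collapse. The flow records, the RFC 5737 documentation addresses and the thresholds are constructed for the example.

```python
"""Added defender-side example; it is not part of the Cherry Blossom manual or
its software. It flags a gateway whose upstream traffic has collapsed into one
encrypted endpoint, the observable side effect of the "Proxy All" behaviour
described above. Flow records, addresses and thresholds are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int, str]  # (dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Flow:
    src: str      # WAN-side address of the gateway under observation
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample (RFC 5737 documentation addresses). gw-A talks to several
# unrelated services; gw-B sends almost every byte to one UDP endpoint,
# the pattern a tunnel carrying all client traffic produces.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.10", "192.0.2.10", 443, "tcp", 5000),
    Flow("203.0.113.10", "192.0.2.11", 443, "tcp", 7000),
    Flow("203.0.113.10", "192.0.2.53", 53, "udp", 200),
    Flow("203.0.113.10", "192.0.2.12", 443, "tcp", 3000),
    Flow("203.0.113.20", "198.51.100.5", 1194, "udp", 40000),
    Flow("203.0.113.20", "198.51.100.5", 1194, "udp", 25000),
    Flow("203.0.113.20", "192.0.2.53", 53, "udp", 150),
    Flow("203.0.113.20", "192.0.2.99", 123, "udp", 100),
]


def bytes_per_endpoint(flows: List[Flow]) -> Dict[str, Dict[Endpoint, int]]:
    """Aggregate bytes by source address, then by destination endpoint."""
    table: Dict[str, Dict[Endpoint, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        table[f.src][(f.dst, f.dport, f.proto)] += f.nbytes
    return table


def tunnel_collapse_score(flows: List[Flow], src: str) -> Tuple[float, Endpoint, int]:
    """Return (share of bytes going to the top endpoint, that endpoint, total bytes)."""
    per_ep = bytes_per_endpoint(flows).get(src, {})
    total = sum(per_ep.values())
    if total == 0:
        return 0.0, ("", 0, ""), 0
    top_ep = max(per_ep, key=per_ep.get)
    return per_ep[top_ep] / total, top_ep, total


def flag_tunnel_collapse(flows: List[Flow], share_threshold: float = 0.9,
                         min_bytes: int = 10000) -> Dict[str, Endpoint]:
    """Sources whose traffic is dominated by one endpoint, with enough volume to matter.

    share_threshold and min_bytes are assumed tuning values; set them from a
    per-device baseline in a real deployment."""
    flagged: Dict[str, Endpoint] = {}
    for src in bytes_per_endpoint(flows):
        share, ep, total = tunnel_collapse_score(flows, src)
        if total >= min_bytes and share >= share_threshold:
            flagged[src] = ep
    return flagged


if __name__ == "__main__":
    for src, ep in flag_tunnel_collapse(SAMPLE_FLOWS).items():
        print(f"{src}: upstream traffic collapsed into {ep[2]} {ep[0]}:{ep[1]}")
```

A legitimate site-to-site VPN or a privacy VPN on the gateway produces exactly the same collapse, so this is a triage signal to compare against what the device did before, not proof of an implant. The MITM remark in the text is the reason the signal matters: once all client traffic leaves through a single tunnel, any server that terminates it sits in a position to inspect or alter that traffic, so the first follow-up is to confirm whether the endpoint is one the owner configured.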
[Figure 48 (image not reproduced). Components shown: Target; Implanted Wireless Device (Flytrap); Internet; Cherry Blossom VPN Proxy Server (CB-VPN); Sponsor Firewall; Command & Control Server (CherryTree); Sponsor Network; User Interface (CherryWeb); Google Server. Icon key: path to Flytrap LAN/WLAN via VPN Link; VPN Proxy of Google request; CB System Component; VPN Tunnel.]