Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
• If the Target email address, chat user, or VoIP number has not been detected in
network traffic for “Session Timeout”, and then is detected again, the Flytrap
sends an email/chat/VoIP Alert to the CT.
(S) The Derived MAC Alert is useful in a scenario where a Target connects to a Flytrap,
generates an Alert (e.g., by logging in to an email/chat account), disconnects from the
Flytrap (i.e., leaves), and then returns at some later time. When the Target returns, a
Derived MAC Alert will be triggered (assuming the Target is using the same device and
the Flytrap is still executing the same Mission and has not been power-cycled) as soon as
the Target connects to the Flytrap – i.e., the Target does not need to log in to the
email/chat/VoIP account again for an Alert to be triggered.
(S) Still, Derived MAC Alerts should be treated with caution, because the device that was
used to trigger the initial email/chat/VoIP Alert may have changed hands, or may be a
fixed internet café computer that has multiple (Target and non-Target) users per day.
Note that CherryWeb provides some analysis capability for relating MAC addresses to
email/chat/VoIP Targets (see 7.8).
(S) Note that if alert forwarding to the Sponsor alerting system (e.g., Catapult) is enabled
(see 8.5), only (primitive) MAC, email, chat, and VoIP Alerts are forwarded – Derived
MAC Alerts are not forwarded.
(S) Alerts are also cached and resent, if, for example, the Flytrap cannot immediately
contact the CherryTree when a Target detection occurs.
7.6 (S) Target Monitoring after an Alert
(S) Target Monitoring is a Mission-configurable Flytrap feature intended to give a
near-realtime indication of whether or not a Target is using the Flytrap’s internet connection
(and hence is likely in the vicinity of the Flytrap). If the Flytrap is executing a Mission
with Target Monitoring enabled, when an Alert is triggered, at every Target Monitor
Interval (see 9.11.9) the Flytrap sends an “Active” or “Inactive” Target Monitor message
– “Active” implies that the MAC address that generated the Alert has had network
activity since the previous Target Monitor Interval; “Inactive” implies the converse.
Target Monitor messages cease when the Target has been Inactive for “Session
Timeout”. Note that Target Monitor messages are cached and resent in the same fashion
as Alerts.