Vault 7 - AngelFire
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
As with all of the other Vault 7 leaks, the tools in question are never released with the documentation, so it is highly unlikely that these tools would fall into the hands of malicious actors. The documentation does, however, provide insight into the capability of the CIA, highlighting what is possible and achievable for malicious actors who may attempt to create similar tools.
AngelFire is made up of five key components:
- Solartime: modifies the partition boot sector in order to load kernel code (Wolfcreek). The implant driver and boot code are stored in a small, encrypted, user-specified file on disk.
- Wolfcreek: the kernel code that is executed by Solartime. It is a self-loading driver that, once executed, is able to load other drivers and user-mode applications.
- Keystone: responsible for starting user applications. All processes are created as svchost. Keystone is fileless, leaving very little forensic evidence that the process ever ran.
- BadMFS: a covert file system that is created at the end of the active partition. The file system is used to store all drivers and implants that Wolfcreek will start.
- Windows Transitory File System: the newer method for installing AngelFire. Rather than having independent components on disk, the system allows the operator to create transitory files for specific actions, such as installation and adding or removing files from AngelFire.
There is a long list of known issues documented, which suggests that this may not have been one of the more robust projects targeting Microsoft Windows operating systems in the Vault 7 leaks. Some of the leaked documentation is dated 2011, so it is highly likely that more sophisticated tools have since been added to the CIA toolbox to affect more recent versions of Windows.
Remediation advice
Mitigation: Remediation steps
Last edited: 17 February 2020 11:40 am