Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1. Scope
This document describes the user and system Concept of Operations for DarkSeaSkies 1.0.
1.1 System Overview and Description
DarkSeaSkies is an implant that persists in the EFI firmware of an Apple MacBook Air
computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space
implant.
DarkSeaSkies consists of three different tools:
1. DarkMatter: An EFI driver that persists in firmware and installs the other two
tools.
2. SeaPea: A Mac OSX kernel-space implant that executes, and provides stealth and
privilege to user-space implants.
3. NightSkies: A Mac OSX user-space implant that beacons to a listening post and
provides command and control.
This document describes the CONOP of DarkMatter, and that of SeaPea and NightSkies
only where they differ from their documented CONOPs. Refer to the SeaPea CONOP and
the NightSkies CONOPS for further information on those tools.
1.2 Assumptions and Constraints
It is assumed that the target system is a MacBook Air version 1,1 with firmware version
MBA11.0088.B03 running Mac OSX 10.5.2-10.5.x.
It is assumed that an operator or asset has one-time physical access to the target system
and can boot the target system to an external flash drive.
A constraint is that DarkSeaSkies will not persist in the event of a firmware update.
2. Applicable Documents
The following documents, of the exact issue shown, form a part of this CONOPS to the
extent specified herein. In the event of a conflict between the documents referenced
herein and the contents of this CONOPS, the contents of this CONOPS will be
considered superseding. The following documents may be found within
S:\DO\IOC\EDG ALL\EDG AE\Projects\:
• SeaPea CONOP, Rev. 2.0, November 2008
• NightSkies CONOPS, Rev. 1.2, November 2008
darkmatter+darkmatter+docs+DarkSeaSkies 1.0 CONOP_Rev New_2009-01-26.doc