Vault 7: CIA used fake software update to spy on NSA, DHS, FBI

As part of the Vault 7 software leak, WikiLeaks has just exposed ExpressLane, another CIA project used to secretly collect biometrics from fellow intelligence agencies such as the NSA, DHS and FBI. The cyber operation dates from 2009 and only works on Windows computers.

Disguising the operation as a software update, a CIA technician would visit the targeted organization to make sure the update was not declined and the tool was installed.

“ExpressLane 3.0 will overtly appear to be just another part of this system. It”s called: MOBSLangSvc.exe and is stored in \Windows\System32,” reads the most recent user guide published in 2009. “Covertly it will collect the data files of interest from the liaison system and store them compressed and encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system.”

The Office of Technical Services (OTS) within the CIA reportedly already had a system to collect biometric data shared with agencies around the world. The database may have been considered incomplete and partner agencies to be withholding information, since ExpressLane was used to extract data through its technical liaison service. The tool appeared to be part of the system and it set a kill date for 6 months as a default value.

“OTS/I2C [Office of Technical Service/Identity Intelligence Center] has an established effort to provide liaison services with a system that collects biometric information. ExpressLane v3.1.1, and supporting tools, was developed to support OTS/I2C in their efforts to verify that this data is also being shared with the Agency,” the manual says.