WikiLeaks released details on what it said is a Central Intelligence Agency document tracking program called Scribbles, part of the agency’s effort to keep tabs on documents leaked to whistleblowers and journalists. Scribbles allegedly embeds a web beacon-style tag into watermarks located on Microsoft Word documents that can report document analytics back to the CIA.
A user manual describing Scribbles said the tool can be used to generate batch copies of identical or unique files, each with distinctive watermarks that include a web beacon-like tag. A web beacon (or web bug) is a transparent graphic image that can be used to report back whether a document has been opened, along with the IP address of the computer that requested the image file.
According to WikiLeaks, Scribbles works exclusively with Microsoft Office documents. The tool, according to the user guide, has been “successfully tested” to work with Microsoft Office 2013 (on Windows 8.1 x64) and Office 97-2016 running on Windows 98 and above.
WikiLeaks’ copy of the CIA’s Scribbles user manual says the tool will not work on encrypted or password-protected documents. The CIA also warns that if a document with a Scribbles watermark is opened in an alternative document viewing program, such as OpenOffice or LibreOffice, the watermarks and URLs may be revealed to the user.
According to the alleged CIA documentation, the tool is for “pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (Foreign Intelligence Officers) actors.”
A CIA spokesperson declined to comment on this latest WikiLeaks release. Instead, the CIA reiterated a statement to Threatpost it made on March 8 regarding the initial Vault 7 dump by WikiLeaks.
“We have no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents. However, there are several critical points we would like to make.
“CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.
“It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”
A Microsoft spokesperson told Threatpost that, by design, Microsoft Office supports rich content, including elements loaded from network locations. “Customers using Office 365 or Office 2013 and newer are protected by default, as these documents will open in Protected View, which blocks network access,” the spokesperson said.
According to security expert Udi Yavo, CTO and co-founder of enSilo, Scribbles is taking advantage of a feature in Microsoft Office that allows users to embed remote objects, such as images, in documents. “Similar tracking mechanisms are used by document protection security companies in order to track them,” Yavo said.
He said Scribbles and similar tools such as web beacons are used by organizations to answer questions like: Did the document leak? Where was it opened? Who was the owner of the document that was opened? When was it opened?
Similar digital rights management products are sold commercially by firms like IntraLinks, which sells a tool called DocTrack, a file tracking service that gathers document analytics. Inserting web beacons into Word documents was also a technique described by the Privacy Foundation at the University of Denver Sturm College of Law in 2000. With the release of Office 2016, Microsoft introduced Data Loss Protection, a tool to prevent data leakage and manage file permissions. The tool offered admins the ability to track some document usage.
WikiLeaks contends Scribbles is intended for use against “insiders, whistleblowers, journalists or others.”
“Regarding privacy concerns, I don’t see here a major concern, since we are dealing with internal classified documents – they should be protected from data leakage,” said Omer Schneider, CEO of CyberX.
However, Schneider and Yavo point out that remote-object features in Office documents have been leveraged in several Office document-based attacks. “Sandworm leveraged this feature, as did the latest major Office vulnerability (CVE-2017-0199) with HTA files,” Schneider said.
(This article was updated 4/29/2017 at 9:30 a.m. ET to include Microsoft’s response to Threatpost’s request for comment)