OutlawCountry: CIA’s Hacking Tool For Linux Computers Revealed


Wikileaks has published fresh documents that deal with the CIA’s hacking and spying on Linux machines using a malware strain called OutlawCountry. The tool consists of a kernel module that creates an invisible netfilter table in which new rules can be created with the iptables command. Those rules can modify and redirect network traffic.
OutlawCountry’s prerequisites for operation are a compatible 64-bit CentOS/RHEL 6.x operating system (Linux 2.6 kernel) and shell access with root privileges on the target. The target must also have a “nat” netfilter table.

You can read further details about OutlawCountry in this user manual.


  1. Tomi Engdahl says:

    WikiLeaks Exposes CIA Targeting Linux Users With OutlawCountry Network Traffic Re-Routing Tool

    OutlawCountry starts out as a Linux kernel module (nf_table_6_64.ko) that gets loaded into the system and subsequently creates a new entry in the iptables firewall configuration. After the deed is done, the original kernel module is no longer needed, so it’s deleted.

    At this point, an attacker could run an iptables command to reroute all of the traffic through a designated CIA data mining server, allowing the agency to spy on user activities and communications. The biggest threat here isn’t winding up with the attack on a home PC, but more so a web server that could have thousands or even millions of people routing through it.

    Read more at https://hothardware.com/news/wikileaks-exposes-cia-targeting-linux-users-with-outlawcountry-network-traffic-re-routing-tool#k4lkMZ82OizucZvX.99

  2. Tomi Engdahl says:

    Wikileaks Reveals CIA Malware that Hacks & Spy On Linux Computers
    Friday, June 30, 2017 Swati Khandelwal

    WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating systems.

    Dubbed OutlawCountry, the project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems to exfiltrate and infiltrate data.

  3. Tomi Engdahl says:

    OutlawCountry Is CIA’s Malware for Hacking Linux Systems

    Shell access and root privileges are needed to install OutlawCountry, meaning CIA operatives must compromise machines via other means before deploying this malware strain.

    OutlawCountry redirects outgoing Internet traffic

    OutlawCountry uses the built-in packet filtering tools available in Linux, such as netfilter or iptables. An operative can

    When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.

    OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.

    An effective tool for spying on Linux servers

    OutlawCountry can be used for both servers and regular desktops, as it allows a CIA operative to redirect the target’s traffic to proxy servers under the CIA’s control and sniff the user’s Internet habits or mount other attacks.

    Obviously, more damage can be done if OutlawCountry is installed on a server, allowing an operative to sniff traffic from many users at once.

    The leaked OutlawCountry manual includes an MD5 hash for one of the kernel modules (nf_table_6_64.ko): 2CB8954A3E683477AA5A084964D4665D.

  4. Tomi Engdahl says:

    Wikileaks – CIA developed OutlawCountry Malware to hack Linux systems

    The OutlawCountry Linux hacking tool consists of a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.

    The principal limitation of the tool is that the kernel modules only work with compatible Linux kernels. Below is the list of prerequisites included in the documentation:

    (S//NF) The target must be running a compatible 64-bit version of CentOS/RHEL 6.x
    (kernel version 2.6.32).
    (S//NF) The Operator must have shell access to the target.
    (S//NF) The target must have a “nat” netfilter table

    The module allows the creation of a hidden Netfilter table with an obscure name on a target Linux user.

  5. Tomi Engdahl says:

    ‘OutlawCountry’ Tool Used by CIA to Target Linux Systems

    One of the tools used by the U.S. Central Intelligence Agency (CIA) to target Linux systems is named OutlawCountry, according to documents published by WikiLeaks.

    OutlawCountry is described by its developers as a tool that uses a kernel module to create a hidden netfilter table on the targeted Linux system. The operator can then use this table to create new firewall rules with iptables commands and these rules will take precedence over existing ones. The rules can be used to redirect traffic from the infected machine to one controlled by the attacker.

    OutlawCountry documentation dated June 2015 states that the tool’s user needs to have shell access and root privileges to the targeted machine. As for hiding on the infected system, the new rules created by the malware are only visible to an administrator who knows the name of the table, and the table is removed if the kernel module is deleted by the operator.

    Since the documentation specifically names CentOS and Red Hat Enterprise Linux as the operating systems on which the tool works, Red Hat has published an advisory for users who may be concerned about the impact of OutlawCountry.

    I’m concerned about the OutlawCountry exploit
    Solution In Progress – Updated Saturday at 3:16 PM – English

    Take action

    This issue is currently under investigation. For the meantime, end-users can look for the existence of the following file:

    File: nf_table_6_64.ko
    Size: 9672
    MD5: 2CB8954A3E683477AA5A084964D4665D

    When the module is loaded a hidden table named “dpxvke8h18” can be found within the iptable rules.

    Part of the attack documentation described a cleanup process to remove these traces from the system after the attack had concluded their operations.

    It is recommended that systems found with indicators of compromise should follow their organizational practices for Incident Response and react accordingly.
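The Red Hat advisory quoted above gives three indicators: the module file and its MD5, the module name as loaded, and the hidden table name. The following POSIX shell helper is an added example (not from the page, WikiLeaks or Red Hat) that checks all three; it assumes a Linux host with `lsmod`, `md5sum` and `/proc/net/ip_tables_names`, and the function names are my own.

```shell
#!/bin/sh
# Added detection helper for the OutlawCountry indicators quoted on this page.
# Indicator values are taken from the Red Hat advisory text above.
OC_MODULE_NAME="nf_table_6_64"
OC_MODULE_MD5="2cb8954a3e683477aa5a084964d4665d"   # page lists it in uppercase
OC_TABLE_NAME="dpxvke8h18"

# Does lsmod-style output (passed as $1) list the OutlawCountry module?
oc_module_in_lsmod() {
    printf '%s\n' "$1" | grep -q "^${OC_MODULE_NAME}[[:space:]]"
}

# Does /proc/net/ip_tables_names-style output (one table per line, $1)
# contain the hidden table? "iptables -L" only shows the filter table, but
# every registered IPv4 table is listed in that proc file.
oc_table_registered() {
    printf '%s\n' "$1" | grep -qx "$OC_TABLE_NAME"
}

# Does the file at $1 hash to the MD5 published for nf_table_6_64.ko?
# A renamed copy is still caught because only the content is hashed.
oc_file_matches_md5() {
    [ -f "$1" ] || return 1
    sum=$(md5sum -- "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z')
    [ "$sum" = "$OC_MODULE_MD5" ]
}

# Live scan of the running host; returns 0 when any indicator is present.
# Needs root to read /proc/net/ip_tables_names and to walk the whole disk.
oc_live_scan() {
    hit=1
    if oc_module_in_lsmod "$(lsmod 2>/dev/null)"; then
        echo "HIT: module ${OC_MODULE_NAME} is loaded"; hit=0
    fi
    if [ -r /proc/net/ip_tables_names ] &&
       oc_table_registered "$(cat /proc/net/ip_tables_names)"; then
        echo "HIT: hidden table ${OC_TABLE_NAME} is registered"; hit=0
        # root can then dump its rules with: iptables -t "$OC_TABLE_NAME" -S
    fi
    for f in $(find / -xdev -type f -name "${OC_MODULE_NAME}.ko" 2>/dev/null); do
        if oc_file_matches_md5 "$f"; then echo "HIT: known module at $f"
        else echo "NOTE: same name, different hash: $f"; fi
        hit=0
    done
    return $hit
}

if [ "${1:-}" = "--scan" ]; then oc_live_scan; fi
```

Run it as root with `--scan` to check a live host; the three check functions take text input so they can also be run against output collected from another machine.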
