From Waterboarding to Watermarking: CIA Implants MS Docs to Track Whistleblowers
The CIA is using a beacon that watermarks Microsoft Word documents to track whistleblowers, journalists, informants, and other targets of interest.
Every seven days WikiLeaks has been releasing CIA user guides for various spying, tracking, and hacking tools.
This week it released details of how the CIA is infiltrating Microsoft Word documents by adding a watermarking beacon in its latest Vault 7 dump.
CIA project Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a pre-seeded input directory. It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document.
In this way, the CIA can “embed ‘Web beacon’-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others.”
According to the user’s guide, “Scribbles is intended for off-line preprocessing of Microsoft Office documents. The Scribbles executable should be set up on a Windows system for batch preprocessing of documents that will be watermarked before being returned to their desired location(s).”
Scribbles worked successfully on versions of Microsoft Office 2013, but may work on other versions.
Microsoft Office 95 is not compatible and using other word processing software such as OpenOffice may actually expose the watermark.
“Please note that these watermarks have only been tested with Microsoft Office applications. If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user,” the guide reads.
Additionally, “Depending on whether the targeted end-user downloads a watermarked document file from an Internet file server, the Office application may open the document in ‘Protected View’ mode. In this case, the watermark URL will not beacon in until the user pushes the “Enable Editing” button.”
The latest version of Scribbles was dated March 1, 2016, and was deemed classified for another 50 years until 2066.