CIA Tools for Stealing SSH Credentials Exposed by WikiLeaks

WikiLeaks has published documents detailing BothanSpy and Gyrfalcon, tools allegedly used by the U.S. Central Intelligence Agency (CIA) to steal SSH credentials from Windows and Linux systems. A document dated March 2015 describes BothanSpy as a tool that steals credentials for active SSH sessions from Xshell, an SSH, telnet, and rlogin terminal emulator for Windows. In a mode its developers dubbed “Fire and Collect,” BothanSpy collects SSH credentials and sends them to the attacker’s server without writing any data to the compromised machine’s disk. In “Fire and Forget” mode, the stolen credentials are written to a file on the disk.
