Bothan Spy Steals SSH Keys to Attack an Enterprise’s Death Star

In a series of recent revelations made by WikiLeaks, the site has exposed a new set of tools commonly used by United States’ top foreign intelligence service, the CIA, to attack Windows and Linux computers. The BothanSpy and Gyrfalcon projects, named after famous Star Wars characters, are used to intercept and steal SSH credentials from Windows and Linux devices respectively.

According to the leaked documentation, BothanSpy is an implant that targets Xshell, a Windows terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL. Xshell must have active sessions for the tool to exfiltrate credentials. In the case of password-authenticated SSH sessions, the tool targets usernames and passwords. In the case of public-key-authenticated sessions, the tool targets usernames, the filenames of private SSH keys and the key passphrases.


The stolen credentials can then be retrieved in one of two modes: F&C (Fire and Collect) and F&F (Fire and Forget). In Fire and Collect mode, the collected credentials are sent to a CIA-controlled server by copying a malicious script to the attack location and opening a shell there. In scenarios where F&C is not possible, Fire and Forget mode lets the attacker write the collected credentials into AES-256 encrypted files on the target machine, to be retrieved later. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

As for the Gyrfalcon project, the tool can not only steal the credentials of active OpenSSH sessions but can also capture full or partial OpenSSH session traffic. The majority of popular Linux distributions, including CentOS, Debian, RedHat, openSUSE and Ubuntu, are affected by this tool. The Gyrfalcon package contains an application, a library and a configuration file, which must be installed with root privileges for the tool to work effectively.

Apart from logging SSH sessions, the Gyrfalcon operator can also execute commands on behalf of the legitimate user, which the attacker can then use to end the data collection. The collected data is encrypted and stored on the target machine's disk for later retrieval. Gyrfalcon is installed and configured on the target machine using a CIA-developed rootkit (JQC/KitV) for persistent access.

What Next?

Are we going to see hackers build new ransomware based on these vulnerabilities?

Yes, definitely.

Are we going to patch these vulnerabilities and safeguard ourselves from future attacks?

Known attacks – Yes, but we can’t predict the outcome for unknown attacks.

Is the leaked documentation going to do any good for enterprises interested in strengthening security?

The answers depend on their actual understanding of the vulnerability.

So, what do the above attacks have in common?

They are all after SSH and PGP keys. Attackers can change the name of an attack or go after a new vulnerability, but at the end of the day, they are after the SSH keys that guard your most critical data. Unless you understand the importance of SSH key management, SSH access visibility and SSH key rotation, you will continue to be vulnerable to BothanSpy, Gyrfalcon and other attacks like them. They will exfiltrate sensitive data from you, and unless you prepare, you will be forced to pay hefty ransoms for its return.

Is there a way to prevent key misuse?

Yes. You can start by automating your SSH key management, maintaining an accurate SSH key inventory and properly enforcing SSH key compliance.

How can automation save your Keys?

One effective solution against key misuse is frequent SSH key rotation. SSH keys tend to provide permanent access to critical systems because they never expire. If you rotate keys, meaning you delete and re-provision them across critical systems, attackers are forced to regain access every time a key is rotated. With the right control and access visibility over your SSH keys, PGP keys and other asymmetric keys, you can track and flag key misuse almost immediately, making any risk associated with your SSH keys obsolete.
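As an added example of the inventory and rotation checks argued for above (this is not AppViewX's product or code), the following Python script parses OpenSSH authorized_keys entries, computes OpenSSH-style SHA256 fingerprints, and flags keys that are absent from a provisioned-date inventory, older than an assumed 90-day rotation window, of a weak type, or lacking a from= source restriction. The key blobs and dates are constructed placeholders, not real keys.

```python
import base64, hashlib, struct
from datetime import date

ROTATION_DAYS = 90  # assumed policy: keys provisioned longer ago than this are due for rotation
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def make_blob(ktype: str, seed: int) -> str:
    # Constructed sample blob: real SSH wire framing (length-prefixed strings), placeholder key material.
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(ktype.encode()) + s(hashlib.sha256(bytes([seed])).digest())).decode()

def fingerprint(blob_b64: str) -> str:
    # OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of sha256(raw key blob).
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str) -> dict:
    # Options (if any) precede the key type and may contain quoted spaces, so locate the type token first.
    parts = line.split()
    idx = next(i for i, p in enumerate(parts) if p in KEY_TYPES)
    return {"options": " ".join(parts[:idx]), "type": parts[idx],
            "fp": fingerprint(parts[idx + 1]), "comment": " ".join(parts[idx + 2:])}

def audit(lines, inventory: dict, today: date) -> list:
    # inventory maps fingerprint -> date the key was provisioned (the record a key inventory should hold).
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        k = parse_line(line)
        if k["type"] == "ssh-dss":
            findings.append((k["fp"], "weak key type ssh-dss"))
        if "from=" not in k["options"]:
            findings.append((k["fp"], "no from= source restriction"))
        issued = inventory.get(k["fp"])
        if issued is None:
            findings.append((k["fp"], "not in inventory"))
        elif (today - issued).days > ROTATION_DAYS:
            findings.append((k["fp"], "rotation overdue"))
    return findings

# Constructed sample: three authorized_keys entries and an incomplete inventory.
K1, K2, K3 = make_blob("ssh-ed25519", 1), make_blob("ssh-ed25519", 2), make_blob("ssh-dss", 3)
SAMPLE_LINES = [
    f'from="10.0.0.0/8",command="/usr/bin/backup" ssh-ed25519 {K1} backup@bastion',
    f"ssh-ed25519 {K2} alice@laptop",
    f"ssh-dss {K3} legacy-service",
]
INVENTORY = {fingerprint(K1): date(2017, 7, 1), fingerprint(K3): date(2016, 1, 1)}

def run_sample() -> list:
    return audit(SAMPLE_LINES, INVENTORY, date(2017, 7, 20))
```

Run against a real host by reading each user's authorized_keys file into `audit` and loading the inventory from wherever provisioning dates are recorded; the backup key passes because it is restricted, inventoried and recent.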

Control Your Certificates Before They Go Rogue!

More than 84% of enterprises worldwide use SSH. SSH keys are essentially the keys to your kingdom. It is no surprise that intelligence agencies such as the CIA develop tools to steal SSH keys and gather critical intelligence. However, in the hands of hackers with less noble intentions, BothanSpy, Gyrfalcon and the variations of these tools that will undoubtedly follow pose a significant security threat by exposing your SSH keys. Are you going to continue patching every vulnerability with third-party tools? Or are you going to focus on protecting the source with effective SSH key lifecycle automation? The decision is yours.


About the Author

Shiva Kumar

Customer Success Architect

Enabling customers to resolve business challenges by designing solutions and facilitating a better understanding of the AppViewX platform.
