4 Takeaways from the Wikileaks 'Vault 7' CIA Leak
From using smart TVs for spying to hoarding IT vulnerabilities
Wikileaks released "Vault 7" this morning, consisting of what Wikileaks says is the "largest ever publication of confidential documents" on the CIA—more than 8,000 documents detailing various CIA cyberwarfare and electronic surveillance activities. Wikileaks says it is only the first set of documents to be released, with more to follow as the organization is able to verify and analyze more documents. Wikileaks had promoted the Vault 7 disclosures for some time—the documents were released under the title "Year Zero"; they contain 7,818 web pages and 943 attachments from a development groupware used by the CIA's engineers, and include previous versions of many pages.
Wikileaks says that while President Trump's executive order calling for a cyberwar review did not influence the timing, it did increase "the timeliness and relevance of the publication". Wikileaks noted in its extensive press release that while it highlighted some of the major findings from the documents released so far, more research and investigation would uncover more.
1. The CIA developed malware for iPhone and Android, as well as Windows, OSx, Linux, and internet servers.
According to Wikileaks, the documents show the CIA has a specialized unit specifically for stealing data from Apple products like the iPhone and the iPad, and another unit for Google's Android mobile operating system. These units create malware based on "zero day" exploits that the companies that develop the compromised systems are not aware of. While after the Edward Snowden disclosures the Obama administration promised to share such exploits when agencies like the National Security Agency discovered them, Wikileaks says the documents it released show that has not been the case. Such "hoarding," as is noted by Wikileaks and has been long noted by critics of cyberwar tactics, can exacerbate security risks—any exploit the CIA can use to compromise a U.S. system foreign powers can also.
The malware the CIA has developed for iPhones and Android phones allow, according to Wikileaks, "the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." This doesn't mean the CIA has cracked the encryption of any specific application, but rather that it has made such encryption obsolete for phones it is able to compromise with its malware. According to Wikileaks, other CIA efforts target Microsoft Windows, Linux, and internet infrastructure and webservers. Wikileaks also details efforts by the CIA to develop a "Fake Off" mode to use on Samsung smart televisions in order to turn them into effective surveillance devices, as well as conceptual efforts toward taking remote control of "smart" vehicles.
2. The CIA has a "menu" of hacking tools for its assets to use, as well as "fingerprints" of other states.
A questionnaire under the program "Fine Dining" allows CIA case officers to identify their specific needs and receive hacking tools tailored to them. The list of possible targets includes asset, liaison asset, system administrator, foreign information operations, foreign intelligence agencies and foreign government entities. "Notably absent," Wikileaks points out, "is any reference to extremists or transnational criminals."
The CIA's UMBRAGE group also keeps a "substantial library of attack techniques 'stolen' from malware produced in other states," Wikileaks notes, helpfully adding that that includes Russia. Such a library of digital fingerprints, which Wikileaks compares to a distinctive knife wound, could help "misdirect attribution." Questions over just how Russia-specific purported Russia-specific telltale signs in the DNC hacks were fuel much of the suspicion about the certainty of the accusations against Russia.
3. The archive Wikileaks released was likely passed around among former U.S. hackers and contractors.
Wikileaks warns that the "CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation," and that the documents it was publishing it had received from a former U.S. government hacker or contractor, a community within which the documents had been previously circulation.
"There is an extreme proliferation risk in the development of cyber 'weapons,'" Wikileaks noted in its press release. "Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade." According to Wikileaks, the documents it released were not considered classified information because the nature of malware requires code to be left on target computers—handling classified information in such a way is prohibited.
4. The CIA appears to have duplicated the NSA's cyberwarfare efforts to avoid information sharing.
According to Wikileaks, for years the CIA has been developing "its own substantial fleet of hackers," one that has "freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities."
The CIA, Wikileaks explains, "had created, in effect, its 'own NSA' with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified."
It calls to mind the quote from the 1996 film Contact: "First rule in government spending: why build one when you can have two at twice the price?" Especially if it's secret!