Inside Vault 7: Digging into WikiLeaks ‘Year Zero’ trove of CIA hacking docs [UPDATED]

A man crosses the Central Intelligence Agency (CIA) logo in the lobby of CIA Headquarters in Langley, Virginia, on August 14, 2008. (Photo credit: SAUL LOEB/AFP/Getty Images)

Editor’s note: This story has been updated throughout the day since the original post at 12:26 p.m. on March 7.

The controversial transparency organization WikiLeaks published on Tuesday an archive of 8,761 documents and files the organization claims originate from the “CIA’s global covert hacking program.” WikiLeaks alleges the documents were stolen by an unidentified threat actor from the network of the CIA’s Center for Cyber Intelligence in Langley, Virginia.

The Associated Press cited experts who are reviewing the documents and said the leaked material appeared legitimate. A former NSA employee, speaking to FifthDomain on background, was unable to authenticate the documents but agreed they appeared to be legitimate. Past WikiLeaks publications have proven to be authentic.

CIA Spokesman Jonathan Liu told the Associated Press, “We do not comment on the authenticity or content of purported intelligence documents.”

The trove of information spans 2013 to 2016 and is claimed to be the largest ever publication of confidential documents from inside the U.S.’s top spy agency.

WikiLeaks dubbed Tuesday’s release “Year Zero” and claimed the archive was just the first in a series of leaks from inside the CIA that WikiLeaks plans to publish. According to WikiLeaks:

“Year Zero” introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products, include[ing] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

WikiLeaks did not reveal its source, but the organization claimed, “Recently, the CIA lost control of the majority of its hacking arsenal” and that the “archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

“WikiLeaks continues to remind us both how important, yet how difficult, data protection is,” the former NSA employee told FifthDomain. “Furthermore, there appears to be an operational security crisis around maintaining confidentiality.”

The published Year Zero archive does not include any of the CIA’s actual “‘armed’ cyberweapons,” which WikiLeaks claimed it will withhold “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should [be] analyzed, disarmed and published.”

Unlike previous leaks, in which WikiLeaks published all information it obtained from sources – including sensitive data of innocent parties – the Year Zero release redacted “ten[s] of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.”

The CIA’s ‘Own NSA’

The leak shows how the CIA’s hacking program developed over this millennium to the point that it now rivals the storied capabilities of the NSA:

Since 2001, the CIA has gained political and budgetary prominence over the NSA. The agency’s hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA’s hacking capacities.

Leaked documents detail specialized groups within the CIA, each tasked with a focused mission. For instance, the Automated Implant Branch focuses on “automated infestation,” the Network Devices Branch focuses on IT infrastructure such as web servers and the Engineering Development Group (EDG) creates the CIA’s malware and hacking tools. The EDG, WikiLeaks reported, has about 500 projects, which are only partially documented in Year Zero.

WikiLeaks claims the archive contains “several hundred million lines of code,” which have been used in “more than a thousand hacking systems, trojans, viruses and other ‘weaponized’ malware.” In 2016, the CIA had over 5,000 “registered users” involved in its hacking program.

“The CIA,” WikiLeaks wrote, “had created, in effect, its ‘own NSA’…”

CIA Tactics, Techniques and Procedures

When describing hackers’ tradecraft, cybersecurity experts refer to tactics, techniques and procedures (TTP). (Sometimes referred to as tools, techniques and procedures.) The Year Zero archive reveals the CIA’s significant skill and sophistication in developing custom TTPs for both widespread and targeted use.

The CIA’s hacking capabilities appear to span nearly every type of IT and telecommunications device, including smart phones, tablets, personal computers, infrastructure such as servers and networking components such as routers. In addition, the revealed TTPs enable the CIA to target almost every exploitable attack surface – from data and applications to operating systems, hardware and embedded systems.

Many of the TTPs – with codenames such as “Brutal Kangaroo,” “Assassin” and “Medusa” – will sound similar in technical functionality to the NSA’s TTPs, which were leaked in 2013 by former NSA Contractor Edward Snowden. A few TTPs contained in Year Zero stand out.

One method, called “Weeping Angel” – which was developed collaboratively with CIA counterparts at the U.K.’s intelligence agency MI5/BTSS – compromises Samsung smart TVs and places them in a “fake-off” mode. In “fake-off” mode, the TV appears to be off, but it remains on to record nearby conversations and transmit the audio to CIA servers.

Another notable finding was the CIA’s investigation in 2014 of TTPs targeting the vehicle control systems of automobiles. WikiLeaks wrote, “The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”

In addition, the leaked documents detail numerous exploits against Apple’s iPhone and other devices that run Apple’s iOS (operating system), as well as phones (manufactured by various makers) that run Google’s Android OS. Smart phone TTPs, which were developed by the Mobile Devices Branch, “permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman [sic] by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

The leak reveals the CIA has invested significantly in compromising the Microsoft Windows OS, with exploits that can reach “air-gapped” computers (those not connected to the public internet), infect removable storage media (e.g., thumb drives) and hide data in images, a method called steganography.

The leak reveals, “The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more.”

CIA ‘Hoarding’ Zero-Day Vulnerabilities

Following the 2013 NSA leak by Snowden, U.S. technology companies lobbied the Obama administration to commit to the Vulnerabilities Equities Process (VEP).

VEP was intended to encourage the U.S. government to disclose to technology makers so-called “zero-day vulnerabilities” – weaknesses in software and hardware unknown to vendors or the public that, unpatched, would allow hackers to exploit the technology. Zero-day vulnerabilities pose significant threats to the safety and privacy of technology end users.

According to WikiLeaks, Year Zero reveals that the CIA instead “hoarded” zero-day vulnerabilities rather than disclosing them to companies like Apple, Google and Microsoft. WikiLeaks claimed, “Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.”

International Operations

The leaked documents reveal how the CIA used the office of the U.S. Consulate in Frankfurt, Germany, as a base for covert operations throughout Europe, the Middle East and Africa.

CIA agents were purportedly issued “black” (diplomatic) passports and provided cover by the U.S. State Department, which enabled agents to “breeze through” German security. From Germany, the CIA agents were free to travel without obstruction across borders throughout the so-called Schengen Area.

The ability to freely move agents across international borders would prove useful to the CIA when it needed to deploy an exploit that relied on physical access to the target device.

Damaging String of Attacks Against U.S. Intelligence

Year Zero is the latest in a string of damaging hacks, leaks and uncovered insider threats at U.S. intelligence agencies. Snowden’s NSA leak is perhaps the most well-known, but there have been other significant events since 2013.

Last fall, then-NSA contractor Harold T. Martin III, 52, of Glen Burnie, Md., was arrested for stealing sensitive information from the NSA. Investigators found an estimated 50 terabytes of highly classified material in Martin’s house, car and shed. In February, a 20-count indictment of Martin was unsealed in a Maryland federal court. It alleged Martin stole classified government data “for as long as two decades.” Martin faces up to 200 years in prison if convicted on all counts.

Also last year, an unknown hacker or hacker group calling itself ShadowBrokers claimed to have stolen highly sensitive materials from the NSA. Security researchers claimed the materials “share a strong connection” with the Equation Group, which some believe is the NSA’s Tailored Access Organization. After several months and repeated failed attempts to sell the stolen information in an online auction, ShadowBrokers dumped the material to the public in January and then disappeared.

There is no evidence that Snowden, Martin, the ShadowBrokers and/or the unknown source of the Year Zero material are in any way connected or related.

WikiLeaks Controversy Continues

Year Zero comes after WikiLeaks was accused last fall of cooperating with Russia to undermine the 2016 presidential campaign of Hillary Clinton, who lost to Donald Trump in November.

The U.S. intelligence community in January published an unclassified version of a joint report based on the work of the CIA, NSA and FBI. The report alleged Russia used WikiLeaks and other outlets to publish information stolen in hacks, in an attempt to influence the 2016 presidential election:

We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.

The House Permanent Select Committee is now investigating various allegations of Russian hacking and influence operations that have arisen from multiple sources.