Encryption & Key Management , Incident & Breach Response , Managed Detection & Response (MDR)
WikiLeaks Dumps Alleged CIA Malware and Hacking TroveLeak Seems to Show US Government Struggling to Protect Cyber-Espionage Secrets
WikiLeaks has released thousands of documents that appear to lay open in detail the CIA's computer hacking techniques - an astounding release of classified information that shows the government's efforts to diversify its digital surveillance tools and overcome encryption.
The secrets-spilling organization, run by Julian Assange, says the information, which it's dubbed Vault 7, "is the largest ever publication of confidential documents on the agency."
The first part of the leaks, comprising 8,761 files, came from the CIA's Center for Cyber Intelligence, WikiLeaks says. The CIA declined to comment on the leaks. "We do not comment on the authenticity or content of purported intelligence documents," Heather Fritz Horniak, a spokeswoman for the CIA, tells Information Security Media Group.
The disclosure underscores the U.S. government's continuing struggle to keep highly sensitive intelligence material secret. In 2013, former NSA contractor Edward Snowden leaked tens of thousands of documents to demonstrate how U.S. citizens were ensnared in electronic surveillance dragnets (see How Did Snowden Breach NSA Systems?).
Last year, a longtime government contractor, Harold T. Martin III, was accused of collecting reams of sensitive intelligence documents over a 20-year period. The documents taken by Martin are not believed to have leaked publicly (see Former US Contractor Indicted in Theft of Classified Material).
The source of the alleged CIA leak has not been identified, but - as with Snowden and Martin - may have been an insider. "The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive," the organization says in a press release.
The source was motivated by a desire to prompt discourse on "whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency," WikiLeaks says. "Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike," WikiLeaks says.
But Thomas Rid, a professor in security studies at King's College London, says it's unusual that WikiLeaks mentions a supposed source for the dump at all.
Who is the source? This paragraph from WL seems odd.— Thomas Rid (@RidT) March 7, 2017
We will probably find out more about the source, if it was indeed an insider. pic.twitter.com/v06XiU966B
Mobile, Smart TV Attacks
The archive describes in deep technical detail the CIA's efforts to compromise other kinds of networked devices, such as smart TVs, as well as to exploit software vulnerabilities in Android and Apple's iOS mobile devices. But it's not clear how many of these exploits can be installed remotely, and how many require physical access to a device.
Apple says it's been testing the leaked exploits and finds that most won't work against its latest iOS operating system. "While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities," an Apple spokeswoman tells ISMG. "We always urge customers to download the latest iOS to make sure they have the most recent security updates."
Google couldn't be immediately reached for comment about the alleged Android exploits.
The CIA's Mobile Devices Branch - including its "Engineering Development Group," which doesn't appear to have ever been named in public before, developed ways to intercept audio, text, and geolocation data from mobile phones, WikiLeaks says. The agency has also either bought or developed zero-day exploits and malicious software.
Parts of those efforts are aimed at finding ways to overcome encryption, which law enforcement and intelligence agencies see as an obstacle to surveillance. WikiLeaks says that the agency's effort has focused on operating system attacks to get around encryption.
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied," WikiLeaks says.
But Robert Graham, head of offensive-security research firm Errata Security, notes that bypassing encryption isn't the same as defeating it. "The CIA has some exploits for Android/iPhone," he says in a blog post. "If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption - but such phrases used by WikiLeaks are highly misleading, since nothing related to Signal/WhatsApp is happening. What's happening is the CIA is bypassing/defeating the phone. Sometimes. If they've got an exploit for it, or can trick you into installing their software."
No Signal Hack Revealed
Open Whisper Systems, which develops the messaging app Signal, says that none of the documents indicate that the CIA has successfully exploited its application or found weaknesses in its encryption protocol.
Signal, widely viewed as one of the most secure messaging applications, uses end-to-end encryption to protect content, with the decryption keys closely protected on end users' devices. WhatsApp uses the same encryption protocol as Signal.
Instead, the leak shows that end-to-end encryption is proving to be a thorny obstacle to surveillance and "pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks," Open Whisper Systems wrote in a tweet.
Some documents also describe the agency's efforts to compromise Samsung smart TVs, a project nicknamed "Weeping Angel" - an apparent reference to killer aliens in the British television show "Doctor Who" that sneak up when their victims aren't looking. The exploit, developed in partnership with the U.K.'s MI5 intelligence agency, aimed to trigger the TV to record audio and transmit the content to the CIA, while making the device appear to be turned off. But it's not clear that this software - a firmware update - can be delivered remotely. "If you aren't afraid of the CIA breaking in an installing a listening device, then you shouldn't be afraid of the CIA installing listening software," Graham says.
WikiLeaks, however, contends the documents prove the government hasn't been sharing information on software flaws with the technology industry, as many believe it should.
In 2010, the U.S. government committed to a program called the Vulnerabilities Equities Process. Under the program, the government notifies companies about software vulnerabilities, with the caveat that some would be used for intelligence-gathering purposes.
The VEP was widely supported by the technology industry and seen as critical to protecting users from attacks using zero-day software vulnerabilities, which are those that have no patch. Such flaws are highly prized.
The CIA leaks bolster the argument of those who advocate for more prompt disclosure. If intelligence agencies such as the NSA and CIA can't protect sensitive information about software flaws, adversaries will seize upon the information.
Security teams are now poring over the documents to see how their products are affected, says Casey Ellis, founder and CEO of Bugcrowd.
"With this release, those exploits are now in the hands of anyone who wants them, including malicious attackers who will no doubt use them for their own purposes over the coming weeks," he says.
For example, the Vault 7 dump includes a variety of smartphone exploits, including what WikiLeaks claims are zero-day attacks against Android.
WikiLeaks' #Vault7 reveals numerous CIA 'zero day' vulnerabilities in Android phones https://t.co/yHg7AtX5gg pic.twitter.com/g6xpPYly9T— WikiLeaks (@wikileaks) March 7, 2017
But some information security experts say that the collection of leaks doesn't appear to include much in the way of previously unseen attacks. The operational security expert known as the Grugq, for example, says that while the dump includes exploits for Android 4.x - including the current version of the mobile operating system - there are numerous exploits for the operating system already in the wild, meaning would-be attackers would have little use for supposed zero days.
Numerous 0days in 4.x Android? Seriously? There isn't a 4.x Android phone around that can't be pwned using public exploits https://t.co/tFHkDkqZAH— the grugq (@thegrugq) March 7, 2017
"Most of this dump is child's play, simply malware/Trojans cobbled together from bits found on the internet," Errata Security's Graham says.
WikiLeaks vs. Trump
The alleged leaks may put WikiLeaks on a collision course with U.S. President Donald Trump's new administration.
But a separate line of thinking is also emerging, that the WikiLeaks dump, including revealing "false flag" malware that the CIA has used - some of which appears to have been previously attributed to Chinese or Russian attackers - may be an attempt to provide the Trump administration with a ready-built narrative for dismissing the U.S. intelligence community's finding that Russia attempted to influence the U.S. election, in part by routing stolen Democratic National Committee documents to WikiLeaks to be dumped online.
Why now? How long did Wikileaks sit on the files before release? - In the recent past they carefully timed releases for political effect.— Thomas Rid (@RidT) March 7, 2017
Trump praised WikiLeaks and its founder Assange during his presidential campaign, as the organization released reams of internal Democratic Party emails. The material fueled his stump speeches and put Democratic presidential nominee Hillary Clinton on the defensive, perhaps contributing to her election day defeat, which caught many by surprise.
Now that Trump heads the executive branch of the U.S. government, his relationship with WikiLeaks may become more complicated. The U.S. intelligence community continues to investigate Russia's alleged hack of Democratic Party figures and passing of material to WikiLeaks. Investigations also continue into whether Trump's associates had improper contact with Russian intelligence officials during the campaign.
Trump has so far not commented on the CIA disclosures.
Executive Editor Mathew J. Schwartz also contributed to this story.