For the second time in a matter of months, U.S. intelligence agencies have suffered a devastating breach of their hacking secrets.
But unlike the last breach in August, an American Central Intelligence Agency worker, not Russian hackers, is the most likely source of a new tranche of documents detailing the methods and tools used by the CIA to steal secrets from foreign governments and terror groups—though some experts have seen signs that Russia is working overtime to take advantage of the disclosure.
Tuesday's document dump, titled "Vault 7, Year Zero" by WikiLeaks, details the capabilities and culture within the CIA's secretive Center for Cyber Intelligence in Langley, Virginia. The leak portrays a robust, if not unique, computer-intrusion capability inside the CIA, accented by a few James Bond novelties, like special snooping software intended to be carried into an adversary's lair on a thumb drive, where a CIA asset plugs it into a USB port. Another program, code-named Weeping Angel, turns a Samsung smart TV into a covert listening device.
The leak follows an incident last August when a mysterious group or individual called the Shadow Brokers began publishing hacking tools stockpiled by the NSA's elite Tailored Access Operations group, including dozens of backdoor programs and 10 exploits. Experts suspected the Shadow Brokers were a shot across the bow by Russia's intelligence services.
But the CIA leak could be worse for U.S. intelligence, because it includes code from the agency's malware development frameworks. Using that code, security experts and counterintelligence agents could sniff out a variety of CIA malware. "For the CIA this is a huge loss," said Jake Williams, founder of Rendition Infosec. "For incident responders like me, this is a treasure trove."
The hacking files are the second WikiLeaks disclosure from a tranche of CIA documents it calls "Vault 7." The first, in February, showed that the CIA closely monitored the 2012 French election, an unsurprising revelation that nonetheless fueled charges of American hypocrisy.
Tuesday's data dump was similarly met with a rapid wave of social-media fury, most of it mischaracterizing the leak's content. Perhaps significantly, the most common meme purports to clear Vladimir Putin in the 2016 U.S. election hacking. It was the CIA that actually hacked the Democratic National Committee, the story goes, using the Kremlin's malware to frame Russia for the breach. In one version of the meme, it was all done "to justify spying on Trump"—an apparent reference to the president's recent assertion that the Obama administration wiretapped Trump Tower.
The basis of that false claim is a leaked CIA resource called "Umbrage," a catalog of malicious code samples captured in the wild by the government or computer-security firms. The leak shows that CIA hackers are encouraged to reuse that public malware in their own hack attacks when possible, in part to make it harder to attribute the breach.
But as described in the leak, the Umbrage library is primarily a shortcut for CIA code jockeys who don't want to write, for example, a Windows keystroke-logging function from scratch, when there are plenty of keyloggers crawling around our crimeware-clogged Internet already. The leaked catalog isn't organized by country of origin, and the specific malware used by the Russian DNC hackers is nowhere on the list. Needless to say, the documents say nothing about framing another nation's intelligence service. But by the end of the day Tuesday, the alt-right news site Breitbart was promoting the false claim.
Other memes claim falsely that the leaks show all Skype conversations are stored in the CIA cloud, that President Obama used CIA hackers to spy on President Trump, and cite the CIA's 2014 interest in hacking onboard automotive systems as a hint that the agency assassinated Rolling Stone reporter Michael Hastings, who died in a high-speed crash in 2013.
Robert M. Lee, founder of the cybersecurity firm Dragos, finds the rapidity, consistency, and overwhelming volume of the falsehoods suspicious, particularly the meme purporting to vindicate the Kremlin. He suspects that bots have been deployed to push the tall tale on Twitter. "That narrative emerged far too quickly to have been organic," said Lee. "There is certain narrative terminology and sound-bites that are consistent among multiple accounts. That usually speaks to some sort of automation or coordination."
"A lot of the things that were highlighted are clearly intended to drive a wedge between the president and the intelligence community," said Lee, "which is terrible for the country."
A similar dynamic was seen during WikiLeaks' election leaks, when legitimate revelations about the Democratic Party were often accompanied by far juicier reports on social media—often in .gif form—falsely citing the stolen emails. U.S. intelligence later assessed that the Kremlin had legions of paid trolls circulating critical and outright false narratives on social media as part of the campaign to throw the election to Trump.
A key difference this time is that by all evidence the CIA disclosures are genuine leaks from inside the agency, not the result of a hack. Few say they think the agency was breached by Russia the way the DNC was, which means a CIA employee or contractor with a top-secret clearance is likely the source. The most recent file in the cache appears to date to February 2016, so it's possible the leaker passed the documents to WikiLeaks before the group was known for laundering the ill-gotten gains of Vladimir Putin's hackers.
That person's identity will be an obsession in intelligence circles, and his or her motives a subject of endless speculation outside. WikiLeaks normally doesn't comment on sources except to deny Russia's involvement, but Julian Assange broke with that tradition this time to claim that the files had already leaked to former government hackers and contractors, one of whom then passed the tranche to WikiLeaks. The source wanted to spark a public debate on policy questions, Assange wrote, "including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.
"The source wishes to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons," Assange added.
Williams, a former U.S. government hacker himself, says WikiLeaks might well be telling the truth about the leaker's motives. "It could just be someone concerned about civil liberties," he said. But regardless of why they were leaked, the CIA documents put Trump in a tough spot. "He's openly praised WikiLeaks previously," said Lee. "Now he's dealing with what's ultimately going to be an intelligence collection disaster."