WikiLeaks on Tuesday published what it claims to be the CIA’s hacking techniques to exploit devices such as smart phones, computers, and Internet-connected televisions for the collection of intelligence around the world. If proven to be authentic, it “will be a huge benefit to our adversaries,” says Michael Morell, the former acting director of the CIA. “They will undoubtedly change their behavior in very short order, cutting off any intelligence flow and it will take months, if not years, to get it back.” Morell notes that if confirmed, “this would be the CIA’s Chelsea Manning, this would be CIA’s Edward Snowden.”
The cache, labeled Year Zero, includes 7,818 web pages and 943 attachments allegedly from the CIA’s Center for Cyber Intelligence between the years 2013 and 2016. The publication of the alleged CIA hacking methods is claimed to be the first installment in a series of upcoming leaks called Vault 7 – promised to be “the largest intelligence publication in history,” according to WikiLeaks.
In the past, WikiLeaks has published authenticated materials – most notably the Iraq and Afghanistan war logs, a trove of State Department diplomatic cables that came from Chelsea Manning (formerly known as Bradley Manning), and the internal communications of the Democratic National Committee – but the CIA would not confirm Tuesday’s WikiLeaks release.
Jonathan Liu, a CIA media spokesperson, issued a statement saying, “We do not comment on the authenticity or content of the purported intelligence documents.”
Should the documents prove to be real, however, it could impact the United States’ capacity to remotely collect intelligence and spark further debate over the responsible use of cyber capabilities. Todd Rosenblum, former acting Assistant Secretary of Defense for Homeland Defense, argues that “If authenticated, the release is devastating to law enforcement, intelligence collection, counter-terrorism, non-proliferation, and counter-intelligence efforts.”
“It could also greatly damage efforts to counter foreign active programs against the United States, like Russia’s,” he adds. But in the long run, Rosenblum says that “state and non-state actors will discover new exploits, because software releases are almost never exploit free, and current internet fundamentals leave most networks insecure.”
According to WikiLeaks, “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” However, James Lewis, the Senior Vice President at CSIS, says this information would be difficult to gather. “This is a large amount of files. The idea is that they circulated them and somebody collected the set seems a little dubious,” he says. “I think that’s one of the things they put in to hide their tracks about where they got it from.” Morell agrees. “This kind of information isn’t kept in one place at the Agency. This kind of information is spread out, compartmented. So whoever did this needed to carefully put it together, going to different places and pulling different pieces from different places and putting it together in a package and then handing it to somebody else,” Morell said.
The alleged CIA hacking toolkit released by WikiLeaks Tuesday is reminiscent of the hacking tools published by a group calling themselves the Shadow Brokers, said to belong to the NSA.
Tuesday’s trove of documents suggests that the arsenal of CIA hacking tools includes numerous zero days – tools meant to exploit previously undisclosed vulnerabilities in systems – either developed by the CIA internally, obtained from partners like the NSA, FBI, and the U.K.’s GCHQ, or even purchased from various private companies.
The hacking tools reported in the WikiLeaks release can be used to breach common technologies around the world, such as Apple and Android phones and tablets, Samsung smart TVs, as well as operating systems like Windows, Mac OS X, Solaris, and Linux. What’s more, the CIA’s overwhelming use of exploits in products of Western companies could cause backlash in foreign markets, potentially leading countries such as China to pursue protectionist policies intended to develop domestic replacements for Western products.
The revelations of CIA cyber espionage capabilities are not surprising after the recent establishment of the Directorate of Digital Innovation, and as Lewis says, “to be an intelligence agency you have to be operating in cyber space.” But the release does point to the scale of the effort: according to WikiLeaks, over 5,000 personnel are allegedly involved in the CIA’s Center for Cyber Intelligence. Traditionally, cyber operations are thought to be the domain of the NSA, raising questions about the respective roles of the two agencies. “There has always been a little bit of tension in the last few years between the CIA and NSA over who owns this space,” says Lewis. “Everyone is connected to their device. Everyone’s using different applications. If you want to be a spy, you have to do some kind of hacking.”
According to WikiLeaks, the techniques listed permit the CIA to bypass encrypted messaging apps like WhatsApp, Signal, and Telegram by compromising the devices themselves. This does not mean, however, that the apps’ encryption has been broken: messages intercepted in transit cannot necessarily be read.
WikiLeaks also says that Tuesday’s release is intended to spark a debate over the disclosure of vulnerabilities so that they can be patched, rather than maintained to facilitate intelligence collection.
Rosenblum acknowledges that “exploits are vital parts of national intelligence activities, like counter-terrorism, counter-proliferation and counter-intelligence.” However, he maintains that disclosing vulnerabilities “is essential to our security, economic vitality and leadership in the technology sphere.”
If the CIA has the capability to exploit a vulnerability, foreign governments and cybercriminals may have it too. Not disclosing these vulnerabilities is a risky gamble, and according to Rosenblum, “Government sharing identified exploits with industry would reduce, for example, the possibility that a hostile power could harm the nation’s critical infrastructure operations via network attack.”
One notable difference in this week’s WikiLeaks release is the decision to withhold the actual code of the exploits, and the relevant CIA email addresses, targets, and the IP addresses of attack servers. “Maybe it means WikiLeaks can learn from its past mistakes,” says Lewis. “They know they were taken to task for damaging privacy in some of their earlier leaks. Their goal is to damage the United States and they get the effect without actually releasing everything.”
Should WikiLeaks choose to publish the exploits in full, Morell argues it “would be even more damaging because it would tell adversaries exactly how we approach these kinds of things” while a release of the target list would say “what targets are these tools aimed at to collect intelligence.” Morell goes on to say that “the things they published already are damaging, but the things that they have and could publish are even more damaging.”
Levi Maxey (@lemax13) is a cyber and technology producer at The Cipher Brief.
Pam Benson and Leone Lakhani contributed to this report.