Leaked: Docs cataloguing CIA’s frightening hacking capabilities

WikiLeaks has released 8,761 documents and files they claim originate from the US Central Intelligence Agency (CIA) – more specifically, from an “isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.”

CIA hacking capabilities

WikiLeaks says that this release – dubbed Vault 7 – is just part one of the documents and files they have in their possession and plan to release. The entire lot contains documents from 2013 to 2016, and this part – dubbed Year Zero – covers 2016.

The cache supposedly contains details about the CIA’s hacking capabilities and activities, and WikiLeaks has helpfully detailed some of them in the press release accompanying the dump.

But it will take days, if not weeks, for the cache to be sifted through and for a credible assessment of the documents’ authenticity to be made.

A CIA spokesman declined to comment on the authenticity or content of the documents in question, but several information security experts said that, at first glance, the document dump looks legitimate. Even Edward Snowden says so:

“Still working through the publication, but what Wikileaks has here is genuinely a big deal. Looks authentic,” he noted in a tweet, then explained: “What makes this look real? Program & office names, such as the JQJ (IOC) crypt series, are real. Only a cleared insider could know them.”

What’s in the documents?

WikiLeaks says that, among other things:

  • “The CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” and that “the archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner” and one of them provided WikiLeaks with portions of it.
  • The documents and files prove that the CIA has been secretly stocking up on zero-days, hacking techniques, tools, and employees who can use them, and that these capabilities have been used without much (or any) meaningful oversight.
  • The agency has been buying zero-day exploits from wherever it could and using them for hacking, all the while saying nothing to the manufacturers of the technologies it targets (mostly US companies).
  • The agency can bypass the encryption of popular encrypted communication apps such as WhatsApp, Signal, Telegram, Weibo, Confide and Cloakman – not by breaking the cryptography itself, but “by hacking the smartphones that they run on and collecting audio and message traffic before encryption is applied.”
  • The CIA can remotely hack and compromise Apple products running iOS, a variety of smartphones running Android, Windows computers and Macs, Linux boxes and routers, and Samsung smart TVs (turning them into always-listening devices), and can defeat and/or bypass most well-known anti-virus programs.
  • The CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation,” which it can use to misdirect attribution of attacks.

As usual, WikiLeaks won’t reveal the source of the leak. It has redacted from the documents the names of employees, contractors, targets, and anyone who is related to the agency, as well as IP addresses. It has also not published “armed” cyberweapons (hacking tools, exploits) “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

What now?

“If today’s leaks are authenticated, they demonstrate what we’ve long been warning about government hacking powers — that they can be extremely intrusive, have enormous security implications, and are not sufficiently regulated,” Privacy International commented.

“Both the US and UK governments have used secret interpretations of law to justify hacking. In the US, the legal framework for NSA’s hacking operations likely stems from Executive Order 12333, but it remains shrouded in secrecy. Today’s leaks raise profound questions about the authority under which the CIA develops and carries out its hacking activities.”

If the documents prove to be authentic, there will be no end to the issues that will arise from them.

The companies whose products contain the zero-days the agency used – and left unpatched because the CIA didn’t want to reveal them – are surely fuming, but I doubt that their bottom lines will be seriously affected.

These products are ubiquitous and hold huge market shares, and easy-to-use alternatives are practically non-existent. Consumers are left with little effective choice, even though information about these zero-days could ultimately also end up in the hands of criminals far more interested in accessing their devices than the CIA is.

The leak will surely have an impact on the currently extremely volatile political situation in the US, but it’s impossible to predict the outcome.