The CIA’s No Good, Very Bad, Totally Awful Tuesday

It is now almost Lawfare tradition that when interesting classified technical documents are dumped, I take advantage of my lack of security clearance to do an initial analysis. (I’ll leave for another day the question of why this is becoming common enough to have established a tradition.)

As has been widely reported, this morning Wikileaks released a trove of documents, the first installation (Year Zero) of a series of planned releases it is calling “Vault 7.” According to Wikileaks,

the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

A word of caution: Wikileaks has in the past habitually exaggerated the quantity and quality of its leaks. We do not yet know exactly what we are dealing with. For example, Wikileaks touted its “introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.” The shocking revelation that the CIA … does its job generated less of a splash than they seemed to be anticipating. That said, these documents appear to be a collection of developer notes and related materials from an internal development server. And Wikileaks promises more, both some of the currently redacted documents in this dump and potentially other archives.

The story here isn’t that the CIA hacks people. Of course they do; taxpayers would be right to be annoyed if that weren’t the case. The CIA’s job, after all, is collect intelligence, and while its primary purview is human intelligence, hacking systems interacts synergistically with that collection. The actual headline here is that someone apparently managed to compromise a Top Secret CIA development environment, exfiltrate a whole host of material, and is now releasing it to the world. The compromise appears to have occurred in February or March 2016.

The dump itself is mostly developer notes and Wiki-type contents, probably from a private Atlassian development coordination server based on automatic-text in a PDF. It describes a large variety of tools targeting a whole host of platforms, ranging from Cisco routers to iPhones to Samsung Smart TVs. Technically, there really are no big surprises; these are all systems we would expect the CIA’s hackers to target.

The dump by Wikileaks is also deliberately incomplete. It actually did a decent job redacting names and IP addresses, at least far better than by its normal standards. It also deliberately did not include attack tools, but did provide directory listings suggesting that it may have a few of the CIA’s tools and not only these documents.

The CIA is no doubt scrambling to assemble an internal damage assessment, but the Wikileaks release already paints a very ugly picture. Dates in the files suggest that the compromise happened in February or March of 2016, so this is a recent breach. Two documents have Top Secret markings, which suggest either a mishandling of classified information or that the attacker managed to compromise a Top Secret CIA internal network.

Although Wikileaks did not release any exploits, the CIA must assume that whoever compromised this CIA server also exfiltrated any other information available on that network. Since some of these are zero-days, this shifts the vulnerabilities equities calculation for all exploits on that network. The CIA has an obligation to inform potentially affected companies. While I am reasonably tolerant of the US government retaining exclusive iOS 0-days, it should not be holding onto the 0-day once there is reason to believe it has been compromised by an adversary.

Wikileaks claims that “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” I strongly doubt this is the case.

It would be a pretty extreme violation for someone with a Top Secret clearance to spread this archive around, and it is exceedingly strange a “whistleblower” would use Wikileaks instead of an actual news outfit like the Guardian or the Washington Post. To my mind, there are pretty limited suspects who would have both the capability of exfiltrating from a Top Secret CIA network and who would want to both boast about it and damage the CIA by releasing this archive to Wikileaks. Presumably more information will emerge on this count.

Today is only the beginning of this story. People like me will continue technical analysis on the 500 MB and it will probably lead to discovering individual vulnerabilities used (based on their descriptions) as well as amusing notes about developer life in the CIA. (Apparently they hate GIT as much as those of us on the outside do.)

This shouldn’t distract us from the real story, however. Around a year ago, it looks like someone compromised a Top Secret CIA system and exfiltrated untold amounts of data. And now the world wants to know who, and how, and why.