
Posted March 20, 2017 in Security

WikiLeaks Releases CIA Documents Detailing Hacking

WikiLeaks has released more than 8,700 internal CIA documents detailing agency hacking practices. The cache, called Vault 7, contains in-depth information on key cyberespionage resources, including computer programs that can infiltrate commonly used consumer and enterprise tools such as Internet Explorer and Skype, The New York Times reported. The document dump underscores the ongoing debate on internet privacy and poses serious problems for the CIA, which relies heavily on web-based intelligence-gathering techniques.

WikiLeaks claims it received the documents from a former contractor with inside access to agency resources. However, some speculate that another foreign power may have handed over the information. Either way, those familiar with the leaked data say it appears to be genuine, albeit unsurprising.

“The people who know a lot about security and hacking assumed that the CIA was at least investing in these capabilities, and if they weren’t, then somebody else was – China, Iran, Russia, as well as a lot of other private actors,” Beau Woods, deputy director for the Cyber Statecraft Initiative at the Atlantic Council in Washington, D.C., told The Times.


Various vectors in play

Even so, the hacking methods detailed in the documents might shock everyday citizens. The files contain numerous techniques for taking advantage of software vulnerabilities, specifically those found in devices running Android and Windows operating systems, according to Wired. The cache also includes strategies for infiltrating messaging applications equipped with end-to-end encryption and using Samsung smart televisions as listening devices. 

Vectors and hacking techniques discussed in the dump carry codenames. For example, HIVE, a malware suite, allows users to deploy tailored vectors for Linux and Windows platforms, according to WikiLeaks. Additionally, Vault 7 includes details on an internal CIA program called UMBRAGE Group, which maintains an extensive library of third-party malware, including programs stolen from enemy actors.

Together, the leaked sources paint a clear picture of the CIA cybersecurity apparatus and reveal it to be more extensive than previously thought. However, some in the intelligence community believe this data represents only a small section of the group, which operates within a separate internal division called the Centre for Cyber Intelligence. Additionally, the cache fails to mention more modern operating systems and devices, meaning the included information may be dated. 

“I don’t think that this is everything. It likely represents a very limited view of the overall network exploitation program,” cyber threat consultant Jake Williams told Wired. “But there’s a lot here, and it’s likely going to be very damaging to US international relations.”

Measuring the ripple effect

Indeed, the leak has the potential to catalyze political flare-ups across the globe and drastically dampen the CIA’s operational impact. Conversely, the domestic damage may be less dramatic. While Vault 7 contains details that raise serious questions regarding the agency’s reach, it does not show evidence of domestic spying, which would be a direct violation of the CIA charter, and it offers little information on how the mentioned data-collection devices and techniques have been deployed in the past.

Of course, the leak alone does bring up the issue of data security at the CIA itself. WikiLeaks claims the published documents have circulated within the espionage community for some time and were removed by individuals with inside access. Additionally, some in the legal community suggest that the CIA’s willingness to leave key software vulnerabilities unaddressed points to large ethical problems.

“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” Ben Wizner, director for the Speech, Privacy and Technology project at the American Civil Liberties Union, told The Times. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

Technology firms mentioned in the Vault 7 documents have already gone to work investigating supposed software vulnerabilities, The Washington Post reported. For example, Microsoft announced that it was looking into the defect mentioned in the report and would provide patches soon.

In any case, the release of the cache has shaken the CIA and reignited salient conversations centered on data security and privacy.