Fourth WikiLeaks CIA Attack Tool Dump

WikiLeaks is obviously playing their Top Secret CIA data cache for as much press as they can, leaking the documents a little at a time. On Friday they published their fourth set of documents from what they call "Vault 7":

27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

We have absolutely no idea who leaked this one. When they first started appearing, I suspected that it was not an insider because there wasn't anything illegal in the documents. There still isn't, but let me explain further. The CIA documents are all hacking tools. There's nothing about programs or targets. Think about the Snowden leaks: it was the information about programs that targeted Americans, programs that swept up much of the world's information, programs that demonstrated particularly powerful NSA capabilities. There's nothing like that in the CIA leaks. They're just hacking tools. All they demonstrate is that the CIA hoards vulnerabilities contrary to the government's stated position, but we already knew that.

This was my guess from March:

If I had to guess right now, I'd say the documents came from an outsider and not an insider. My reasoning: One, there is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace. That makes the whistleblower motive less likely. And two, the documents are a few years old, making this more like the Shadow Brokers than Edward Snowden. An internal leaker would leak quickly. A foreign intelligence agency -- like the Russians -- would use the documents while they were fresh and valuable, and only expose them when the embarrassment value was greater.

But, as I said last month, no one has any idea: we're all guessing. (Well, to be fair, I hope the CIA knows exactly who did this. Or, at least, exactly where the documents were stolen from.) And I hope the inability of either the NSA or CIA to keep its own attack tools secret will cause them to rethink their decision to hoard vulnerabilities in common Internet systems instead of fixing them.

News articles.

EDITED TO ADD (4/12): An analysis.

Posted on April 10, 2017 at 2:16 PM • 24 Comments

Comments

Ross Snider • April 10, 2017 2:36 PM

The problem is that the official statements obscure that there is vulnerability hoarding. I know how to parse that. You know how to parse that. But most people don't. And when I tell people that it's going on, there's a huge backlash of resistance to the idea. It's the same with the Snowden Documents. I spoke about mass and domestic surveillance and was socially crucified for it. Today I talk about US domestic propaganda. There's incredible resistance to it.

So the value of releasing the tools is the publication of irrefutable, clear evidence.

Cegfault McIrish • April 10, 2017 2:53 PM

The CIA does not have the same authoritative structure as the NSA (or FBI or ... most government agencies). They're very split apart, loosely connected. There's this attitude of "the left hand shouldn't know what the right is doing" - which makes sense. You don't want a CIA compromise in India to compromise the CIA in Mexico.

What this means, from my perspective, is that saying something like "the CIA is hoarding attack tools" is a bit of a misnomer. I'm certain various groups, contractors, and individuals in the agency pass around this information, but I highly doubt there's some high-level sanctioning or participation in it.

Does it really matter if the CIA knows how this information was taken? They probably don't care about it too much.

Ross Snider • April 10, 2017 3:10 PM

The CIA has built its own effective air force (its drone program) and its own effective hacking agency (vault 7), which has meant that it has increasingly been able to function inside its own entity, which has no checks or balances. The US originally broke the intelligence agencies and military agencies up into small departments so that they could be managed by the bureaucracy. What we've been seeing since 9/11 is that each of these agencies has bid to streamline its own relevance and consolidate its own capability to operate independently from oversight, with the CIA being a primary - and successful - example.

N • April 10, 2017 4:23 PM

Hey speaking of irrefutable, clear evidence, Longhorn is CIA. Symantec documents the first exposed CIA Fluxwire attack on a US target. CIA backed out in a hurry upon getting caught - that of course is what you have to do when you're shitting on US law.

https://wikileaks.org/ciav7p1/cms/page_17072166.html
https://www.symantec.com/security_response/writeup.jsp?docid=2015-111823-1849-99&tabid=2

Frantic CIA mind-control attempts ensue. It was obviously an accident. Yeah, right. As with NSA, CIA uses its best tricks to maintain impunity. So as the yara rules come out, the first place to look is in organizations coping with CIA crimes: torture, murder, drug trafficking, pedophile blackmail, and aggression by armed bands of irregulars.

Ross Snider • April 10, 2017 5:07 PM

@N

Can you provide an indicator that Trojan.Corentry (the Symantec link) has anything to do with the CIA, wikileaks and Vault 7? The link you provided to Wikileaks was to a page on how to set up a mesh networking tool (Fluxwire). The Symantec page says nothing about mesh networking and includes almost no information.

How would you link these two?

Dustin McEarchern • April 10, 2017 10:58 PM

It's amazing to think that 10-15 years ago this all would have sounded like the plot of a Hollywood spook movie, but now it is just everyday reality. Really amazing stuff.

Student6893 • April 10, 2017 11:08 PM

WikiLeaks is obviously playing their Top Secret CIA data cache for as much press as they can, leaking the documents a little at a time.

I don't think that's a fair statement, to imply they're only in it for the publicity. I think releasing the dumps in small batches helps to keep the government crimes relevant.

Dumping the archive all at once would be too easy for the public to be dismissive. There would be so much information that low attention span citizens would simply read something else. And the media certainly wouldn't cover it.

Wikileaks is exposing constitutional violations of the government and people are already complacent in their outrage. A massive dump would certainly not make it any better.

Rotoscoped Landyaught • April 11, 2017 12:57 AM

s/attack tools/virtual kompromat databases/
s/vulnerability in common internet systems/comprehensive intimate details of ordinary people's lives/
s/fix them/not fscking doing it in the first place/

I hope the inability of either the NSA or CIA to keep its own attack tools secret will cause them to rethink their decision to hoard vulnerabilities in common Internet systems instead of fix them.

Soufiane Tahiri • April 11, 2017 2:32 AM

"There is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace." Like many security enthusiasts, I respect your opinions, sometimes kind of blindly, but are you sure about your statement? Do you really mean "nothing illegal"?! Or nothing "abnormal"?

Slime Mold with Mustard • April 11, 2017 5:30 AM

Can anyone with time please compare the 'Vault 7' tools to the 'Shadow Brokers' exploits? I would love to know how the CIA and NSA are getting on these days. Would love to know who is in the other's servers.

r • April 11, 2017 5:52 AM

@Ross Snider,

The ars link above includes the major.minor details of the developmental correlation done by Symantec.

trent • April 11, 2017 6:00 AM

> I hope the CIA knows exactly who did this. Or, at least, exactly where the documents were stolen from.

There's some pretty terrifying symmetry in here too: either the CIA has also obtained all the hacking tools of whoever did this - and so is failing to disclose security holes they know have active hostile exploits - or else the CIA has to admit that it's not the Top Dog.

Both of those are bad options.

Ergo Sum • April 11, 2017 6:45 AM

@Ross Snider...

Today I talk about US domestic propaganda. There's incredible resistance to it.

Well, at least you haven't been crucified for it... yet... :)

Not just the US, other countries have widespread propaganda as well. Since most people cannot analyze/evaluate the news themselves, they rely on experts' opinions and as such, they are easily influenced. And of course, they will resist any attempt to discredit their way of thinking...

So the value of releasing the tools is the publication of irrefutable, clear evidence.

[sarcasm]
But, but... It was done by Wikileaks and the Russians to discredit the "most effective" agency in the US. It does not matter what's in the publication, it is propaganda by our enemies. You know, like the HRC email leaks...
[/sarcasm]

I'd venture to say that these types of leaks have lost their edge by now. The Snowden leaks were the last ones that stirred up some controversy.

The current CIA leak is too technical for most people to comprehend. The MSM will downplay the content of the leak and emphasize the evilness of the "boogeymen" and keep pounding that in their headlines. For security people, it is "clear evidence", but who is listening to security people nowadays?

student22 • April 11, 2017 7:15 AM

Fixing the vulnerabilities seems more sensible. Propagating the tools to exploit them will enable the spread and development of these tools across the world. All systems would then become increasingly vulnerable themselves to attack as a result.

jones • April 11, 2017 8:10 AM

FYI:

The CIA is not now nor has it ever been a central intelligence agency. It is the covert action arm of the President's foreign policy advisers. In that capacity it overthrows or supports foreign governments while reporting "intelligence" justifying those activities. It shapes its intelligence, even in such critical areas as Soviet nuclear weapon capability, to support presidential policy. Disinformation is a large part of its covert action responsibility, and the American people are the primary target audience of its lies.

-- Ralph McGehee

***

Yet over the three decades since the N.S.A. was created by a classified executive order signed by President Truman in 1952, neither the Congress nor any President has publicly shown much interest in grappling with the far-reaching legal conflicts surrounding the operation of this extraordinarily powerful and clandestine agency. A Senate committee on intelligence, warning that the N.S.A.'s capabilities impinged on crucial issues of privacy, once urged that Congress or the courts develop a legislative or judicial framework to control the agency's activities. In a nation whose Constitution demands an open Government operating according to precise rules of fairness, the N.S.A. remains an unexamined entity. With the increasing computerization of society, the conflicts it presents become more important. The power of the N.S.A., whose annual budget and staff are believed to exceed those of either the F.B.I. or the C.I.A., is enhanced by its unique legal status within the Federal Government. Unlike the Agriculture Department, the Postal Service or even the C.I.A., the N.S.A. has no specific Congressional law defining its responsibilities and obligations. Instead, the agency, based at Fort George Meade, about 20 miles northeast of Washington, has operated under a series of Presidential directives. Because of Congress's failure to draft a law for the agency, because of the tremendous secrecy surrounding the N.S.A.'s work and because of the highly technical and thus thwarting character of its equipment, the N.S.A. is free to define and pursue its own goals.

-- The Silent Power of the NSA, New York Times (1983)


Dirk Praet • April 11, 2017 8:46 AM

@ Soufiane Tahiri

There is absolutely nothing illegal in the contents of any of this stuff.

As counter-intuitive as it may sound, that is exactly what it is, depending on one's definition and legal approach of espionage.

While kinda every country has very strict laws against espionage perpetrated against it, most of them also have one or more spy agencies with an explicit legal mandate to carry out acts of espionage both domestic and abroad. Which makes it both legal and illegal, depending on which side you're looking at it.

International law on espionage remains somewhat of a grey area that - with some notable exceptions - does not criminalise it as such, and in practice mostly is governed by a framework of gentleman's agreements like not spying on allies and other arrangements most of us know from John Le Carré and similar spy novel authors. Legal scholars tend to disagree with each other, some of them calling espionage legal, others illegal and a majority neither legal nor illegal.

Most of them however agree that there is an almost complete legal vacuum when it comes to cyber espionage, which neither of the most prolific spy nations are too enthusiastic to address as they would essentially shoot themselves in the foot. They can of course also conclude bilateral cyber treaties among each other (e.g. the 2015 US-China Cyber Agreement), but I'm not too optimistic that these are actually worth the paper they're written on.

In practice, what we are seeing is that everyone is spying on everyone, and that whatever some nations are claiming to uphold some imaginary moral high ground, nothing really is off-limits. From a US vantage, probably none of this CIA or NSA foreign spying is illegal. From that of the spied upon, they have been targeted by criminal foreign state actors whom under international law they have little to no legal recourse against.

Given the US's well-documented espionage and aggressive regime change track record, the current indignation over Chinese and Russian spying not only is hypocritical, it is downright laughable in the sense that there is no such thing as a boxing match in which you are the only party that gets to throw the punches.

Bruce Schneier • April 11, 2017 9:20 AM

"'There is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace.' Like many security enthusiasts, I respect your opinions, sometimes kind of blindly, but are you sure about your statement? Do you really mean 'nothing illegal'?! Or nothing 'abnormal'?"

I mean illegal. These are tools. They're weapons. The US Government is allowed to own weapons. What would be legal vs illegal is their use. That's why this is different from the Snowden NSA documents. Snowden exposed NSA surveillance programs -- usages -- that targeted Americans and are illegal. Snowden exposed NSA surveillance programs that targeted innocents all over the world and are immoral. Snowden also exposed NSA programs that targeted friendly world leaders and organizations; at best those are questionable. The CIA dump exposes nothing even remotely like any of that.

Bruce Schneier • April 11, 2017 9:21 AM

"There's some pretty terrifying symmetry in here too: either the CIA has also obtained all the hacking tools of whoever did this - and so is failing to disclose security holes they know have active hostile exploits - or else the CIA has to admit that it's not the Top Dog.

"Both of those are bad options."

Agreed.

gordo • April 11, 2017 3:38 PM

Kaspersky's summary of 'The Lamberts' or 'Longhorn':

Unraveling the Lamberts Toolkit
An Overview of a Color-coded Multi-Stage Arsenal
By GReAT on April 11, 2017

Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.


Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.

Since at least 2008, ...

https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/

Ross Snider • April 12, 2017 1:18 PM

@Camp No

"These redactions include ten of thousands of CIA targets AND ATTACK MACHINES throughout Latin America, Europe and the United States."

It isn't obvious that Wikileaks is talking about targets in the United States at this point. They could be referring to attack machines. Also, Wikileaks would likely publish this bombshell - or maybe they are just waiting for the best time to do it.

It should also be noted that it is legal (unfortunately) for the CIA to target Americans. The rules carved out for this are for assistance to FBI, for domestic targets that have international intelligence value, and a number of others.

Namely, Schneier is pretty ignorant of the law here (or rather, is presenting generalized versions of it) but your response is equally - if not more - generalized and presumptuous. Let's wait to see if Wikileaks publishes anything of substance that violates domestic or international law. So far they've published incompetence and embarrassing and complicating material.

Then, if you think everything the CIA does is unjustified, you could argue that. There are lots of legal things that are unjust - CIA activities being one of many of them.

John Galt • April 14, 2017 4:26 AM

@ Schneier

[[[ I mean illegal. These are tools. They're weapons. The US Government is allowed to own weapons. What would be legal vs illegal is their use. That's why this is different from the Snowden NSA documents. Snowden exposed NSA surveillance programs -- usages -- that targeted Americans and are illegal. Snowden exposed NSA surveillance programs that targeted innocents all over the world and are immoral. Snowden also exposed NSA programs that targeted friendly world leaders and organizations; at best those are questionable. The CIA dump exposes nothing even remotely like any of that. ]]]

A computer is a weapon. False paradigm.

A computer is a tool used by psychopaths to conduct espionage and enslave their victims.

It's like Eve eating the Apple in the Garden of Eden. She coveted to become the All-Knowing. A poison apple. And, Adam helped.

Then, they both tried to hide their deed behind fig leaves. Fig leaves are about the size of your thumb.

Gilligan's Island Episode: Food for thought. https://www.youtube.com/watch?v=yZarLN94VZg

Jared Hall • April 17, 2017 1:43 AM

@Bruce: OMG. There is absolutely nothing in these documents that make them credible. Period. On a bad day, after 37 shots of Tequila, a CIA mail clerk could write a disinformation campaign that would be more plausible than this. Not even the Russians would be this bad. Outsider? Yes. Teenager? Probably.

I like the nice plug for the book. Now wait a minute... Bruce, what did you do last weekend?

@jones: That's a lot of outdated information. Paragraph 1 - The 80's were a big growth period for the NSA. For at least the last 15 years or so, the CIA has the bigger budget. Paragraph 2 - The NSA is mission driven. It has top-level mission directives handed to them by the CIA. The military component of the NSA, the CSS, is responsible for coordinating Military Intelligence agencies in support of the NSA's missions and coordinating the response to immediate threats (while somebody is trying to wake up the President or track down someone else in a meeting).

Neither one of those organizations is *supposed* to violate US law, where US law exists. The general direction of the CIA is dictated by the President to support US interests, whatever they may be (usually business/economic deals). Generally speaking, once policy is defined and issued, the ship sails in a semi-autonomous fashion. It takes a lot of time to turn that battleship around. Where things have gone awry is when there have been "Don't Ask, Don't Tell" relationships between the two agency Directors.

@Dirk: You are correct as usual. There aren't a whole lot of laws governing what can and cannot be done. I opine that's the way it should be.

@Govt: Please do away with the whole DNI position. Look what that brainy McConnell from NSA did to bamboozle everybody. Please consider instead a two-factor leadership role: NSA: #1 Military/#2 Civilian and CIA: #1 Civilian/#2 Military. Work 'em in Meerkat pairs so that NSA/CSS has a clear military leader of authoritative rank. Both CIA leaders should have unfettered access to the President's ear; kind of like the old days, but better.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.