This past Tuesday (March 7, 2017), the internet’s online library of cool stuff, WikiLeaks, published the first of what it promises to be many more materials related to the CIA’s cyberspying arsenal (or should that be “cyber spying?”). The site has dubbed this treasure trove of purloined materials “Vault 7.” The outward dismay and deep concern this dump has caused is probably only the tip of the dismay and concern iceberg. One can only imagine the wailing and gnashing of teeth that’s currently in process behind closed doors in Langley, VA.
There are a whole lot of goodies bundled with this info dump and I’m not just referring to the leaked docs. The docs are really secondary to the many teachable moments offered up to us Cybrarians relating to a wide range of courses here on Cybrary.
What’s in the vault?
The materials that were published on WikiLeaks are the first part of a series comprising 8,761 documents. WikiLeaks has dubbed this first release “Year Zero.” WikiLeaks states that the CIA recently lost control of the majority of its hacking arsenal, which includes such nice stuff as malware, viruses, Trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation developed by a CIA entity known as the Engineering Development Group. Sounds like Christmas morning in Hackerville. It’s best to go directly to the source, WikiLeaks, for the details rather than getting your news secondhand. I drifted off to sleep last night reading the WikiLeaks “Vault 7” article.
WikiLeaks claims that this trove already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks. Competitive much? And the competition doesn’t end there. It seems the NSA and CIA have an ongoing competition in the cyber warfare arena. Again, according to WikiLeaks, the CIA bristled that it had to get hand-me-downs from the NSA. Eventually, the CIA’s budget for cyberwarfare development increased and it was finally able to go its own way, possibly outpacing the NSA’s efforts.
Hacking the endpoint is where it’s at
Many consider the zero day exploits to be the most interesting as well as the most frightening revelation in all this. It appears that there was an agreement forged between the U.S. technology industry and the Obama administration under which the government would disclose, on an ongoing basis, “serious vulnerabilities, exploits, bugs, or ‘zero days’” to Apple, Google, Microsoft, and other US-based manufacturers. However, like 19th century peace treaties with Native Americans, Uncle Sam apparently had his fingers crossed when making the deal. It now seems that the CIA held back dozens of zero day exploits for its own use.
This brings us to a hacking trend that’s gaining a lot of momentum and one discussed frequently in courses here on Cybrary.it: hacking the endpoint. Malicious activity on endpoints such as mobile devices and laptops often presents itself to detection methods as typical end user stupidity and thus evades detection. Attacking from the perimeter allows an adversary to gradually work its way further into the network, escalating privileges and working its way up the access chain as it goes. It was zero day exploits in Apple, Google, and Microsoft products that allowed CIA hackers to circumvent the encryption feature in WhatsApp, Signal, and Telegram and read users’ encrypted text messages.
And let’s not get started on the cursed IoT fiasco. The CIA devised a nifty little piece of malware that produces a “fake off” mode in Samsung internet-connected TVs, effectively turning them into good old fashioned bugs. “Get Smart,” anyone? If you’re old enough to remember. Paging George Orwell. Big Brother has finally arrived. A talking head on NBC Nightly News said that to protect yourself you should simply unplug your TV when you’re done watching. Sure, OK.
Who done it?
It’s little consolation that the docs containing code for these cyber tools apparently haven’t been released in their entirety. The fact that the world has been alerted to their existence is enough to undermine much of the effectiveness of both these tools and tactics. And you can bet CIA brass is scrambling to find out who is responsible for the leak, which appears to be massive. Two possibilities exist: a disgruntled or whistle-blowing insider, or could it be…the Russians! Who better to blame than those scary Russian hackers?
My money is on a CIA insider. Neither the NSA nor the CIA has been successfully hacked to my knowledge, other than their websites and some email accounts. A full-on data breach like the Target or GAO breach has yet to occur, and if it did, well, shame on them. Data exfiltration executed by an insider is really tough to prevent, let alone discover. It’s only when the data is leaked, as in this case, or held for ransom that the victim is even aware that the exfiltration occurred.
Even less consolation comes from knowing that these tools were used in support of cyberespionage campaigns directed at Europe and South America. Having them fall into the wrong hands could easily turn the tables and have them pointed at U.S. citizens and government agencies. Perhaps it’s a false equivalency to compare these tools to chemical and biological weapons, but the potential for unintended infection, along with the ethical concerns, is there. Some argue that “enhanced interrogation” techniques such as waterboarding are justified to protect the homeland from terrorist attack. It seems a similar argument can be made for tools that are dangerous and vile when directed at innocent victims but are justified when applied against America’s enemies.
And lastly, there’s a political angle to this story: it seems the CIA has curated a suite of malware created in Russia, with all the signatures of having originated in Russia. The potential to use these tools to create a “false flag” incident is available to anyone so inclined. Regardless of whether anyone in the U.S. government directed the CIA to conduct such a campaign, the timing of this release by WikiLeaks, as the drumbeat grows louder for a special prosecutor to investigate Russian government interference in the 2016 U.S. election, is curious. Let that one sink in for a millisecond while you tally up the Easter eggs I left for you.