WikiLeaks posts spy trove purporting to contain CIA hacking tools

WikiLeaks has released a trove of documents it claims detail the bulk of the Central Intelligence Agency's hacking tools and program data.

According to WikiLeaks, "Vault 7" will be an ongoing release of CIA documents and tools. The initial release, "Year Zero," includes 8,761 documents and files said to be from the CIA's Center for Cyber Intelligence.

"Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation," stated WikiLeaks in its press statement announcing the release of the documents.

"This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA," stated WikiLeaks.

“’Year Zero’ introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits against a wide range of U.S. and European company products," the group said. Those products include "Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.”

The release does not include any actual exploit code or tools, so many experts are reserving judgment on the validity of the material and what WikiLeaks actually has. But one former senior government official told FCW that there are early indicators the information is authentic.

WikiLeaks stated that a group of former U.S. government hackers and contractors had been circulating the material and one of them provided WikiLeaks with portions of the data.

According to WikiLeaks, the source of the data said policy questions such as “whether the CIA's hacking capabilities exceed its mandated powers,” need to be explored. The source further “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

The release raises a number of questions about the CIA and other government agencies’ collection of vulnerabilities in devices and operating systems, and how they go about sharing or withholding that information. The Vulnerabilities Equities Process is designed to vet vulnerabilities to determine whether their intelligence value outweighs the security risk to the public if they remain unpatched and can be exploited.

“Between this & Shadow Brokers it seems clear the government needs to seriously reassess the adequacy of the VEP,” tweeted Julian Sanchez, a senior fellow at the CATO Institute who focuses on technology and surveillance topics.

Former officials told FCW, however, that they think the VEP is working and people are respecting it.

“In my view, agencies approached the VEP forthrightly and did not try to ‘hide’ things from it,” Michael Daniel, the former White House cybersecurity coordinator, told FCW. “The VEP was robust and was achieving its intended goals.”

Another former official told FCW on background that as systems and devices have become more secure, “the more motivation and legitimate basis from an [intelligence community’s] perspective there is to retain some vulnerabilities.”

The official added that while the WikiLeaks release hints the CIA has a large portfolio of exploits and tools to turn phones and TVs into surveillance devices, “it's not yet clear to me how many zero days are really back beneath this long list of documents.”

Even if there are a large number of vulnerabilities, the official said, they might have predated the VEP. They also could apply to older devices that are less used, or they could be in devices or systems used overseas and are less likely to be used by Americans and require VEP protection.

At the same time, former officials concede it is possible that agencies like the CIA could try to hide vulnerabilities they find from the disclosure process, but actually verifying that amounts to “proving a negative.”

The former senior official said there are two other immediate takeaways from the release: that even sophisticated organizations still can’t keep their data secure, and that there are a lot of CISOs and security organizations panicking about what vulnerabilities they have that need patching.

The corollary is that intelligence entities or other actors are likely racing to exploit vulnerabilities before WikiLeaks can release the code and allow organizations to patch and contain the exploitation.

The former official also raised the question of why WikiLeaks released this information now and what the group's motivation is.

According to the release, WikiLeaks “published as soon as its verification and analysis were ready.”

Wikileaks said it “carefully reviewed” the material it has released to ensure it is not putting out any “armed” cyberweapons “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published.”