WikiLeaks exposes more alleged CIA cyber tools

WikiLeaks has released the latest chapter in its ongoing "Vault 7" series of cyber and hacking tools allegedly poached from the CIA.

The new release, according to WikiLeaks, includes 676 source code files from the CIA's "Marble Framework."

"Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," WikiLeaks stated in its March 31 release.

WikiLeaks claimed that the released material helps “forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016."

WikiLeaks implied that the tools could have been used to run false flag hacking operations.

The CIA would not authenticate the trove, but a spokesperson said that "the American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm."

Jay Healey, senior research scholar at Columbia's School of International and Public Affairs and former government cybersecurity specialist told FCW that "the instinct of many threat researchers will be to shrug this off. It is normal spy tradecraft to be able to throw mild suspicion to hide one's own tracks."

But Healey added that those who mistrust the government might be inclined to see this as evidence the CIA could behind cyber incidents attributed to others.

"The truth, I suspect (or hope) is closer to the first. Any significant operation to blame another country, say for sabotage, would require a covert action including a finding from the president and informing Congress," he added. "That seems unlikely except in very, very limited circumstances."

Though, Healey said that either way, there could be significant ramifications if WikiLeaks releases the basic tool that allows others to better obfuscate.

"That doesn't hurt CIA's operations, but makes defense and attribution that much harder," he said. "It could be critical if it does in fact allow analysts to un-do CIA's obfuscation on code and confirm which are CIA operations and which are not," Healey added.

As WikiLeaks continues to trickle out chapters in its Vault 7 series, which it claims far exceeds the volume of documents in the Edward Snowden leaks, the question remains who exfiltrated the data from the CIA.

WikiLeaks indicated in its initial dump that the information came from a former government hacker or contractor, and many experts suspect the latter.

Former CIA chief information security officer Robert Bigman said last month on the program Government Matters that he believes the data theft was a consequence of the creation of the CIA's new digital directorate.

"I think this organization inside the CIA grew too fast too quickly and had too many opportunities to take advantage of and lots of tasks from the administration to work on that they didn't mind the store as well as they frankly should have," Bigman said.

"The agency knows how to do compartmentation and security -- we've been doing it for a long time," he added. "They have to go back and reapply those rules that we once learned in the [human intelligence] business to the computers operations business."

Healey said that Bigman's analysis makes sense if in fact the CIA tools were leaked by an insider and not stolen. He said it's particularly concerning given Snowden's previous theft of National Security Agency documents.

"I'd have thought the controls at CIA would have been improved enough to keep this from happening," Healey said. "If it is inevitable, why is it only happening to U.S. intelligence?"

The CIA spokesperson made a similar point, saying that "dictators and terrorists have no better friend in the world than Julian Assange, as theirs is the only privacy he protects."