WikiLeaks drops 'Grasshopper' documents, part four of its CIA Vault 7 files

Wikileaks' latest batch of Vault 7 documents focuses on the CIA's anti-forensics tools
[Image: CIA logo being cleaned. Getty Images / Brendan Smialowski / Stringer]

After publishing thousands of politicised emails during the US presidential election, Wikileaks has turned its focus to the US intelligence services.

Julian Assange and his team have published more than 8,761 documents that are claimed to be from the US Central Intelligence Agency (CIA).

The trove of documents, dubbed Vault 7, is said to be the first of a number of disclosures that reveal the CIA's hacking abilities. "The series is the largest intelligence publication in history," Wikileaks says. "This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive."

Here's what you need to know:

What is in Grasshopper – part 4?

The fourth release of Wikileaks' CIA files, dubbed Grasshopper, dropped on April 7. Within the files are 27 documents, which the leaking organisation says were used by the CIA to build "customised malware payloads for Microsoft Windows operating systems".

"Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customised implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle," Wikileaks says in a statement published alongside the documents.

The documents themselves mostly consist of user guides that relate to different computer system modules.

For instance, the 107-page Grasshopper-v1_1-AdminGuide defines the modules and payloads needed for a person to build an "operation". Elsewhere, the organisation says the documents discuss reusing malware previously used by Russian organised crime groups, and give advice on how CIA code can evade Microsoft security tools.

Wikileaks claims the documents provide insights into how the CIA builds "modern espionage tools" and makes use of vulnerabilities in Windows computers.

Part three: Marble Framework

Part three of Wikileaks' CIA disclosures, first made public on March 31, focuses on the agency's anti-forensics tools, called Marble Framework. "Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," Wikileaks says in its release of the documents.

In total, Wikileaks has published 676 source code files that it claims are from the CIA. The technology Wikileaks discusses focuses on how the CIA's code is designed to make it easier for those writing malware to disguise who created it.

For instance, the leaks organisation says Marble has test examples in multiple languages: a person creating malware can make it appear to have been written by a speaker of Chinese, Russian, Korean, Arabic or Farsi. CIA-created malware could therefore be developed to appear as if it emanated from another country. The CIA has not commented on the disclosures.

Wikileaks says: "The Marble source code also includes a deobfuscator to reverse CIA text obfuscation". Unlike previous disclosures in the Vault 7 files, Wikileaks has made the source code for Marble Framework public as it does not specifically contain any vulnerabilities. Previous releases from the files have not included source code as security vulnerabilities have been directly contained within them.

Part two: Dark Matter

Released to the public on March 23, 2017, the second set of documents has been called 'Dark Matter'. Like part one, it is said to include details of the CIA's global hacking programme, and these documents describe hacking methods allegedly used by the agency to access Apple devices and upload data.

As WikiLeaks explains: "Dark Matter contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB)."

In particular, the documents explain the techniques used by the CIA to gain 'persistence' on Apple devices, including Macs and iPhones, using, among others, the "Sonic Screwdriver" project. As described by the CIA, Sonic Screwdriver was a 2012 "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting". This would allow an attacker to boot their software from a USB stick, for example, "even when a firmware password is enabled".

The files reveal the CIA used it to install malware on Thunderbolt-to-Ethernet adaptors, like the Thunderstrike 2 exploit detailed at Black Hat in 2015. Apple fixed the flaw after the Black Hat disclosure, meaning the CIA can no longer use that particular exploit to take over Macs.

Elsewhere, the DarkSeaSkies project involved "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies".

Apple has responded to the disclosures from Wikileaks by saying it has completed a preliminary investigation on the new information.

“Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released,” the company said in a statement. “Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.”

It continued to say it has “not negotiated” with Wikileaks to be provided with information. Apple said: “Thus far, we have not received any information from them that isn’t in the public domain”.

Part one: Year Zero

Released to the public on March 7, 2017, the first set of documents was called 'Year Zero' by Wikileaks. Two of the most significant documents showed the CIA's iOS and Android exploits.

In the iOS documents, the security issues detailed are all given codenames, such as Elderpiggy, Juggernaut and Winterspy. Listed in the details are the type of exploit (e.g. API); the type of access the code obtains (kernel and remote exploits are featured); which versions of iOS the flaw works against; descriptions of the issues; and who found it (GCHQ, the NSA and others are featured). Apple has since said the flaws highlighted in the documents had already been fixed in past patches.

For Android, there are details on the name, description and proof-of-concept name; which devices are affected; whether the exploit was purchased from a partner; and the type of issue found.

However, it isn't just mobile phones that are covered in the documents: web browsers such as Chrome, and even smart TVs, have previously undisclosed security vulnerabilities discussed. Google also said that Chrome and Android were not putting people at risk. "We've reviewed the documents and we're confident security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities," said Heather Adkins, Google's director of information security and privacy.

"Our analysis is ongoing and we will implement any further necessary protections. We've always made security a top priority and we continue to invest in our defenses."

One of the exploits found in smart TVs was called 'Weeping Angel'. The documents show Weeping Angel targeted the Samsung F8000 Smart TV. They say the TV could be turned into a "covert listening device" by putting it into "fake-off" mode: when the television appeared to be off, it was possible for conversations to be recorded. The CIA documents, which are from 2014, state 'future work' on the vulnerability could include capturing video from the televisions and being able to leave Wi-Fi turned on while 'fake-off' mode was enabled.

Critics of the documents' content have said they show how the CIA works with other security agencies around the world to create vulnerabilities that can access the personal data stored on mobile phones and other devices. For instance, NGO Access Now said the CIA should be working with companies. "Many of these vulnerabilities could have been responsibly disclosed and patched," the NGO's senior legislative manager, Nathan White, said in a statement.

Also in the documents, the majority of which have yet to be read and reported on by journalists, are suggestions that vehicle systems, the Internet of Things and more may be targeted by the CIA in the future.

Year Zero also details how the CIA's malware targets Windows, OS X, Linux and routers, delivered via USB sticks, software on CDs and more. The CIA's rules on how malware should be created are said to include instructions to stop it being traced back to the US. Wikileaks continued: "CIA hackers developed successful attacks against most well known anti-virus programs".

Are the documents real?

Possibly the biggest question of all. The CIA has neither denied nor confirmed whether the documents are real, saying it does not comment on the "authenticity or content of purported intelligence documents". It is not uncommon for security agencies and law enforcement bodies to take this approach.

Former NSA contractor and whistleblower Edward Snowden tweeted to say the documents "look authentic". "Program & office names, such as the JQJ (IOC) crypt series, are real. Only a cleared insider could know them," he wrote.

It is well known, from Snowden's own disclosures and also from a group called the Shadow Brokers, that US officials can hack into devices and systems. The New York Times says it is "likely" the new Wikileaks documents are real.

Also, Wikileaks has a history of publishing accurate documents obtained from its sources: its Collateral Murder videos showed US military bombing civilians in Iraq.

However, Wikileaks, arguably, lost credibility for its connections to Russia; promoting links to databases with sensitive personal information; and defending Milo Yiannopoulos.

Paul Calatayud, CTO of FireMon, added: "The validity of the dumps from my 18 years of experience in cyber, including eight years within the army cyber teams, would lead me to state these claims have basis and are worth taking real consideration over. The tools are very noteworthy yet to be expected if you understand the space."

Are the security flaws being fixed?

While both Apple and Google said the majority of the issues have been fixed, it is likely there will be more to come in subsequent disclosures.

To help the tech firms handle the vulnerabilities, and stop them being exploited once their existence is made public knowledge, Assange has said he will provide the Silicon Valley groups with access to the details.

In a press conference on March 10, from London's Ecuadorian embassy, Assange said he had "a lot more information" that would be revealed in the coming weeks and months.

"After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers," he said. "We have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure".

However, the Wikileaks boss did not explain why he had not disclosed the documents to the companies before the release of the 'Year Zero' files. Microsoft told WIRED US it would welcome being contacted but had not been spoken to by Assange.

How has the CIA responded?

Following publication, the CIA said it will work with the FBI to conduct a criminal investigation into the publication, but both bodies (and the White House) have declined to comment on the documents' authenticity.

"The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries," the CIA told the BBC.

Its statement continued: "Such disclosures not only jeopardise US personnel and operations, but also equip our adversaries with tools and information to do us harm."

The ex-CIA director Michael Hayden added that the disclosure of the malware and documents, despite redactions of official names, had made the US and other countries "less safe".

Have secure messaging apps been made vulnerable?

Included in Vault 7's 'Year Zero' is the suggestion that secure messaging apps using end-to-end encryption had been made vulnerable; these include WhatsApp, Signal, Telegram, Weibo, Confide and Cloakman.

Security experts have rebutted the claims, saying that the methods listed in the documents involve compromising a mobile device, not the specific apps. Snowden added that the CIA capabilities do not show hacking in the individual apps but the operating systems on mobile devices.

"There is a big difference between phone operating systems being hacked and message encryption being broken," the UK's Open Rights Group said in a statement. "If a messaging app’s encryption has been broken, that would affect every user of the app. The encryption in Signal and WhatsApp has not been broken."

How is the UK involved?

The UK's secretive spying agency GCHQ and MI5 are both mentioned within the Vault 7 documents, and Wikileaks claims GCHQ developed and gave vulnerabilities to the CIA. The iOS and Android documents list GCHQ as being involved in finding or creating some of the listed vulnerabilities.

Within the documents on Weeping Angel, the smart TV hack, UK security agencies are mentioned. "Received sanitised source code from UK with comms and encryption removed," the document says.

"Programs like Weeping Angel, if true, reveal the broad scope of these arrangements, which continue to operate in secrecy without clear rules or oversight," UK NGO Privacy International said of the programmes.

Who gave Wikileaks the files?

There are a number of unknowns about the documents. The source of the Vault 7 documents is being kept private by Wikileaks but it gives some indication of where they originated.

The documents came from an "isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia," it says. Wikileaks continues that the archive had circulated among former US government hackers and contractors, with one of them providing the information. All the documents in 'Year Zero' were created between 2013 and 2016.

Wikileaks adds: "Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete." Within the documents, redacted names are replaced by 'user numbers'.

This article was originally published by WIRED UK