Wikileaks Dumps CIA’s Hacking Tools

Today, Wikileaks released a big chunk of documents pertaining to CIA’s hacking tools.

People will — and already have — treated this as yet another Russian effort to use Wikileaks as a cutout to release documents it wants out there. And that may well be the case. It would follow closely on the release, by Shadow Brokers, of a small subset of what were billed as NSA hacking tools (more on that in a bit).

Wikileaks attributes the files to two sources. First, it suggests a “US government hacker and contractor … provided WikiLeaks with portions of the archive.”

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In an apparent reference to this source, Wikileaks explains,

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

It also notes that developers may steal tools without a trace (though speaks of this in terms of proliferation, not this leak).

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them.

But Wikileaks also suggests that, because the CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Wikileaks is trying to appear more responsible than it was with recent leaks, which doxed private individuals. It explains that it has anonymized names. (It very helpfully replaces those names with numbers, which leaves enough specificity such that over 30 CIA hackers will know Wikileaks has detailed information on them, down to their favorite memes.) And it has withheld the actual exploits, until such time — it claims — that further consensus can be developed on how such weapons should be analyzed. In addition, Wikileaks has withheld targets.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Several comments about this: First, whether for reasonable or unreasonable purpose, withholding such details (for now) is responsible. It prevents Wikileaks’ release from expanding the use of these tools. Wikileaks’ password for some of these files is, “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds,” suggesting the motive.

Of course, by revealing that these tools exist, but not releasing them, Wikileaks could (hypothetically) itself use them. Wikileaks doesn’t explain how it obtained upcoming parts of this release, but it’s possible that someone used CIA’s tools against itself.

In addition, by not revealing CIA’s targets, Wikileaks both explicitly and implicitly prevents CIA (and the US generally) to offer the excuse they always offer for their surveillance tools: that they’re chasing terrorists — though of course, this is just a matter of agency vocabulary.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason [sic] Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals.

We will no doubt have further debate about whether Wikileaks was responsible or not with this dump. But consider: various contractors (and to a much lesser degree, the US intelligence community) have been releasing details about Russian hacking for months. That is deemed to be in the common interest, because it permits targets to prevent being hacked by a state actor.

Any hacking CIA does comes on top of the simplified spying the US can do thanks to the presence of most tech companies in the US.

So why should CIA hacking be treated any differently than FSB or GRU hacking, at least by the non-American part of the world?

This leak may well be what Wikileaks claims it to be — a concerned insider exposing the CIA’s excesses. Or perhaps it’s part of a larger Russian op. (Those two things could even both be true.) But as we talk about cybersecurity, we would do well to remember that all nation-state hackers pose a threat to the digital commons.

47 replies
  1. TheraP says:

    Trump is a TV and twitter addict.

    That was my first thought. And my second: Karma!

    This is your forte, EW! Go for it!

  2. jerryy says:

    So maybe someone can explain why various government officials were in such a tizzy trying to force (phone, etc.) manufacturers to install backdoors ‘only available to law enforcement’?

    Are those same folks going to suddenly clamor that such items (refrigerators, light bulbs) need to be less susceptible to such exploits?

    • PeasantParty says:

      I see that the competition was upped between the FBI and CIA when that went down.  Of course, one could see a lot of other things in those actions.  However, we now know that Apple phone break in business was not really needed.  Makes me wonder why we pay billions a year for NSA type snooping.  They haven’t managed to catch anything and haven’t been able to provide proof of election steals.

    • SpaceLifeForm says:

      Retroactive cover. Try to get laws passed that allow them continue to do what they what they were already doing illegally all along.

  3. scribe says:

    Does this mean that if I were to persuade a neighbor to buy (or they already have) a Samsung “smart TV” I can get to watch their HBO for free?

    For those not up on the reference, one of the programs (freaking out the German media) is that one of the hacks was to turn Samsung smart TVs into surveillance devices, something along the lines of the video screens installed in every abode in 1984.

    The SZ (and other German media) also report that a lot of the software development work was done in the CIA facilities co-located with the US Consulate in Frankfurt. They also report that, among other things, the planning and construction of US torture prisons (they don’t mince words) was managed from the same offices, as was hacking Merkel’s smartphone.

    Note also the CIA was working on ways to hack cars….

    Among other things.

  4. earlofhuntingdon says:

    Neunzehnhundertvierundachtzig is here again.  By all means, ditch the surveillance appliances.  But who owns the collected data, how safely is it stored and for how long, how and for what purposes is it analyzed, and how easily can the consumer confirm that in writing.  How heavy are the penalties for failing to abide by those data protectgions? Of course, all those uses are made only after having obtained the consumer’s express consent, ja?

    A groundswell for EU-style data protection rules, extent in the developed world outside the great and powerful USofA, would do Americans a world of good.  It would certainly protect them a helluva lot more than any number of EO’s from Donaldo.

    • Avattoir says:

      Rhetorical, right? There’s a basis for regarding Wikileaks to be in partnership with Russian hackers (whether or not state agents or state approved). Despite where Snowden resides, AFAIK there’s no basis for regarding Snowden as being remotely like the sort inclined to phone in to Alex Jones.

      • John Casper says:

        “Politics makes strange bedfellows.”

        Trump’s base thinks Obama and the IC violated POTUS’ Constitutional rights.

  5. Avattoir says:

    Somewhat OT: is Ms. Wheeler considering a review of today’s Senate Judiciary Cmte’s confirmation hearing re: nominees Rosenstein and Brand?

    FWIW, both came across more or less as I expected, though distressingly so with respect to Ms. Brand.


    • John Casper says:

      Apologies if you followed her coverage of it on Twitter, available here under “Tweets.”

  6. Cort Youngen Greene says:

    Many state actors, governments, companies and hackers can do these same things and more. When is Wikileaks going to dump some Russian, Iranian, Chinese  and others surveillance data? It’s not just cars, cell phones, smart stoves and refrigs, light bulbs can be hacked also.

    • emptywheel says:

      Absolutely true. But as I tried to suggest above, there’s a very well funded security industry that — Kaspersky and F-Secure aside — tend to focus most closely on Russian, Chinese, and Iranian tools. So those tools are being exposed, because there’s a shit-ton of money to do so.

      Should we not welcome our own state’s tools being exposed, especially if there’s question about whether they’re exposing US companies’ equities in the process?

      • Cort Youngen Greene says:

        Yes, expose them all. Since 2000 I have told people about the FBI and NSA tools on spying and even before that.

        But if you just talk about the US you are leaving out a big part of the world. Example the US is fining ZTE for selling equipment to Iran (even though many US companies used third parties to do the same thing) this equipment was used for many things such as spying on Iranian activist’s in 2009 during uprising against the Iranian regime over the election fraud and repression.

  7. Karl Kolchak says:

    Once again: focusing on the source instead of the content, which with Wikileaks has NEVER been called into question.  As such, the content reveals that any so called liberal cheering on the intelligence community in its war against Trump should be ashamed of themselves.  Let each destroy the other, and we’ll all be better off.

    • lefty665 says:

      While it’s a nice idea, that would leave us with Pence as president. Things could be worse than Trump! A right wing, neocon, religious dingbat leading us on new Crusades is one of them.

  8. scribe says:

    Gotta wonder, EW, whether anyone thought to check an see whether the TeeVee(s) The Donald watches to get his news might have been hacked or, rather, repurposed like those Samsung Smart TVs.
    Be a listening device even when turned off, yadda yadda.

    • emptywheel says:

      Given that the TV hack has been around for 4 years, I’m sure USSS checks for that kind of thing.

  9. PeasantParty says:

    I knew they were doing the tv’s, even risked my reputation on it when I told everyone.  The thing that is bothering me now is the car hijacking.  Which makes all those “conspiracy” theories about Michael Hastings death not so much conspiracy anymore.


    I now think that this is EXACTLY what Hastings had on the CIA and they offed him to keep it in the dark.  Yeah, well.  I know.  You guys think I’m crazy.  So what?  When I’m wrong I always admit it and apologize.


    GREAT JOB, Marcy!


  10. bloopie2 says:

    When they hack my TV, do they put Fake News on it?  That would explain a lot, you know.  Communication is a two-way street.

  11. SpaceLifeForm says:

    Infowar. Information is money.
    For those of you that have never known no internet, I highly recommend that you google
    ‘mad magazine spy vs spy’

  12. CTuttle says:

    I take umbrage with UMBRAGE

    The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

    This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

    The CIA’s Remote Devices Branch‘s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

    With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.


    • lefty665 says:

      Humm, wonder if that is why Brennan was so sure THE RUSSIANS DID IT!!! ?  The circumstantial evidence cited was that the hacks had all the characteristics of Russian state hacking. Curious.

  13. Anon says:

    @bloopie2 With respect to planting Child Porn, I’m afraid that is old news:

    The short version is that child porn is already traded around, and often stored remotely, by computer viruses. Infected machines are already storing content of this type without their owners’ knowledge. It can be costly and difficult to prove that the virus did it although that defense has been used.

  14. lefty665 says:

    Wikileaks puts a chilling frame on this 2013 statement by CIA CTO “Gus” Hunt:

    “Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever,” Hunt said. “It is really very nearly within our grasp to be able to compute on all human generated information.”

    He ends with comments about how the “inanimate is becoming sentient,” how cognitive machines (e.g. Watson) are going to “explode upon us,” and how technology is moving faster than governments, legal systems, and even individuals can keep up. (Business Insider)

    This is from a presentation given by Ira “Gus” Hunt, the CIA CTO, at a recent (2013) tech conference in New York. The slide show is enlightening in its grasp of the future of information technology and its total dedication to the cult of national security.

  15. Ron Jondoe says:

    Given the much larger number of exposed IC exploits vs Snowden’s smaller contribution, and the seemingly minor “news event” this appears to be in the US media, and amongst the Fed Congress critters, dropping charges, expunging the active “shoot on sight” mentality surrounding Snowden, it would seem appropriate to drop all active charges/cases against Snowden and let him re-gain his rights as a US citizen and return to the US (if he so chooses…) without fear of being given a show-trial and Chelsea’d…. The “muted” media response to these explosive revelations (except on alt-media sites like this one…) is amusing, to say the least…

  16. lefty665 says:

    Would have loved to be a fly on the wall when NSA figured out they had to not only gather information but then had to figure out whether it was real or a CIA spoof complete with “fingerprints”.  Puts a whole new complexion on “Spy vs. Spy”. I’d bet that NSA was better at learning what CIA was doing than CIA was at hiding it.

    • SpaceLifeForm says:

      As to the ‘fingerprints’, well that was basically all of the ‘evidence’ that was leaked that pointed to russia. But as is now clear, it may not be evidence at all, leading to fake news.
      (this was always my suspiscion – you can not trust the net. Regarding the veracity of the evidence, i.e., the fingerprints, whether true evidence or not, if the intel is bad, you may get fake news (disinformation), but even if the intel is good, you may still get fake news.
      Intel and news make strange bedfellows)

      As to the NSA being better at learning what CIA was doing than CIA was at hiding it, well maybe that is doubtful. Note that the recent leak of docs contain few classification markings. At least I have seen nothing regarding TS/SCI at this point. If one or others in CIA suspect a NSA mole, you might have an incentive to not classify stuff so as to avoid classification review that a suspected mole would see.

      Speaking of strange bedfellows:
      Top graphic at the following link,

      Which one is NSA and which is CIA?

      • lefty665 says:

        Agree, there was an awful lot of accusatory talk and nada in the way of evidence to back it up. “Intel and news make strange bedfellows” Indeed, especially when the Intel operation making the news is in the propaganda business, like CIA, it is wise to never believe anything they say.  I had not been thinking about an NSA mole (Hayden, mole or turncoat?) so much as NSAs other national technical means, like tracing every byte and bit coming out of Frankfurt, Langley and elsewhere to see if that and their COMINT converges.

        Glad you revived “Spy vs Spy” it was always a bright spot in Mad. For sure CIA is black, but I’m not so sure that makes NSA white by default. Charitably, perhaps various shades of gray for both? “Spy vs Spy” in the new millennium.

        • SpaceLifeForm says:

          You are all GreySpys if your brain is not locked in (i.e., not having decided on Black/White).

          Grey Spy (or “Woman in Grey”)— She debuted in Mad magazine #73 (Sept. 1962) (the strip was temporarily renamed Spy vs. Spy vs. Spy). Grey Spy’s appearances were sporadic, but she always triumphed by using the infatuations of Black Spy and White Spy to her advantage. Prohías explained, “the lady Spy represented neutrality. She would decide for White Spy or Black Spy, and she also added some balance and variety to the basic ‘Spy vs. Spy’ formula.”[3] Grey Spy’s last appearance under Prohías was Mad Magazine #99 (Dec. 1965); she did not appear again until Bob Clarke and Duck Edwing took over the strip.

          • lefty665 says:

            Wow, first time my Spy vs. Spy vs. Spy synapses have fired in more than 50 years. Surprised they’re still in there. Thank you. I remember when she stirred up the strip. The others always fell for her to their detriment. He had run a lot of variations on the Spy vs. Spy theme before introducing her. She made it less predictable and sent a valuable message to us adolescent guys. Don’t be dorks and lose your heads over girls, it won’t end well.

            My maybe faulty memory thinks that was around the time Mad fold-ins became common.

  17. greengiant says:

    “CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.” Told you so, the most sensitive materials, the most sensitive operations ( I speculate), are not classified. You do not leave a trail. Some problems are when you don’t know really know who you are working for, hackers contractors, military etc, they tell you they are from XYZ, but are they really? Have they gone rogue? Same goes for Michael Hastings, thought he was being investigated by the FBI. Could have been someone else.
    Shout out to Sibel Edmonds for showing how the bureaucracy is at best a broken chain of imperial management for which career ending exile is the reward for raising questions.

  18. blueba says:

    I would like to clear up something for my own knowledge. I don’t read this blog often enough to always get a good picture.

    As I recall, emptywheel published mater-of-fact statements that it was the Russians who hacked the DNC. Is that the position today of emptywheel?

    Just as an aside, I think it is a term of derision and belittlement from other journalists against WikiLeaks to call their publications “dumps”.

    Something I notice is that the most important leaks sense Snowden have gone to WikiLeaks or ICIJ and other places and almost none to The Intercept. Maybe it has something to do with trust – that the documents you risked your life for will actually see the light of day rather than “curated” into just another secret pocket.

    • John Casper says:

      “As I recall, emptywheel published mater-of-fact statements that it was the Russians who hacked the DNC.”

      I’m no expert, but don’t recall that.

      There’s evidence that someone in the Ukraine hacked Podesta. IIRC, the last definitive statement was “everyone’s lying.” There could have been multiple hacks.

      • blueba says:

        Or no hacks at all but a leak or hacks maybe, but the leak is what got published.  Which is what has been reported by those close to the situation.  Always, the simplest explanation is the best to go with – a disgruntled DNC employee makes more sense that any other explanation I have seen.

  19. blueba says:

    I guess it’s just because Assange is a Russian operative that he gets all the best leaks while establishment sites such as the NYT or The Intercept don’t.  I’m sure it has nothing to do with trust.  That was true for LuxLeaks and the Panama Papers too.  Those Russians just don’t like Neoliberal establishment outlets I guess, and sense Saint Snowden there are only evil Russians and no more Saints.

    Every single document published by WikiLeaks has been authentic and in the public interest.

    Hiding behind discredited notions of the high authority of journalists to keep documents secret entirely on the grounds that it is within the power of individual journalists to decide what is in the public interest just doesn’t fly any more.

    If you haven’t noticed the entire established order – including especially the establishment journalism – has been deeply corrupted.  The same discredited reasons the NYT and WaPo use to justify their journalism – we are professionals – are the same discredited reasons used to rag on WikiLeaks.

    It seems like there is this clique of journalists who want to be part of the establishment, not oppose the establishment but are on some sort of crusade to “fix” it and prosper inside it.

    The constant smarmy treatment of WikiLeaks is both loathsome and petty.

    How about focusing on the content first and foremost?

    “People will — and already have — treated this as yet another Russian effort to use Wikileaks as a cutout to release documents it wants out there. And that may well be the case.”

    If your writing propaganda you could hardly start an article more cleverly.  Imply even suggest that WikiLeaks is a Russian front or tool or dupe before ever getting to the authentic documents and what they tell us.  Make sure your reader has the question about WikiLeaks in his mind before introducing the actual material so that the material is tainted by the suggestion that it’s really the Russians and WikiLeaks has a bad reputation to the extent that he would obviously want to work with the Russians.

  20. Ron Jondoe says:

    “Speaking to Sputnik about WikiLeaks’ publication of Vault 7, a massive trove of documents exposing the CIA’s hacking and spying capabilities, web security expert Troy Hunt said…” ..”Ultimately, Hunt suggested that the latest WikiLeaks revelations, important as they are, probably can’t match those regarding the NSA made public in 2013. “A few years ago, when news was breaking of the NSA stuff, this was really revolutionary; now it’s like ‘wow, there’s another vulnerability’. Yeah we know, it happens every day! So it’s become just another part of our normal lives.” People, the expert noted, have become very desensitized to these kinds of revelations…”
    As noted in a previous post to this thread, the CIA dump is being trivialized in comparison to NSA capabilities… While it is true that the NSA’s suction pump of personal private data without respect to origin, person, nationality (supposedly…) is another huge issue, the malicious nature of some of the described exploits created/employed by CIA, such as remote manipulation of vehicle driving operations for possible “covert assassinations”, directed data collection from a chosen, specific person’s phone, smart TV, etc, for surreptitious listening/recording for potential blackmail and/or capture/coercion, seems much more malignant than massive data trolling that may or may not even be reviewed by the IC, as supposedly done by NSA… ofc, this fellow Hunt’s opinion is just that and I don’t know what his credentials are that give credence to his opinion that this latest IC revelation is a “tempest in a teacup” due to other IC agency capabilities, but it does seem to give the impression of “move along, nothing to see here…” IMHO, this is something to see and just adds another layer to the depth of govt interference, co-option, parallel investigation capabilities with other IC agencies, invasion of privacy and possible use for various “black ops/wet work” to name a few things that, to me, are “big deals”… and that opinion piece was from Sputnik, a Russian organ, who you would think would be blasting out this information in the loudest ways possible. Oh well, move along, nothing to see or be done here…

  21. J2 says:


    Don’t understand.

    The Wikileaks refers to tens of thousands of targets in SA EU & US. Why would the targets not be worldwide?

    • SpaceLifeForm says:

      Targets likely tied to main ops areas.
      As you observed, not everywhere.
      Lots of reasons to be in those areas of course but also plenty of reasons they would not be in other areas. Think RISK (the board game) and risk (to assets). (asset being a non-greyspy)

    • emptywheel says:

      The IP addresses in question could be CIA controlled command and control locations, or they could be CIA hijacked machines. Both — especially the latter — would raise some interesting questions about CIA abiding by law.

Comments are closed.