Inside the secret world ofo CIA’s cyber warriors
Documents released by WikiLeaks give insight into scale of hacking operations
Oand n his workplace bio, he describes himself as a “malt beverage enthusiast”, a fitness buff fond of carrying a backpack full of bricks, and a “recovering World of Warcraft-aholic”. He is also a cyber warrior for the CIA, an experienced hacker whose resume lists assignments at clandestine branches devoted to finding vulnerabilities in smartphones and penetrating the computer defences of the Russian government. At the moment, according to his file, he is working for the Centre for Cyber Intelligence Europe, a major hacking hub engaged in electronic espionage across that continent and others.
The hacker — whose background appears in the thousands of CIA documents posted online on Wednesday by the anti-secrecy organisation WikiLeaks — is part of a digital operation that has grown so rapidly in size and influence in recent years that it ranks alongside spying and analysis divisions that were formed with the CIA itself nearly 70 years ago.
The trove of documents exposed by WikiLeaks provides an unprecedented view of the scale and structure of this operation, which encompasses at least 36 distinct branches devoted to cracking the espionage potential of cellphones, communication apps and computer networks supposedly sealed off from the internet.
But in their descriptions of elaborate exploits and sketches of specific employees, the documents also point to the CIA’s vulnerabilities. As much as it is organised to exploit the pervasive presence of digital technology abroad, the CIA’s own secrets are increasingly created, acquired or stored on computer files that can be copied in an instant.
“This is the double-edged sword of the digitisation of everything,” said Daniel Prieto, who served as director of cybersecurity policy for President Barack Obama. “Think back to the James Bond movies with a guy in the backroom with a camera that looks like a cigarette lighter taking 20 pictures of a weapons design system. Nowadays, one thumb drive can con- tain hundreds of thousands of pages.”
US officials said yesterday that they were still in the early stages of investigating the breach that left WikiLeaks in possession of thousands of sensitive files.
The complexity and magnitude of the theft has prompted speculation that it was carried out by Russia or another foreign government with the skills, resources and determination to target the CIA.
But others said that the decision to put the files on public display, rather than exploit their value in secret, makes it more likely that a disgruntled employee or contractor was responsible.
Daniel Prieto
WikiLeaks said the documents, which the Washington Post could not independently verify, came from a current or former CIA employee or contractor.
If so, that would be consistent with earlier breaches: the exposure of US diplomatic cables in 2010, the Edward Snowden revelations of 2013 and the discovery of a trove of classified National Security Agency files in a suburban Maryland home last year were the work of insiders.
Intelligence officials learned late last year that there was a suspected loss of sensitive CIA information, according to two US officials.
The CIA declined to comment on the authenticity of the documents or the direction of any internal probe under way.
In a statement, a CIA spokesman said that the agency’s mission “is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries . . . It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.”
What WikiLeaks has released so far is not huge, amounting to about 1 gigabyte of data, experts said. And the cache does not appear to include source code for creating hacking tools.
Nonetheless, there are descriptions of tools and techniques that could be used to exploit computer systems as well as “implants” that can be deployed
This is the double-edged sword of the digitisation of everything. Think back to the James Bond movies with a guy in the backroom with a camera that looks like a cigarette lighter taking 20 pictures of a weapons design system. Nowadays, one thumb drive can contain hundreds of thousands of pages.
to collect data once inside a phone or a computer. These tools, or “implants”, are often used in the last stage of the “cyber kill chain” to spy on users, steal their data or monitor their activity.
The exposure of these capabilities is “hugely damaging” and likely will require the CIA to figure out a way to replace them, said Jake Williams, founder of Rendition InfoSec, a cybersecurity firm. “We’ve never seen these tools in the wild.”
The documents contain references to hundreds of hacking tools often with colourful names. One dubbed Brutal Kangaroo is used to take data from a machine without detection by antivirus software. Another called Hammerdrill is designed to get data from devices that are not connected to the internet.
Beyond describing specific weapons, the files provide a remarkably comprehensive bureaucratic map of the cyber divisions and branches that have multiplied across the CIA’s organisational chart in recent years, as well as glimmers of the geek humour shared on internal networks.
As part of a sweeping reorganisation in 2015 under then-CIA Director John Brennan, the agency consolidated much of its computer expertise under a new division, the Directorate of Digital Innovation, that reports directly to the CIA chief.
The bulk of the CIA’s offensive capability appears to reside in an entity called the Centre for Cyber Intelligence, an organisation that oversees dozens of subordinate branches and groups devoted to specific missions and targets, from cracking security on Apple iPhones to penetrating the communications nodes of Isis (Islamic State).
Though the centre is based at CIA headquarters in Northern Virginia, it appears to have major outposts overseas. Among them is a large hacking station at the US Consulate in Frankfurt, Germany, a group whose operations reach across Europe and the Middle East and into Africa, according to the documents.
One of the files offers travelling tips for 20-something hackers making the excursion to Frankfurt. It urges employees to fly Lufthansa: “Booze is free so enjoy (within reason)!” Clearly written for neophyte CIA officers, it cautions against using terms that would betray that “people are not ‘State Department’ employees”. The document also suggests scripts for clearing airport screening: “Breeze through German Customs because you have your cover-for-action story down pat.”
Among those apparently assigned to the Frankfurt base is the engineer who listed World of Warcraft and malt beverages as areas of keen interest on his CIA bio. His name, and that of other employees, was redacted from the WikiLeaks-released pages.
Some specialists believe the heist had to be from within. “I’d be almost positive this material was stolen by an insider,” Williams said.
Some of the documents were marked top secret.
“To be in a position to steal this, you’d be in a position to steal so much more operational data that fits better with WikiLeaks’s narrative” discrediting the agency, Williams said. There would be data on who the CIA is targeting and the access they have — information that would be far more embarrassing to the US and, therefore, material WikiLeaks would presumably be eager to expose.
The files also provide clues to how the CIA has assembled its digital arsenal.
The agency appears to rely heavily on open-source tools used by commercial security firms. The CIA kit also includes “public exploits” — tools posted online that are often traced to hacking groups.