The Atlanta Journal-Constitution
WikiLeaks reveals CIA’s hacking arsenal
Documents catalog tools used to bypass computer security.
WASHINGTON — In what appears to be the largest leak of CIA documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even internet-connected televisions. The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.
A program called Wrecking Crew explains how to crash a targeted computer, and another tells how to steal passwords using the autocomplete function on Internet Explorer. Other programs were called Crunchy Lime Skies, Elder Piggy, Anger Quake and McNugget.
The document dump was the latest coup for the anti-secrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.
The initial release, which WikiLeaks said was only the first installment in a larger collection of secret CIA material, included 7,818 web pages with 943 attachments, many of them partly redacted by WikiLeaks editors to avoid disclosing the actual code for cyberweapons. The entire archive of CIA material consists of several hundred million lines of computer code, the group claimed.
In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the CIA and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”
Unlike the National Security Agency documents Edward Snowden gave to journalists in 2013, the documents released Tuesday do not include examples of how the tools have been used against actual foreign targets. That could limit the damage to national security from the leak. But the breach was highly embarrassing for an agency that depends on secrecy.
There was no public confirmation of the authenticity of the documents, which were produced by the CIA’s Center for Cyber Intelligence and are mostly dated from 2013 to 2016. But one government official said the documents were real, and a former intelligence officer said some of the code names for CIA programs, an organization chart and the description of a CIA hacking base appeared to be genuine.
The agency appeared to be taken by surprise by the document dump on Tuesday morning. A CIA spokesman, Dean Boyd, said, “We do not comment on the authenticity or content of purported intelligence documents.”
In some regard, the CIA documents confirmed and filled in the details on abilities that have long been suspected in technical circles.
“The people who know a lot about security and hacking assumed that the CIA was at least investing in these capabilities, and if they weren’t, then somebody else was — China, Iran, Russia, as well as a lot of other private actors,” said Beau Woods, the deputy director of the Cyber Statecraft Initiative at the Atlantic Council in Washington. He said the disclosures may raise concerns in the United States and abroad about “the trustworthiness of technology where cybersecurity can impact human life and public safety.”
There is no evidence that the CIA hacking tools have been used against Americans. But Ben Wizner, the director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said the documents suggest that the government has deliberately allowed vulnerabilities in phones and other devices to persist to make spying easier.
“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” Wizner said. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
WikiLeaks did not identify the source of the documents, which it called Vault 7, but said they had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
WikiLeaks said the source, in a statement, set out policy questions that “urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source, the group said, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.” But James Lewis, an expert on cybersecurity at the Center for Strategic and International Studies in Washington, raised another possibility: that a foreign state, most likely Russia, stole the documents by hacking or other means and delivered them to WikiLeaks, which may not know how they were obtained. “I think a foreign power is much more likely the source of these documents than a conscience-stricken CIA whistleblower,” Lewis said.