Anti-Malware , Cybersecurity , Data Loss

7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks

Firmware and Android Under Fire, But No False Flags Found
7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks

The Vault7 dump released by WikiLeaks details the CIA's alleged "hacking arsenal," across 8,761 documents and files that provide details into a variety of exploit tools and capabilities.

See Also: How the New World of Digital Banking is Transforming Fraud Detection

The leaked information is from 2013 to 2016, but who leaked it - and why - remains an open question.

WikiLeaks, meanwhile, says it's releasing "the largest intelligence publication in history" because it believes that "'cyberwar' programs are a serious proliferation risk," implying that it's irresponsible for an intelligence agency to gather attack code.

Here's how information security experts have reacted to WikiLeaks' claims as well as the dump and information contained therein.

1. The CIA Hacks; News at 11

WikiLeaks says the leaked information is meant "to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber weapons."

But many security experts have responded to the leak by saying, in effect, that it shows the CIA doing what it was designed to do - collecting intelligence to help the president and senior U.S. government policymakers make the best possible national security decisions, via a variety of means.

"CIA's job includes spying on targets who might have various electronics. This is exactly the sort of toolkit you'd expect them to have," cryptographer Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania, says via Twitter, commenting on the types of attack tools revealed in the Vault 7 dump.

"It's not some sort of deep secret that that's the CIA's job. I think it may be on their web page," he adds.

2. Silicon Valley Resists Assange's Offer

Many of the specific exploits have been redacted from the leaks. Assange, in a live-streamed press conference from the Ecuadorian Embassy in London - where he has claimed diplomatic asylum since 2012 - said his organization would share vulnerability details directly with affected firms.

"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," Assange said.

Responding to WikiLeaks offering to work directly with manufacturers, Dublin-based cybersecurity consultant Brian Honan, who advises the EU law enforcement intelligence agency Europol, says via Twitter that it shows "how WikiLeaks is trying to make itself relevant again."

At least some technology industry figures have declined that invitation and questioned Assange's motives, saying that they see him - unwittingly or not - aiding Russian's geopolitical agenda.

Thomas Rid, a professor in security studies at King's College London, asks why WikiLeaks has chosen to dump this data now. "In the recent past they carefully timed releases for political effect," he says via Twitter.

Intentionally or otherwise, the leaks have been seized on by conservative U.S. commentators, such as Fox TV News host Sean Hannity, to cast doubt on the U.S. government's attribution of 2016 presidential election interference to Russia.

3. No False Flags Found

WikiLeaks, in a summary of Vault 7 information, says that the UMBRAGE team - part of the CIA's Remote Devices Branch - "collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states, including the Russian Federation." It's not clear why it singles out Russia.

WikiLeaks also claims: "With UMBRAGE and related projects, the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from." It notes that the capabilities revealed in the leak range from keyloggers and password collection to webcam capture and data destruction.

But security experts say there's nothing to back up WikiLeaks' assertion that the CIA is attempting to run any such false-flag operations using these harvested malware components.

"There's nothing in the CIA #Vault7 leaks that calls into question strong attribution, like Russia being responsible for the DNC hacks," says Robert Graham, CEO of offensive security research firm Errata Security, in a blog post.

According to the CIA documents, the UMBRAGE team "maintains a library of application development techniques borrowed from in-the-wild malware," and that "the goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions."

"What we can conclusively say from the evidence in the documents is that they're creating snippets of code for use in other projects and they're reusing methods in code that they find on the internet," Graham tells The Intercept. "Elsewhere, they talk about obscuring attacks so you can't see where it's coming from, but there's no concrete plan to do a false flag operation. They're not trying to say, 'We're going to make this look like Russia.'"

4. Anti-Virus Check: No Backdoors

One reveal from the leaked documents is that the CIA was sitting on exploits for anti-virus software, including tools built by Finnish security firm F-Secure. Andy Patel, F-Secure's Cyber Gandalf - actual job title - is responsible for having built much of that software. He says F-Secure is reviewing "very seriously" allegations contained in the dump that there's a "by-pass" for F-Secure's anti-virus software.

The discovery of bugs in a security product isn't unusual (see Yes Virginia, Even Security Software Has Flaws).

If there's one upside to the leaked data - and no, the firm says it doesn't plan to pay a bug bounty to the CIA - it's that it shows no collusion between the CIA and anti-virus vendors. "As you can see, nation state adversaries need to make an effort to bypass our products, just like cyber criminals," Patel says.

5. Android at Greater Risk Than iOS

The CIA leaks, which include information as recent as 2016, show that the intelligence agency amassed exploits for mobile operating systems, including Apple iOS and Google Android. And both technology giants have responded to the leaks.

Apple says that it believes that many of the revealed exploits have been patched, as of the latest version of iOS. A spokeswoman tells ISMG in a statement: "Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system."

Google also says it's also continuing to review the leaks. "We're confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities," Heather Adkins, Google's director of information security and privacy, told BuzzFeed News.

The speed with which Google Android (left) versus Apple iOS (right) operating system updates get onto end users' devices.

But most Android users simply aren't getting security and OS updates, and that leaves them vulnerable to having their devices get exploited via known flaws, according to data gathered by F-Secure via its VPN customers. "Here's the big problem - while the latest version of Android OS might be secure - the version of Android actually installed on the vast majority of phones is not. Not by a long shot," says Sean Sullian, a security adviser at F-Secure, in a blog post.

To maximize their security and privacy, Android users need to "choose your hardware with care," he says. "Only a few select vendors are currently focused on providing Google's monthly security updates to end users."

6. Firmware at Risk - Scan It

Some of the leaked attack capabilities have revealed exploits that target firmware vulnerabilities. To help ensure that firmware doesn't get tampered with, Intel Security researchers Christiaan Beek and Raj Samani have "developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems," they say. The open source CHIPSEC framework can be used to assess the security and integrity of a variety of different types of hardware, BIOS, and platform configurations.

Their new CHIPSEC module can also be used to scan for the presence of EFI firmware malware for Mac OS X systems, called DarkMatter.

"EFI firmware malware is a new frontier for stealth and persistent attacks that may be used by sophisticated adversaries to penetrate and persist within organizations and national infrastructure for a very long time," the researchers say in a blog post. "Use open-source CHIPSEC to defend from this threat and stay safe."

7. We're Phish Food

Nation-state attacks and worrying about zero-day flaws has long preoccupied cybersecurity watchers. Without a doubt, weaponized exploits are sexy stuff.

But the longstanding advice about being the target of an intelligence agency stands. That is, if you're a target, then take precautions. For everyone else, focus your priorities. On the hacking front, that means watching out for phishing attacks and safeguarding your passwords, says the operational security expert known as the Grugq, who recommends using a password manager, as many other security experts have long done.

And don't forget to keep your software up to date, says Runa Sandvik, director of information security at The New York Times, via Twitter. "If only we talked about passwords, two-factor and updates as much as we do 0days and nation states," Sandvik says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network