The WikiLeaks “Vault 7” series, which exposed a number of the CIA’s secret hacking tools, was the major cybersecurity news item of early 2017. A special Wikileaks Task Force was quickly appointed to investigate the issue internally, but the result of this investigation was not made available to the public.
Some insight into that process has finally become available thanks to a declassified portion of the report’s findings being attached to a letter to the Director of National Intelligence (DNI). Among other things, it indicates that the CIA had become too focused on the development of cyber weapons and that the agency was riddled with systemic access control issues.
How Wikileaks embarrassed the CIA
Wikileaks began publishing its Vault 7 series in early March 2017, but the information had been obtained and allegedly leaked by CIA software engineer Joshua Schulte almost a year earlier. The stolen documents, 34 terabytes of information (about 2.2 billion pages) in total, detailed a wide variety of CIA hacking tools that were in use or development from 2013 to 2016. These included some highly disturbing capabilities: the ability to hack the cameras and microphones of smart TVs, hidden beacons in documents designed to track whistleblowers, and zero-day exploits for a number of major operating systems and web browsers, as well as for Cisco routers.
During his trial, the government alleged that Schulte had intentionally leaked the documents because he was a disgruntled employee looking for revenge on former colleagues and co-workers. Schulte’s lawyer countered with the argument that CIA cybersecurity was so poor that it was impossible to tell who the leaker of the hacking tools actually was. The early 2020 trial ended in a hung jury, with a retrial pending with an uncertain date due to the coronavirus.
While the truth of the case may well be somewhere in the middle, the letter from Senator Ron Wyden of Oregon (ranking member of the Committee on Finance and member of the Select Committee on Intelligence) to DNI director John Ratcliffe certainly bolsters the points of the defense. The letter cites portions of the 2017 task force investigation’s report that were made public in court filings earlier this year, highlighting “multiple ongoing CIA failures” that the senator believes stem from intelligence agency exemptions from blanket federal Department of Homeland Security (DHS) cybersecurity directives.
The task force report found that day-to-day security at the CIA’s Center for Cyber Intelligence (CCI) had become “woefully lax” as the agency put all of its focus into developing new cyber weapons. Admin-level passwords were reportedly shared among employees, sensitive hacking tools were not compartmented, there were no mitigation plans in place in the event sensitive cyber weapons were compromised, and there were no security controls on the use of removable media. The stolen information also apparently resided on a server that had neither user activity monitoring nor auditing capability, leaving the agency completely unaware of the breach until Wikileaks published the hacking tools nearly a year later.
The hacking tools described in the Wikileaks report also exposed the existence of Longhorn, a CIA-run advanced persistent threat (APT) group that may have been active since 2007. The group was implicated in attacks in the Middle East, Europe, Asia, and Africa during this time; Symantec had suspected US involvement since 2014, but the unique malware code confirmed it.
The report goes on to note that these failures are not unique to the CIA, citing unaddressed concerns from evaluations conducted by the Inspector General’s office at other agencies. The common theme seems to be the ability of intelligence agencies to exempt themselves from DHS cybersecurity requirements, putting too much of a focus on collaboration in the creation of new hacking tools.
A history of breached hacking tools
While the Wikileaks incident represents an egregious internal security failure on its own merits, it’s that much worse considering that it came only a few short years after the internal intelligence breaches by Chelsea Manning and Edward Snowden.
One clear thread between all of these incidents is poor access control, with lower-level employees essentially handed the “keys to the kingdom” and with inadequate measures in place to track their activity in the event of a breach. While this is a common state of affairs at many organizations, it is somewhat shocking to see an American spy agency doing no better. The agency may have been relying too heavily on front-end screening to determine the risk of an employee or contractor engaging in unauthorized access of information and hacking tools.
Chris Roberts, Hacker in Residence at Semperis, provides additional observations on basic best practices that were not followed: “… there are some basic things AND some basic attack vectors that we all know, understand, and recognize in our industry, and when those basics are not followed, or red tape gets in the way of sensible decisions, that’s when mistakes happen, and adversaries or bad actors/internal threats can take advantage of a situation. So, if authentication and Active Directory were well monitored, managed, and controlled, you’d certainly slow down someone trying to get to the data. You put correct access controls, oversight, and reporting on that sensitive data. You’ve got another layer for someone to deliberately break through (and you NOT to notice the alerts), and then exfiltration: you can only walk out with something IF someone lets you.”
It is impossible to tell to what degree the intelligence agencies have shored up their systems since the 2017 Wikileaks incident, but new legislation may force some changes if they have not been made voluntarily by those that are exempt from DHS standards. A March report from the Cyberspace Solarium Commission called for an improved and layered cybersecurity strategy for the whole of the United States government, recommending that the National Cyber Strategy be updated and that the Cybersecurity and Infrastructure Security Agency be expanded and strengthened. Among the measures it proposes is having the Department of Defense conduct regular vulnerability assessments. Expansion of DHS cyber authority may also be on the table given the contents of the report.