The anti-secrecy organization WikiLeaks said Tuesday that it has obtained a vast portion of the CIA’s computer hacking arsenal, and began posting the files online in a breach that may expose some of the U.S. intelligence community’s most closely guarded cyber weapons.
WikiLeaks touted its trove as exceeding in scale and significance the massive collection of National Security Agency documents exposed by former U.S. intelligence contractor Edward Snowden.
A statement from WikiLeaks indicated that it planned to post nearly 9,000 files describing code developed in secret by the CIA to steal data from targets overseas and turn ordinary devices including cellphones, computers and even television sets into surveillance tools.
The authenticity of the trove could not immediately be determined. A CIA spokesman would say only that “we do not comment on the authenticity or content of purported intelligence documents.” But current and former U.S. officials said that details contained in the documents suggest that they are legitimate.
Such a breach of U.S. intelligence capabilities, and the potential fallout it might cause among U.S. allies, could pose a significant challenge to President Trump, who in the past has praised WikiLeaks and disparaged the CIA.
WikiLeaks indicated that it obtained the files from a current or former CIA contractor, saying that “the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
“At first glance,” the data release “is probably legitimate or contains a lot of legitimate stuff, which means somebody managed to extract a lot of data from a classified CIA system and is willing to let the world know that,” said Nicholas Weaver, a computer security researcher at the University of California at Berkeley.
Faking a large quantity of data is difficult, but not impossible, he noted. Weaver said he knows of one case of WikiLeaks deliberately neglecting to include a document in a data release and one case of WikiLeaks deliberately mislabeling stolen data, “but no cases yet of deliberately fraudulent information.”
U.S. officials also allege WikiLeaks has ties to Russian intelligence agencies. The website posted thousands of emails stolen from Democratic Party computer networks during the 2016 presidential campaign, files that U.S. intelligence agencies concluded were obtained and turned over to WikiLeaks as part of a cyber campaign orchestrated by the Kremlin.
U.S. intelligence officials appeared to have been caught off guard by Tuesday’s disclosure. Senior White House and Pentagon officials had not been aware of the breach.
One U.S. official said investigators were only beginning to look at the files being posted online and declined to say whether the CIA had anticipated the leak or warned other agencies.
“We’ll see what it is whenever they release the codes,” said the official, who spoke on the condition of anonymity, citing the sensitivity of the matter.
WikiLeaks said the trove comprised tools – including malware, viruses, trojans and weaponized “zero day” exploits – developed by a CIA entity known as the Engineering Development Group, part of a sprawling cyber directorate created in recent years as the agency shifted resources and attention to online espionage.
The digital files are designed to exploit vulnerabilities in consumer devices including Apple’s iPhone, Google’s Android software and Samsung television sets, according to WikiLeaks, which labeled the trove “Year Zero.”
In its news release, WikiLeaks said the files enable the agency to bypass popular encryption-enabled applications – including WhatsApp, Signal and Telegram – used by millions of people to safeguard their communications.
But experts said that rather than defeating the encryption of those applications, the CIA’s methods rely on exploiting vulnerabilities in the devices on which they are installed, a method referred to as “hacking the endpoint.”
WikiLeaks said the files were created between 2013 and 2016, and that it would only publish a portion of the archive – redacting some sensitive samples of code – “until a consensus emerges on the technical and political nature of the CIA’s program.”
The data release alarmed cybersecurity experts.
“This is explosive,” said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. The material highlights specific anti-virus products that can be defeated, going further than a release of NSA hacking tools last year, he said. The CIA hackers, according to WikiLeaks, even “discussed what the NSA’s . . . hackers did wrong and how the CIA’s malware makers could avoid similar exposure.”
Hackers who worked at the NSA’s Tailored Access Operations unit said the CIA’s library of tools looked comparable. The implants, which are back doors, or software that enables a hacker to get into a computer, are “very, very complex” and “at least on par with the NSA,” said one former TAO hacker who spoke on the condition that his name not be used.
Beyond hacking weapons, the files also purportedly reveal information about the organization of the CIA’s cyber directorate, with an organization chart and files that indicate that the agency uses the U.S. consulate in Frankfurt, Germany, as a hub of digital operations in Europe, the Middle East and Africa.
Though primarily thought of as an agency that recruits spies, the CIA has taken on a larger role in electronic espionage over the past decade. In a measure of that shifting focus, the agency created a special office, the Directorate of Digital Innovation, as part of a broad reorganization in 2015, effectively putting cyber work on equal footing decades-old divisions devoted to human spying and analysis.
The CIA’s focus is more narrow and targeted than that of the NSA, which is responsible for sweeping up electronic communications on a large scale around the globe. CIA efforts mainly focus on “close in” operations in which the agency at times relies on individuals to implant code on computer systems not connected to the Internet.
The CIA and NSA have historically been rivals in cyberspace, although, by some accounts, they increasingly have put aside institutional rivalries to join forces in gathering intelligence on adversaries, and they cooperated under the Obama administration in an operation code named Olympic Games aimed at disrupting Iran’s nuclear capability.
The WikiLeaks release revealed that they have sophisticated “stealth” capabilities that enable hackers not only to infiltrate systems, but evade detection, and abilities to “escalate privileges” or move inside a system as if they owned it.
“The only thing that separates NSA from commodity malware in the first place is their ability to remain hidden,” the former TAO hacker said. “So when you talk about the stealth components, it’s huge that you’re seeing a tangible example here of them using and researching stealth.”
The breach, if proven legitimate, adds to WikiLeaks’s expanding library of sensitive U.S. government documents, after previous releases of sensitive U.S. diplomatic cables and military records.
The leak is also likely to create political ripples for the Trump administration. Trump declared “I love WikiLeaks” last October during a campaign rally when he read from a trove of stolen emails about his Democratic opponent, Hillary Clinton.
Trump also initially sided with WikiLeaks, which disputed that its Clinton email archive had been stolen by hackers associated with Russian intelligence services. Trump dismissed the CIA’s conclusion that Russia was behind the hack, but has since said he now thinks Moscow may have been responsible.