Vault 7, Year Zero
Unless you live under a rock, you can’t have missed the headlines stating that a bunch of documents and hacking tools, stolen from the CIA, had been handed over to WikiLeaks, who have now released the first part in a partly censored form. It was censored to hide the identities of CIA staff, but also so as not to spread the actual tools of the trade that allowed the likes of the CIA, GCHQ and others to hack Joe Public as, and when, they see fit. WikiLeaks asked people what they should do with the actual tools – release them? Throw them away? Or release them to the tech companies first so they can patch all the vulnerabilities, and then release it all to the public? I voted for the latter and this is also what’s happening.
It is safe to say that the CIA has been in crisis meetings ever since WikiLeaks released the password to the encrypted ~500MB file they had previously made public. The password was “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds”, a quote by President John F. Kennedy given to a journalist sometime in 1966 – shortly before he was assassinated – referring to the CIA and a possible black flag operation directed at Cuba that JFK didn’t approve of. It is clear that some people today don’t approve of the CIA’s actions and operations either, hence the old quote.
So what was this dump then? Well, a lot has been written about this in the media and virtually no one knows what they are talking about… The ~500MB 7z file released by WikiLeaks is a copy of the CIA IOC’s internal Confluence wiki – i.e. their intranet and its live documentation – including all attachments such as pictures, PDFs, archives (gzipped/zipped files) and binaries.
One benefit of Confluence as an internal wiki for any company or organisation is that it’s simple, powerful – and pretty portable, since it doesn’t need a fancy web server with extensions to run. The downside is that it is very simple to copy as long as you have read access – and the boys & girls employed at these shady locations can easily acquire read access even when they’re not supposed to…
Why this happened is simply because government players like the CIA, GCHQ, NSA and their partners in Five Eyes went totally rogue in their quest to acquire information they deemed necessary to secure their respective nations. Instead of just collecting intel old-school style on their identified enemies, they started collecting data on a massive scale, thinking that if they knew everything everyone said on the phone, sent as a text message or by email, they could be one step ahead of their “enemies”. The first known rollout of this global mass-spying organisation and its means of collection was called Echelon. Echelon has “secret” sites in the US, UK, Canada, Australia, New Zealand and possibly the Netherlands and a few more places. They basically put themselves on top of a national communication trunk that carries data for both fixed and mobile communications, radio and internet – and with the help of gigantic supercomputers, and a lot of staff, they basically listen in on EVERYTHING that is transmitted. This isn’t legal in any way, shape or form, but since Five Eyes still won’t admit Echelon even exists – although we know where their sites are – they think they will get away with it, and they have for all these years.
Echelon site at Menwith Hill, Yorkshire, UK. (Photo by Matt Crypto, Wikipedia)
At some stage the CIA obviously decided that they wanted their own version of the NSA, but in-house, so as not to have to answer for their espionage tactics and means, and that’s why the CIA has expanded its own line of methodologies and tools. These in-house tools and tactics can be deployed without the knowledge of the NSA or Congress, and especially not Joe Public – and since everything is classified and top secret you can’t stop them from operating, because that would require admitting to illegal, and secret, activities. Catch-22, in other words, and this is why we have had a few whistleblowers who said enough is enough – even if it meant being locked up for life, having to hide for the rest of their lives – or being terminated by the CIA and its operatives. Shady stuff…
Back to the contents of the Vault 7 leak then.
What we are initially presented with is an organisational chart of the CIA’s Information Operations Center (IOC), and this post will focus on the Engineering Development Group (EDG) box and its underlying departments.
Embedded Development Branch (EDB) has the following mission statement: “To be the premiere development shop for customized hardware and software solutions for Information Operations: utilizing operating system knowledge, hardware design, software craftsmanship, and network expertise to support the IOC Mission.”
Their main responsibility seems to be developing various tools for covert surveillance through exploits and hacking. They have also developed custom hardware like Pterodactyl. Notable projects are Hive, YarnBall, Weeping Angel (Samsung TV exploit), MaddeningWhispers, Sontaran etc.
Remote Development Branch (RDB) focuses on remote intrusion and hacking, but instead of in-house development they buy/steal/borrow their tools and 0day vulnerabilities from various shady hacker groups around the world, and they have an extensive collection in their repository. This is how the UMBRAGE team describes itself: “The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware. The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications.” Their main focus seems to be data collection and intrusion.
Operational Support Branch (OSB) seems to be a collection of shadier, less “government”-type employees, and they describe their projects like this: “Ah yeah, OSB Projects y’all! You know we got the all the dankest trojans and collection tools for all your windows asset assist and QRC needs.” Hardly standard vocabulary for a CIA employee…
They are a bunch of crackers who solely develop tools and vulnerabilities to penetrate target devices in order to monitor, collect data and leave backdoors for future access, plus tools for decrypting target data. OSB seems to be where the best coders/programmers/crackers work. Some of their work is really well made! OSB has the most, and best, documented parts of the intranet, with everything a new employee needs to get up and running through to detailed project and tool pages. This will be very interesting to read when WikiLeaks releases the uncensored version, which includes source code! Although I don’t approve of the methods the CIA is using, I can still enjoy well-written shady code!
Mobile Development Branch (MDB) is either a very small, or a new, team, because they have very little posted on this Confluence wiki. Only one project is listed – Tomahawk. A qualified guess is that they do the in-house mobile development for Android and iOS.
Automated Implant Branch (AIB) seems to focus on automation, and more specifically test automation. They might be responsible for running automated test suites to find vulnerabilities and ways around anti-virus software?
Network Devices Branch (NDB) is responsible for setting up, and running, all back-end servers for all tools deployed and used within EDG. They have an impressive list of hardware under their administration.
Technical Advisory Council (TAC) probably consists of more senior engineers who are responsible for requirements and standardisation. They also own processes like code review etc.
CCI Europe Engineering provides ad hoc engineering support for deployment of EDG tools in both unilateral and liaison operations in Europe, Africa and the Middle East. These are the people who base their operations in the US consulate in Frankfurt, Germany, posing as tech support. They have a whole page on their wiki on just how to behave when in transit to Frankfurt, and how to “breeze through customs with a well prepared cover”. Their standard phrase if asked why they have travelled to Frankfurt is “Supporting technical consultations at the Consulate.” As they are posing as consulate personnel they are exempt from searches. They have a complete, detailed list of everything you’d need while temporarily relocated to the Frankfurt office – down to the tiniest detail. This means that they travel often and that it involves a lot of people. Hacking foreign nationals on foreign soil… That’s highly illegal last time I checked, and to do it while flying under “diplomatic status” must breach several pages of paragraphs…
When in Frankfurt, Germany, they can travel to other Schengen countries without using a passport – hence why they use this consulate as a shady front to get in with diplomatic papers. Germany is not impressed at learning this from the leak and has started an investigation, but since they can’t enter the premises there’s no chance they will ever find out the size of the operation. Consulates and embassies are often used by intelligence services because they can work locally but undisturbed, and they can travel further with diplomatic papers, or no papers at all.
This is only a small part of what was stolen
The Confluence dump contained a lot of details about the people who work at EDG, and WikiLeaks has carefully removed all such references from all files and images. Scripts deemed OK for release have been converted into PDF documents to render them safe in case they are harmful, but all source code in the first release has been removed so as not to create thousands of mini-CIA teams causing mayhem before the vulnerabilities have been patched. This data will be released to the affected vendors, though, so any bugs and vulnerabilities can be patched asap. Here is what WikiLeaks says about the redactions in this release:
Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete.
- Over-redaction: Some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency.
- Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used a single person may be represented by more than one assigned identifier but no identifier refers to more than one real person.
- Archive attachments (zip, tar.gz, …) are replaced with a PDF listing all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted.
- Attachments with other binary content are replaced by a hex dump of the content to prevent accidental invocation of binaries that may have been infected with weaponized CIA malware. As the content is assessed it may be made available; until then the content is redacted.
- The tens of thousands of routable IP address references (including more than 22 thousand within the United States) that correspond to possible targets, CIA covert listening post servers, intermediary and test systems, are redacted for further exclusive investigation.
- Binary files of non-public origin are only available as dumps to prevent accidental invocation of CIA malware infected binaries.
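The redaction rules above (archives replaced by a listing of their file names, other binaries replaced by a hex dump so nothing can be accidentally executed) are a generic safe-handling pattern for untrusted attachments. The script below is an added example, not WikiLeaks’ or the CIA’s own tooling, of how such a pass can be implemented: it classifies each attachment by content, lists archive members without extracting them, and hex-dumps anything else that isn’t plain text. The sample attachments are constructed inside the script, the listing is emitted as plain text rather than a PDF, and the `defang`, `archive_listing` and `hex_dump` names are my own.

```python
"""Defang untrusted attachments: archives -> member listing, other binaries ->
hex dump, plain text -> passthrough.  Added example; the real redaction tooling
used for the release is not on the page and is not what this is."""
import io
import tarfile
import zipfile


def is_text(data: bytes) -> bool:
    """Treat data as text only if it has no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def archive_listing(data: bytes):
    """Return member names of a zip or tar(.gz) archive, or None if not an archive.
    Only the directory/headers are read; member contents are never extracted."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            return tf.getnames()
    except tarfile.TarError:
        return None


def hex_dump(data: bytes, width: int = 16) -> str:
    """xxd-style dump: offset, hex bytes, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return "\n".join(lines)


def defang(name: str, data: bytes) -> dict:
    """Classify one attachment and return its safe rendering."""
    if is_text(data):
        return {"name": name, "kind": "text", "content": data.decode("utf-8")}
    members = archive_listing(data)
    if members is not None:
        return {"name": name, "kind": "archive", "content": "\n".join(members)}
    return {"name": name, "kind": "hexdump", "content": hex_dump(data)}


def build_samples() -> dict:
    """Constructed sample attachments (nothing here comes from the dump)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("tool/README.txt", "hello")
        zf.writestr("tool/build.sh", "#!/bin/sh\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tf:
        payload = b"int main(void){return 0;}\n"
        info = tarfile.TarInfo("src/main.c")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    fake_exe = b"MZ" + b"\x90" * 14 + b"\x00" * 48  # constructed DOS-header fragment
    return {
        "tool.zip": zbuf.getvalue(),
        "src.tar.gz": tbuf.getvalue(),
        "dropper.exe": fake_exe,
        "notes.txt": b"meeting at 10:00\n",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        safe = defang(name, data)
        print(f"== {safe['name']} ({safe['kind']})\n{safe['content']}\n")
```

Archive members are enumerated from headers only, so a malicious member body is never touched, and the hex dump is pure text: a reader can inspect a binary without any chance of a viewer or shell interpreting it.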
Reading further among all these pages from their intranet, it is clear that the CIA has taken the liberty to bend the law as far as it could and stopped at nothing to get the data they so badly wanted/needed. In order to avoid, or at least minimise, the risk of getting caught they have cleverly – on purpose – used hacking tools obtained from shady eastern European hacking groups, because these would leave traces looking like “Russian hackers”. They have gone so far as to ensure the compilation timestamps on all files fall within the usual working hours of eastern Europe! Reading this – clearly described in detail – while at the same time reading the allegations that “The Russians hacked the DNC” or “The Russians hacked the election” makes you think…
…what if it was the CIA that “hacked” some servers at the DNC, on orders from the NSA or even POTUS, in order to leave tracks and cover up the actual insider leak that gave WikiLeaks the Clintons’ private emails? What if?
Makes you think… 😉
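Compile timestamps only make sense as evidence once you know how weak they are. The following is an added example, not from the page nor from any tool it mentions: it reads the COFF `TimeDateStamp` out of a constructed minimal PE header and shows the same build time in a few fixed-offset time zones, so an analyst can see that one timestamp lands inside “working hours” for several regions at once. The zone table (standard-time offsets, no DST) and the 09:00–18:00 weekday window are assumptions for illustration, and the field is a single 32-bit integer that the builder controls, which is exactly why the paragraph above is plausible.

```python
"""Read a PE file's COFF TimeDateStamp and assess it against a working-hours
window in several time zones.  Added example with constructed input."""
import struct
from datetime import datetime, timedelta, timezone

# Assumed, simplified zone table: fixed standard-time offsets, no DST handling.
ZONES = {
    "US Eastern (UTC-5)": -5,
    "UTC": 0,
    "Eastern Europe (UTC+2)": 2,
    "Moscow (UTC+3)": 3,
}


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header (not a real binary)."""
    hdr = bytearray(0x40 + 4 + 20)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> offset of "PE\0\0"
    hdr[0x40:0x44] = b"PE\x00\x00"
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp; rest left zero.
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 1, timestamp)
    return bytes(hdr)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 4 bytes (signature) + 4 bytes (Machine, NumberOfSections) in.
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def in_working_hours(local: datetime) -> bool:
    """Assumed office window: Monday-Friday, 09:00 up to 18:00 local time."""
    return local.weekday() < 5 and 9 <= local.hour < 18


def assess(data: bytes) -> dict:
    """Map each zone label to (local time string, inside working-hours window)."""
    utc = pe_timestamp(data)
    result = {}
    for label, offset in ZONES.items():
        local = utc.astimezone(timezone(timedelta(hours=offset)))
        result[label] = (local.strftime("%Y-%m-%d %H:%M"), in_working_hours(local))
    return result


if __name__ == "__main__":
    sample = build_sample_pe(1488974400)   # constructed: 2017-03-08 12:00:00 UTC (a Wednesday)
    for label, (when, ok) in assess(sample).items():
        print(f"{label:24} {when}  working hours: {ok}")
```

Run on the constructed sample, the same noon-UTC build is “after hours” on the US East Coast but squarely inside the working day in both Eastern Europe and Moscow, which is the point: a timestamp narrows nothing down on its own, and anyone who can write 4 bytes into a header can choose it freely.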
The CIA today obviously employs a lot of good, but shady, programmers/hackers/engineers who love hacking, good or evil – regardless of whether it’s for the government and is illegal. The problem is that the CIA can’t employ the really shady ones, so they are brought in as subcontractors via various firms. The problem with these people is that they hack for a living and the satisfaction of success is the true salary – not the paycheck. Let them into the CIA and it won’t take long before they do the same there – in order to get a real buzz!
This leak isn’t a hack at all; it’s merely someone who made a tarball, like this “tar -zcvf 1337-c14-ph1l3s.tar.gz confluence-web-root”, and pulled the file out on a USB memory stick or similar. Apparently this was circulated among some of these really shady people outside work until one of them decided that this is bad and sent it to WikiLeaks. The CIA has probably been in meetings ever since the password was posted and the data was out. This means that ALL tools, vulnerabilities, processes and methods are void and they have to start from scratch! OK, they probably have other tools and gizmos already in the pipeline, and it’s possible that GCHQ might have new(er) stuff for the CIA to buy – and let’s not forget that they buy EVERY 0day that hackers worldwide are selling to the highest bidder! But the beans are spilled and people are now looking at the CIA and demanding answers. Governments are demanding answers. Countries are demanding answers. Even other agencies are demanding answers!
This is about as deep as I go in this first part and there is a lot to read, although most of it is stuff I already knew – but there are some really interesting bits in there and I’ll try to focus on a few of them next time!
Lastly I want to say that intelligence is important and we need the likes of the CIA, NSA, FSB, GCHQ, MI5 etc. to gather data in order to avoid major issues – but spying on everyone by processing all phone calls, text messages and emails – and storing them and the details of who said what to whom for future cross-referencing etc. – is NOT acceptable! It is NOT acceptable to use a consulate as a covert hacking site! It is NOT acceptable to withhold information about serious vulnerabilities in computer and phone software from the manufacturers! It is NOT acceptable to leave traces to try to pretend you are “Russian hackers”! Get your shit sorted!
Also, the CIA got caught. Don’t think for a second that GCHQ, MI5, MI6, FSB, NSA, ASIO and other major players in the field are any less bad.
Final note: I have not used any data from the CIA Confluence dump here, nor done any copying & pasting, simply because the data being out doesn’t mean it’s any less classified. I don’t live in the US so they can’t touch me regardless, and I know my rights and their rights – but as someone who’s been working with classified data all his life I do respect the meaning of NDAs and secrecy. I do think it was the right thing to leak this, but the data is available on WikiLeaks for you to read, so I’m not going to use it for padding. I will write about my findings, my view and why we should care – and get upset about this.