A vast portion of the CIA’s computer hacking arsenal appeared to have been exposed Tuesday by the anti-secrecy organization WikiLeaks, which posted thousands of files revealing secret cyber-tools used by the agency to convert cellphones, televisions and other ordinary devices into implements of espionage.
The trove appeared to lay bare the design and capabilities of some of the U.S. intelligence community’s most closely guarded cyberweapons, a breach that is likely to cause immediate damage to the CIA’s efforts to gather intelligence overseas and place new strain on the U.S. government’s relationship with Silicon Valley giants including Apple and Google.
WikiLeaks, which claimed to have gotten the files from a current or former CIA contractor, touted the trove as comparable in scale and significance to the collection of National Security Agency documents exposed by former U.S. intelligence contractor Edward Snowden.
But while the Snowden files revealed massive surveillance programs that gathered data on millions of Americans, the CIA documents posted so far by WikiLeaks appear mainly to unmask hacking methods that many experts already assumed the agency had developed.
U.S. intelligence officials and experts said details contained in the newly released documents suggest that they are legitimate, although that could not be independently verified, raising new worries about the U.S. government’s ability to safeguard its secrets in an era of cascading leaks of classified data.
The files mention pieces of malware with names like “Assassin” and “Medusa” that seem drawn from a spy film, describing tools that the CIA uses to steal data from iPhones, seize control of Microsoft-powered computers or even make Internet-connected Samsung television sets secretly function as microphones.
The release of so many sensitive files appeared to catch the CIA, the White House and other government entities off-guard. A CIA spokesman would say only that “we do not comment on the authenticity of purported intelligence documents.”
In a statement, WikiLeaks indicated that the initial stockpile it put online was part of a broader collection of nearly 9,000 files that would be posted over time describing code developed in secret by the CIA to steal data from a range of targets. WikiLeaks said it redacted lists of CIA surveillance targets, though it said they included targets and machines in Latin America, Europe and the United States.
The release was described as a huge loss to the CIA by security experts and former U.S. intelligence officials. “It looks like really the backbone of their network exploitation kit,” said a former hacker who worked for the National Security Agency and, like others, spoke on the condition of anonymity, citing the sensitivity of the subject.
The breach could undermine the CIA’s ability to carry out key parts of its mission, from targeting the Islamic State and other terrorist networks to penetrating the computer defenses of sophisticated cyber-adversaries including Russia, China and Iran, former officials and tech specialists said.
“Any exposure of these tools is going to cause grave if not irreparable damage to the ability of our intelligence agencies to conduct our mission,” a former senior U.S. intelligence official said.
If legitimate, the release represents the latest major breach of sensitive U.S. government data to be put on global display in humiliating fashion by WikiLeaks, which came to prominence in 2010 with the exposure of thousands of classified U.S. diplomatic cables and military files. WikiLeaks founder Julian Assange has engaged in an escalating feud with the United States while taking refuge at the Ecuadoran Embassy in London from Swedish sexual assault allegations.
WikiLeaks’ latest assault on U.S. secrets may pose an early, potentially awkward security issue for President Trump, who has repeatedly praised WikiLeaks and disparaged the CIA.
Trump declared “I love WikiLeaks” last October during a campaign rally when he read from a trove of stolen emails about his Democratic opponent, Hillary Clinton, that had been posted to the organization's website.
White House press secretary Sean Spicer declined to comment when asked about the CIA breach during a news briefing Tuesday.
WikiLeaks indicated that it obtained the files from a current or former CIA contractor, saying that “the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
But the counterintelligence investigation underway at the CIA is also likely to search for clues to whether Russia had any role in the theft of the agency’s digital arsenal. U.S. intelligence officials allege that WikiLeaks has ties to Russian intelligence services. The website posted thousands of emails stolen from Democratic Party computer networks during the 2016 presidential campaign, files that U.S. intelligence agencies concluded were obtained and turned over to WikiLeaks as part of a cyber-campaign orchestrated by the Kremlin.
Experts and former intelligence officials said the latest files appear to be authentic in part because they refer to code names and capabilities known to have been developed by the CIA’s cyber-branch.
“At first glance,” the data release “is probably legitimate or contains a lot of legitimate stuff, which means somebody managed to extract a lot of data from a classified CIA system and is willing to let the world know that,” said Nicholas Weaver, a computer security researcher at the University of California at Berkeley.
Faking a large quantity of data is difficult but not impossible, he noted. Weaver said he knows of one case of
WikiLeaks deliberately neglecting to include a document in a data release and one case of WikiLeaks deliberately mislabeling stolen data, “but no cases yet of deliberately fraudulent information.”
WikiLeaks said the trove comprised tools — including malware, viruses, trojans and weaponized “zero day” exploits — developed by a CIA entity known as the Engineering Development Group, part of a sprawling cyber-directorate created in recent years as the agency shifted resources and attention to online espionage.
WikiLeaks labeled the trove “Vault 7” and said that it contains several hundred million lines of code, many of which are designed to exploit vulnerabilities in everyday consumer devices.
In a statement, WikiLeaks said the files enable the agency to bypass popular encryption-enabled applications — including WhatsApp, Signal and Telegram — used by millions of people to safeguard their communications.
But experts said that rather than defeating the encryption of those applications, the CIA’s methods rely on exploiting vulnerabilities in the devices on which they are installed, a method referred to as “hacking the endpoint.”
WikiLeaks said that the files were created between 2013 and 2016 and that it would publish only a portion of the archive — redacting some sensitive samples of code — “until a consensus emerges on the technical and political nature of the CIA’s program.”
The organization did not clarify what achieving such a consensus would entail, but for now it appeared to be withholding fully formed pieces of ready-made code that could be used by other intelligence services or even novice hackers.
Still, the data release alarmed cybersecurity experts, who said the files contain snippets of code that could enable adversaries to replicate CIA capabilities or identify and root out CIA “implants” currently in place.
“This is explosive,” said Jake Williams, founder of Rendition InfoSec, a cybersecurity firm. The material highlights specific anti-virus products that can be defeated, going further than a release of NSA hacking tools last year, he said.
The CIA hackers, according to WikiLeaks, even “discussed what the NSA’s . . . hackers did wrong and how the CIA’s malware makers could avoid similar exposure.”
Hackers who worked at the NSA’s Tailored Access Operations unit said the CIA’s library of tools looked comparable.
The implants — software that enables hackers to remotely control a compromised device — are “very, very complex” and “at least on par with the NSA,” said one former TAO hacker.
Beyond hacking weapons, the files also purportedly reveal information about the organization of the CIA’s cyber-directorate and indicate that the agency uses the U.S. Consulate in Frankfurt, Germany, as a hacking hub for operations in Europe, the Middle East and Africa.
Though primarily thought of as an agency that recruits spies, the CIA has taken on a larger role in electronic espionage over the past decade. In 2015 the agency created the Directorate of Digital Innovation, a division that puts cyber-work on equal footing with long-standing directorates devoted to conventional spying and analysis.
The CIA’s focus is more narrow and targeted than that of the NSA, which is responsible for sweeping up electronic communications on a large scale around the globe. By contrast, CIA efforts mainly focus on “close in” operations in which the agency at times relies on individuals carrying thumb drives or other devices to implant code on computer systems not connected to the Internet.
One of the most intriguing tools described in the files, called “Weeping Angel,” can apparently be used to put certain television sets into a fake “off” mode while activating a microphone that enables the CIA to capture any conversations in the surrounding space.