Cybersecurity & Standards, Government Surveillance

Vault 7: The CIA’s cyber capabilities escape from the lab

Reviewing the collection of documents from this week’s Wikileaks release, at times it feels as though one is reading through chat logs taken from a start-up. There are push-up competitions, exploits named after Pokemon, internet memes and supposedly “all the dankest trojans and collection tools for all your windows asset assist and QRC needs.” This is not what one might, at least initially, expect to see when reviewing internal documents from a department within the Central Intelligence Agency (CIA) tasked with developing tools with such damaging capabilities.

Like much of technology, these ‘cyber weapons’ (malicious software including malware, viruses, trojans, weaponized ‘zero day’ exploits and malware remote control systems) aren’t exclusively useful to ‘the good guys’; they can be used for whatever purposes those who possess them wish. The fact that Wikileaks possesses this cache means that someone was able to exfiltrate, and has exfiltrated, malicious software and a large number of documents from the CIA. We do not yet know who is responsible – or to whom this information has additionally been passed – and thus who else now possesses the ability to hack into whichever devices or destroy whatever data these tools permit. One thing we can determine, though, is that the level of security one would hope for at the CIA, for such potentially damaging tools, was not in place.

Cyber weapons, unlike conventional weapons, can, once taken, proliferate and be reused at little or no cost by multiple parties. These weapons can have widespread and systemically dangerous consequences depending upon who acquires them and for what purpose(s) they are used. It is not a question of if these weapons will one day ‘escape the lab.’ As this release reminds us, it is more a question of when.

First light on the CIA’s cyber capabilities

Once again, a large cache of documents – allegedly including malicious software the U.S. government has created for hacking purposes (which Wikileaks has not released) – has been taken from a U.S. intelligence agency. This week, Wikileaks made its first release, ‘Year Zero,’ from an archive dubbed ‘Vault 7.’ According to Wikileaks, this archive “appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” Wikileaks claims this release is 1% of the total archive.

The archive contains documents pertaining to the operations of the CIA Center for Cyber Intelligence over the period 2013-2016. The first release “introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits against a wide range of U.S. and European company products.”

The CIA has been restructuring over recent years to expand into activities more traditionally associated with the signals intelligence work of the National Security Agency (NSA). A major development occurred in 2015 when the CIA created a Directorate of Digital Innovation, in which the Center for Cyber Intelligence is situated. Up until now, only limited information on the activities of this Directorate has been made public. This has made it difficult to understand what capabilities the CIA has developed, how sophisticated these capabilities are, how they are being used and the risk associated with their development.

This release provides partial answers to some of these questions. It raises a number of concerns, which in turn have implications for policy in the U.S. and abroad.

Sharing vulnerabilities and exploits

These documents provide a greater understanding of the extent to which government agencies are involved in the discovery and purchasing of software and hardware vulnerabilities.

The discussion about government discovery and disclosure of vulnerabilities typically revolves around ‘zero days,’ which are, in short, vulnerabilities that are unknown to the product vendor. This in turn typically leads to a discussion about the Vulnerability Equities Process (VEP), which is a policy framework put in place to help determine if and when a zero day discovered or acquired by a U.S. government agency should be disclosed to the vendor for patching.

These documents seem to indicate that there are continuing problems with this process. Vulnerabilities are sometimes found and shared between the CIA, NSA and FBI (in the U.S.) and with MI5 and GCHQ (in the UK). They are sometimes purchased from private sector contractors (e.g. Baitshop). For many, the source is simply attributed to a code name (the majority come from just two sources: ANGLERFISH and FANGTOOTH). Yet it is not clear from this release whether or not these vulnerabilities went through the VEP and if or when they were subsequently disclosed to vendors.

In any case, a narrow focus on disclosure alone might miss the larger picture. If vulnerabilities are found and reported to vendors, there is a period of time before the vendor fixes the flaw (called “patching”). During this time the vulnerability remains open for exploitation and the user remains at risk. Even once a patch is released, however, users might not apply it for some time. If the product is not patched, the user remains at risk. Unfortunately, it appears that some of the vulnerabilities leveraged by these tools have been languishing unfixed for years.

These documents demonstrate that the CIA makes use of publicly disclosed vulnerabilities in its exploits; instead of ‘zero days,’ it also uses ‘old days,’ where vendors have not patched a known vulnerability or users have not applied the patch. For instance, one document mentions a vulnerability released by “Public vulnerability researcher: Steffan Esser (i0nic)” being used in an iOS exploit. Esser claims that his vulnerability, in an Apple product, was disclosed (publicly) and was not patched promptly.
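The two paragraphs above describe an exposure window with two distinct parts: the time between public disclosure and the vendor shipping a fix, and the time between the fix shipping and the user applying it. The following added example (not from the Wikileaks material or from the article) shows how a defender can measure both parts for their own estate. All advisory records, dates and identifiers below are constructed placeholders; the 365-day threshold for “languishing” is an assumption chosen for illustration.

```python
"""Exposure-window audit for publicly known ('old day') vulnerabilities.

Added example with constructed data. For each tracked flaw we record when it
became public, when the vendor shipped a fix (if ever) and when the fix was
applied locally (if ever), then split the exposure into vendor latency and
user latency so the two halves of the problem can be reported separately.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Advisory:
    ident: str                          # placeholder id, not a real CVE number
    disclosed: date                     # date the flaw became public
    patch_released: Optional[date] = None   # vendor fix available (None = not yet)
    patch_applied: Optional[date] = None    # fix installed locally (None = not yet)


def exposure(adv: Advisory, today: date) -> Dict[str, object]:
    """Classify the patch state of one advisory and measure days exposed.

    vendor_days: days from disclosure until a fix existed (or until today).
    user_days:   days a fix existed but was not applied (0 if no fix exists).
    total_days:  days from disclosure until the exposure ended (or until today).
    """
    if adv.patch_released is None:
        state, end = "vendor-unpatched", today
    elif adv.patch_applied is None:
        state, end = "patch-available-not-applied", today
    else:
        state, end = "patched", adv.patch_applied

    vendor_days = ((adv.patch_released or today) - adv.disclosed).days
    total_days = (end - adv.disclosed).days
    user_days = total_days - vendor_days
    return {
        "id": adv.ident,
        "state": state,
        "vendor_days": vendor_days,
        "user_days": user_days,
        "total_days": total_days,
    }


def audit(advisories: List[Advisory], today: date, threshold_days: int = 365) -> List[Dict[str, object]]:
    """Return per-advisory exposure rows, longest exposure first, with a
    'languishing' flag for anything open to a public flaw beyond the threshold."""
    rows = [exposure(a, today) for a in advisories]
    for row in rows:
        row["languishing"] = row["total_days"] > threshold_days
    return sorted(rows, key=lambda r: r["total_days"], reverse=True)


# Constructed sample inventory (placeholder ids and dates, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("PLACEHOLDER-A", date(2014, 1, 15), date(2014, 3, 1), date(2014, 3, 10)),
    Advisory("PLACEHOLDER-B", date(2015, 6, 1), date(2015, 9, 1), None),
    Advisory("PLACEHOLDER-C", date(2016, 11, 1), None, None),
]
SAMPLE_TODAY = date(2017, 3, 9)  # constructed reference date for the report


if __name__ == "__main__":
    for row in audit(SAMPLE_ADVISORIES, SAMPLE_TODAY):
        flag = " <-- languishing" if row["languishing"] else ""
        print(f"{row['id']:14} {row['state']:28} vendor={row['vendor_days']:4d}d "
              f"user={row['user_days']:4d}d total={row['total_days']:4d}d{flag}")
```

Separating `vendor_days` from `user_days` matters because the remedies differ: the first is a vendor-side problem (items 3 and 4 in the list of incentives below), the second is a deployment problem (item 5). A row in the `patch-available-not-applied` state with a large `user_days` value is exactly the ‘old day’ the article describes.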

The takeaway is that one does not need a zero day vulnerability to develop potentially damaging exploits. While attention to zero days and the VEP is welcome, focus also needs to be placed on ways to incentivize vendors to:

  1. Minimize vulnerabilities present in software or hardware to begin with.
  2. Avoid vulnerabilities being inserted into software or hardware during manufacture and transport.
  3. Discover and patch vulnerabilities in software and hardware post release.
  4. Rapidly patch software and hardware in the event that vulnerabilities are reported to the vendor.
  5. Increase the rate at which users subsequently patch their products.

Vulnerabilities in ‘The Things in the Internet of Things’

Hints of what lies in store for the future are scattered throughout this release. Two elements, when brought together, point to risks ahead if action is not taken.

The Center for Cyber Intelligence has an Embedded Development Branch (EDB), which develops exploits for ‘embedded systems’ (termed for a non-technical audience The Things in the Internet of Things). One document recounts a meeting between heads of the EDB in late 2014. Under the sub-heading ‘Potential Mission Areas for EDB,’ a number of items are listed. Three items deserve particular attention: internet of things, vehicle systems, and ICS/SCADA. The latter acronym is of particular concern, referring to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. These systems are essential to the reliable functioning of critical infrastructures, including power and water, as well as widespread manufacturing processes.

In addition, one document explains measures that programmers should take so that their work conceals the presence and/or origin of CIA actions. One simple example, among many more technically complex ones, recommends avoiding US-centric timestamp formats because doing so “Maintains consistency across tools, and avoids associations with the United States.” For an organization that undertakes covert actions, this is to be expected.

Bringing the two concepts together, the development of tools that resist attribution and have the capability to disrupt the functioning of critical infrastructures, in an environment where these tools can be exfiltrated – knowingly or not – and shared, is particularly concerning. Moreover, it has to be remembered that, if the CIA has developed or plans on developing tools for these purposes, then equivalent agencies in other countries are likely to be doing the same. This release is a potent reminder of a dangerous arms race currently underway worldwide revolving around offensive government hacking and of the risks that a new wave of embedded devices (the Internet of Things) will create.