The government agents charged with uncovering foreign secrets have had their own laid bare.
Secret Central Intelligence Agency files published Tuesday paint a portrait many would expect of government cyberespionage efforts, yet they threaten to again disrupt the nation’s digital spying programs.
The nearly 9,000 documents shared online by the anti-secrecy organization WikiLeaks show the CIA sought to observe targets’ conversations, online browsing and other activities by infiltrating the technology that surrounded them, including Apple and Android smartphones, laptops, TVs and even cars. Operatives worked closely with intelligence agencies at U.S. allies to develop the hacking techniques. And they borrowed ideas from adversaries and the private sector too, refining tools that originated from Russia, criminals and university researchers.
Though it’s no surprise the CIA deploys malicious software to gather information about specific individuals, the documents provide the first detailed glimpse into the agency’s hacking capabilities. That unwelcome spotlight on U.S. spycraft could give an edge to enemies and raise fresh troubles for both President Trump and a digital-spying community that’s been battered by repeated leaks this decade. Most concerning is whether further disclosures might reveal an agency that’s overstepped its bounds.
The CIA declined to comment on the files’ authenticity, but WikiLeaks’ track record in vetting leaks and initial analysis by cybersecurity experts gave credence to them.
The data confirm the CIA maintains “an extensive database of cyberweapons,” said Matt Suiche, a well-known hacker who founded cybersecurity start-up Comae Technologies. “It also shows they are buying from third parties, and that they are closely following every advancement” in cybersecurity.
For example, one file details a hacking tactic code-named Fight Club, in which the CIA loads a virus onto USB thumb drives and tries to get them installed on a specific computer by someone who has access to the target's office or home. Another passage describes turning a TV into a listening device by getting someone to infect it with a thumb drive.
Such disclosures are unlikely to have the far-reaching repercussions of those revealed by former National Security Agency contractor Edward Snowden, who in 2013 disclosed domestic spying that bore deep into the Internet. Those revelations frosted the ties between the nation’s tech industry and the law enforcement and intelligence communities. They endangered foreign relations and forced public discussion for the first time about previously inconceivable programs.
The NSA disclosures revealed an agency that conducted surveillance with a broad brush — collecting data from anyone who talks on the phone or surfs online. The CIA files, on the other hand, show spies concentrating on precision attacks that involve being close to a subject to infiltrate specific devices, limiting their application.
But for a guarded organization such as the CIA, disclosures bring unwanted attention and force tactical changes.
“If true, it can certainly set back the agency's cyberprogram,” said Robert Bigman, who served as the CIA's chief information security officer until 2012. After leaks by Snowden, court-martialed Army soldier Chelsea Manning and others in recent years, the Obama administration attempted to crack down on unauthorized disclosures. Yet, someone appears to have compromised a top-secret CIA software development server last year and unleashed the material to the world, experts said.
“They embarrassed our intelligence community,” said John Bambenek, threat systems manager of Fidelis Cybersecurity. “Right now, the biggest issue is that this data got taken away from the intelligence community again — and given to [WikiLeaks founder] Julian Assange again — and how many times does this have to happen before you make this stop?”
WikiLeaks said the documents had been circulating illicitly among former U.S. agents and contractors before being passed to the activist organization, which is known for publishing large, sensitive and compromised databases. Several cybersecurity experts expressed doubts about the claim, though, with some speculating that a foreign intelligence agency may have been behind the dump.
Last year, Russia fed damaging material to WikiLeaks that included emails stolen from Democratic Party leaders as well as Hillary Clinton’s campaign chairman, John Podesta, U.S. intelligence agencies found.
The FBI, CIA and NSA concluded that Moscow “most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity.” The agencies assessed with “high confidence” that Russia's Main Intelligence Directorate had passed Podesta’s emails to WikiLeaks indirectly, allowing the website to deny cooperation with the Russian intelligence agencies, which Assange has done.
Then-presidential candidate Donald Trump praised WikiLeaks at a campaign rally, saying “it’s amazing how nothing is secret today when you talk about the Internet.”
The CIA may be learning that up close this week. The WikiLeaks files contain notes by software developers trying to hack software, including online office banter such as “Dude, this isn't funny code, this is good stuff.” They list the capabilities of different hacking methods and offer broad descriptions of the tactics they used.
WikiLeaks says it redacted the most important details about the cyberattacks developed by the CIA — including the code that reveals the inner-workings of the malware. But just because it’s not out yet doesn’t mean it won’t be published later. WikiLeaks said it might to do so after assessing the benefits and risks.
In Bambenek’s view, everything shared with WikiLeaks should be considered compromised as companies race to fix any newly disclosed flaws in their products and enemies adjust behavior to counteract CIA methods.
“There’s going to be a cost to the utility of these exploits,” he said.
The disclosure reveals the CIA operates at a much smaller scale than the NSA, conducting its business like any hacker outside the government would. Its tools don’t appear more powerful than those of the private sector, and they build upon existing creations as any independent cybersecurity professional does.
Industry experts added that what’s been released so far shows an agency sticking to its mission: Help the president make national security decisions by figuring out what other countries’ leaders are up to.
“The Secret Service suppresses cellphones near the presidential motorcade” to prevent bombs from being triggered, said Robert Graham, chief executive of of Errata Security. “The Air Force flies above in a special airplane that hacks Wi-Fi on the ground. The NSA does remote hacks from across the Internet or via radio. The CIA develops relationships with people across the world, and uses them as part of its operations.”
Some methods described in the documents — including taking over webcams and stealing saved passwords from Internet browsers — didn’t include any indication of how, or if they had been used. Evidence of widespread dissemination of such malware could raise red flags. There also was no immediate evidence that the CIA was hacking into the devices of U.S. citizens.
“If they were using iPhone exploits on Black Lives Matter protesters, now we might be talking of an abuse of power,” Bambenek said.
Public advocacy groups raised questions about whether the CIA was doing enough to tell technology companies about vulnerabilities in their products. Under a practice established under the Obama administration, the government is to carefully weigh whether it’s better to hold onto a secret hacking technique or share it with manufacturers. Not disclosing it could leave U.S. systems vulnerable if adversaries come up with the same method.
“It’s simply a fantasy to believe that only the ‘good guys’ will be able to use these tools,” said Nathan White, senior legislative manager at Silicon Valley-funded Access Now. “It is critical for governments, law enforcement, technologists, and civil society to have an honest conversation about the impact of government hacking in the digital age.”
The documents appear to span a period from 2013 to early 2016, which could explain why devices popularized in the last year such as the Amazon Echo and Google Home virtual assistant speakers weren’t spotted in the trove.
Many tactics mentioned date back years earlier. Makers of protection software apparently defeated by CIA malware offered limited comment, saying the issues are outdated or fixed.
“We will continue to monitor the situation,” one such vendor, Kaspersky Lab, said.
Apple said in a statement that its "initial analysis indicates that many of the issues leaked today were already" fixed in its latest mobile operating system. “We will continue work to rapidly address any identified vulnerabilities,” the statement continued.
7:35 p.m.: This article was updated to include comment from Apple Inc.
This article was originally published at 5:50 p.m.