WikiLeaks CIA trove more smoke than fire, experts say

Wikileaks on Friday released its fourth round of documents purportedly leaked from a secure CIA server. And for a fourth time, experts largely agreed the leaks were more smoke than fire.

The experts told The Hill it’s hard to see the documents as anything more than proof the CIA has been doing its job.

Friday’s release came on the one-month anniversary of the first leaks in the series Wikileaks has nicknamed Vault 7. The files describe hacking techniques used by the CIA. 

The latest tranche of documents concerns “Grasshopper,” CIA software designed to install malware on a target system without triggering security software. Grasshopper can evade antivirus programs, a capability that is common in malware.

“I hope, as a taxpayer, they are hacking for intelligence,” said Jake Williams, founder of Rendition Infosec. 

“And if they aren’t avoiding antiviruses when they are hacking, I want my tax money back.”

Similarly, Williams said there’s nothing exceptional about the CIA’s Grasshopper module “Stolen Goods,” which used ideas from a program named Carberp. Carberp is believed to have been designed in Russia, leading some to speculate that the CIA could be using the program to frame Russia for hacking.

But lots of hackers — including criminal ones — use source code or ideas from Carberp because the source code was leaked online. In fact, the manual for Stolen Goods says the CIA completely recoded most of the ideas it used from Carberp.

Williams said he would be more offended if the CIA had not taken advantage of publicly available source code whenever possible.

Nearly all of the general concepts and techniques trumpeted by WikiLeaks in the CIA leaks are well known to hackers. Though the site has publicized that the CIA hacks cell phones and consumer devices, considered hacking cars and takes steps to make its malware hard to analyze, all of those tactics are well known.

Contrary to WikiLeaks, Williams said the documents released Friday may indicate the CIA is fairly restrained in its hacking and careful not to overstep legal and ethical boundaries — a contrast from how many people interpreted the bulk surveillance revealed in the Edward Snowden leaks. 

Williams noted the user guide for the “Stolen Goods” module shows the software was tested against antivirus software from four different manufacturers: Qihoo 360, ESET, Symantec and Kaspersky. The companies that were selected for testing, and those that were not, say a lot about the CIA’s targets, he said.

Qihoo 360 is a major player in Asia but is unknown in most of the West. McAfee and Trend Micro, both popular in the United States, were not included in the tests. 

“If there is something clear, whoever is building this is not targeting Americans,” Williams said. 

The techniques described by the documents are mostly useful for targeted surveillance of individuals, unlike the NSA’s controversial bulk surveillance revealed by Snowden. In fact, many of the techniques described in the Vault 7 releases only work with physical access to devices and can only be installed one at a time.  

WikiLeaks has portrayed the CIA actions described in the documents as more controversial than most cybersecurity and national security experts believe they are. At best, experts find the descriptions WikiLeaks provides of the documents misleading. That includes a series of statements implying that the techniques revealed in the documents could be used to frame other countries for CIA hacks.

“Objectively false,” Williams said about the claims of framing other countries. Software designed to replace text strings in malware code could insert other languages, but would likely never convince anyone that the code was from those countries. In fact, an attack on banks recently attributed to North Korea through analysis of the source code included Russian language artifacts, believed to be an unsuccessful attempt to frame Moscow. 

“Wikileaks had time to do a thorough analysis on these documents,” Williams said. “The fact that they’ve gotten the analysis so wrong makes you wonder who is doing the analysis.”

The documents do, however, show the CIA kept security flaws in popular products secret to use in attacks. But intelligence agencies have been public about their use of these types of flaws. During last year’s San Bernardino investigation, for example, the FBI announced it had contracted a third party to hack a suspected terrorist’s cell phone.

“We learned nothing new,” said Nate Cardozo, senior staff attorney for the Electronic Frontier Foundation, a digital rights advocacy group that has opposed surveillance overreach. 

“What made the Snowden and [Chelsea] Manning leaks so important was we learned about methods, but also targets and violations of civil liberties. Vault 7 is just methods — not about misuse.” 

There are plenty of questions Cardozo has about the CIA’s hacking, including the standards they use to decide which security flaws they should keep secret to use in attacks and which to disclose to manufacturers for repair.

These documents, he said, don’t provide answers to the important questions.  

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.