15 March 2017

WikiLeaks disclosure exposes rapid growth of CIA digital operations — and agency vulnerabilities

By Greg MillerEllen Nakashima and Julie Tate

On his workplace bio, he describes himself as a “malt beverage enthusiast,” a fitness buff fond of carrying a backpack full of bricks, and a “recovering World of Warcraft-aholic.” 

He is also a cyberwarrior for the CIA, an experienced hacker whose résumé lists assignments at clandestine branches devoted to finding vulnerabilities in smartphones and penetrating the computer defenses of the Russian government. At the moment, according to his file, he is working for the Center for Cyber Intelligence Europe, a major hacking hub engaged in electronic espionage across that continent and others. 

The hacker — whose background appears in the thousands of CIA documents posted online Tuesday by the anti-secrecy organization WikiLeaks — is part of a digital operation that has grown so rapidly in size and influence in recent years that it ranks alongside spying and analysis divisions that were created at the same time as the CIA decades ago. 

The trove of documents exposed by WikiLeaks provides an unprecedented view of the scale and structure of this operation, which encompasses at least 36 distinct branches devoted to cracking the espionage potential of cellphones, communication apps and computer networks supposedly sealed off from the Internet. 

But in their descriptions of elaborate exploits and sketches of specific employees, the documents also point to the CIA’s vulnerabilities. As much as it is organized to exploit the pervasive presence of digital technology abroad, the CIA’s own secrets are increasingly created, acquired or stored on computer files that can be copied in an instant. 

“This is the double-edged sword of the digitization of everything,” said Daniel Prieto, who served as director of cybersecurity policy for President Barack Obama. “Think back to the James Bond movies with a guy in the backroom with a camera that looks like a cigarette lighter taking 20 pictures of a weapons design system. Nowadays, one thumb drive can contain hundreds of thousands of pages.” 

U.S. officials said Wednesday that they were still in the early stages of investigating the breach that left WikiLeaks in possession of thousands of sensitive files. 

The complexity and magnitude of the theft have prompted speculation that it was carried out by Russia or another foreign government with the skills, resources and determination to target the CIA. 

But others said that the decision to put the files on public display, rather than exploit their value in secret, makes it more likely that a disgruntled employee or contractor was responsible. WikiLeaks said the documents, which The Washington Post could not independently verify, came from a current or former CIA employee or contractor. 

If so, that would be consistent with earlier breaches: the exposure of U.S. diplomatic cables in 2010, the Edward Snowden revelations of 2013 and the discovery of a trove of classified National Security Agency files in a suburban Maryland home last year were the work of insiders. 

Intelligence officials learned late last year that there was a suspected loss of sensitive CIA information, according to two U.S. officials. 

The CIA declined to comment on the authenticity of the documents or the direction of any internal probe underway. In a statement, a CIA spokesman said that the agency’s mission “is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries … It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.” 

What WikiLeaks has released so far is not huge, amounting to about 1 gigabyte of data, experts said. And the cache does not appear to include source code for creating hacking tools. 

Nonetheless, there are descriptions of tools and techniques that could be used to exploit computer systems as well as “implants” that can be deployed to collect data once inside a phone or a computer. These tools or “implants” are often used in the last stage of the “cyber kill chain” to spy on users, steal their data or monitor their activity. 

The exposure of these capabilities is “hugely damaging” and probably will require the CIA to figure out a way to replace them, said Jake Williams, founder of Rendition InfoSec, a cybersecurity firm. “We’ve never seen these tools in the wild.” 

The documents contain references to hundreds of hacking tools often with colorful names. One, dubbed “Brutal Kangaroo,” is used to take data from a machine without detection by anti-virus software. Another, called Hammerdrill, is designed to get data from devices that are not connected to the Internet. 

Beyond describing specific weapons, the files provide a remarkably comprehensive bureaucratic map of the cyber-divisions and branches that have multiplied across the CIA’s organizational chart in recent years, as well as glimmers of the geek humor shared on internal networks. 

As part of a sweeping reorganization in 2015 under then-CIA Director John Brennan, the agency consolidated much of its computer expertise under a new division, the Directorate of Digital Innovation, that reports directly to the CIA chief. 

The bulk of the CIA’s offensive capability appears to reside in an entity called the Center for Cyber Intelligence, an organization that oversees dozens of subordinate branches and groups devoted to specific missions and targets, from cracking security on Apple iPhones to penetrating the communications nodes of the Islamic State. 

Though the center is based at CIA headquarters in Northern Virginia, it appears to have major outposts overseas. 

Among them is a large hacking station at the U.S. Consulate in Frankfurt, Germany, a group whose operations reach across Europe and the Middle East and into Africa, according to the documents. 

One of the files offers traveling tips for 20-something hackers making the excursion to Frankfurt. It urges employees to fly Lufthansa: “Booze is free so enjoy (within reason)!” Clearly written for neophyte CIA officers, it cautions against using terms that would betray that “people are not ‘State Department’ employees.” 

The document also suggests scripts for clearing airport screening: “Breeze through German Customs because you have your cover-for-action story down pat.” 

Among those apparently assigned to the Frankfurt base is the engineer who listed World of Warcraft and malt beverages as areas of keen interest on his CIA bio. 

His name, and that of other employees, was redacted from the WikiLeaks-released pages. 

Some specialists believe the heist had to be from within. “I’d be almost positive this material was stolen by an insider,” Williams said. 

Some of the documents were marked top secret. “To be in a position to steal this, you’d be in a position to steal so much more operational data that fits better with WikiLeaks’s narrative” discrediting the agency, Williams said. There would be data on who the CIA is targeting and the access they have — information that would be far more embarrassing to the United States and, therefore, material WikiLeaks would presumably be eager to expose. 

The files also provide clues to how the CIA has assembled its digital arsenal. 

The agency appears to rely heavily on open-source tools used by commercial security firms. The CIA kit also includes “public exploits” — tools posted online that are often traced to hacking groups. 

One document amounts to a catalogue of “exploits” that can be used against Apple’s iOS phone operating system. The entries include descriptions of how they were obtained. 

Some are listed as being “purchased by NSA” before being shared with the CIA. Others appear to have been provided by or developed in collaboration with the British intelligence service GCHQ. 

Several are listed as having been purchased from independent groups or individuals, including one identified as “Baitshop,” an entity described by WikiLeaks as a cyber-arms contractor. 

Some described the damage as extensive but far from permanent. Vulnerabilities in phones and other devices tend to be fleeting, lasting only until the next patch or operating system upgrade. The documents make clear that the CIA has adapted to this timetable and will probably accelerate its development and purchasing cycles to reopen any hacking windows that WikiLeaks closed. 

“It’s not some huge crisis,” said Nicholas Weaver, a computer security researcher at the University of California at Berkeley. The CIA can purchase new exploits or turn to the NSA to help shore up its exposed archive. Buying its way back could be pricey, experts said. Exploits for Apple iPhones can go for $1 million or more. 

Devlin Barrett and Ashkan Soltani contributed to this report.

No comments: