Contents

Press Release
Analysis
Examples
Frequently Asked Questions
Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence (files/orgchart.png) in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election (https://wikileaks.org/ciafranceelections2012).

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force: its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (files/orgchart.png) (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor, stated that "There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in "Year Zero" for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.
Analysis

CIA malware targets iPhone, Android, smart TVs

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart (files/orgchart.png) of the CIA for more details).

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB) (cms/space_753667.html), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs (cms/page_12353643.html) was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks (cms/page_13763790.html). The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones (cms/space_3276804.html). Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone.

Despite iPhone's minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads (cms/space_2359301.html). CIA's arsenal includes numerous local and remote "zero days" (cms/page_13205587.html) developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

A similar unit targets Google's Android which is used to run the majority of the world's smart phones (~85%) including Samsung, HTC and Sony (cms/space_11763721.html). 1.15 billion Android powered phones were sold last year. "Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" (cms/page_11629096.html) which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

CIA malware targets Windows, OS X, Linux, routers

The CIA also runs a very substantial effort to infect and control Microsoft Windows users (cms/page_11628612.html) with its malware. This includes multiple local and remote weaponized "zero days", air-gap jumping viruses such as "Hammer Drill" (cms/page_17072172.html) which infects software distributed on CD/DVDs, infectors for removable media such as USBs (cms/page_13762636.html), systems to hide data in images (cms/page_13763247.html) or in covert disk areas ("Brutal Kangaroo" (cms/page_13763236.html)) and to keep its malware infestations going (cms/page_13763650.html).

Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) (cms/space_3276805.html), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".

Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB) (cms/space_15204355.html).

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below.
CIA 'hoarded' vulnerabilities ("zero days")

In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis, rather than hoard, serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others.

The U.S. government's commitment to the Vulnerabilities Equities Process (https://is.gd/vepvep) came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA, but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.
'Cyberwar' programs are a serious proliferation risk

Cyber 'weapons' are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber 'weapons', once developed, are very hard to retain.

Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces, sometimes by using the very same 'weapons' against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such 'weapons'. Similarly, contractors and companies who obtain such 'weapons' sometimes use them for their own purposes, obtaining advantage over their competitors in selling 'hacking' services.

Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers.

A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.

Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.

Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.
U.S. Consulate in Frankfurt is a covert CIA hacker base

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ("Center for Cyber Intelligence Europe" (cms/page_20251151.html) or CCIE) are given diplomatic ("black") passports and State Department cover. The instructions for incoming CIA hackers (cms/page_26607630.html) make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport"

Your Cover Story (for this trip)
Q: Why are you here?
A: Supporting technical consultations at the Consulate.

Two earlier WikiLeaks publications give further detail on CIA approaches to customs (/ciatravel/) and secondary screening procedures (/ciatravel/).

Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area including France, Italy and Switzerland.

A number of the CIA's electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining (cms/page_20251107.html) provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.
How the CIA dramatically increased proliferation risks

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7", the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems, the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the 'battlefield' of cyber 'war'.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator's intent.

Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires" as if a weapon was being fired. However the analogy is questionable.

Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect a target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.

A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization's leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory including observation, infiltration, occupation and exploitation.
Evading forensics and anti-virus

A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies attribute and defend against attacks.

"Tradecraft DO's and DON'Ts" (cms/page_14587109.html) contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review". Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf) (pdf), describing targets & exfiltrated data (cms/files/Codex Spec v1 SECRET.pdf) (pdf) as well as executing payloads (cms/files/ICE Spec v3 final SECRET.pdf) (pdf) and persisting (cms/files/Persisted DLL Spec v2 SECRET.pdf) (pdf) in the target's machines over time.

CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats (cms/page_2064514.html), Personal Security Products (cms/page_13762910.html), Detecting and defeating PSPs (cms/page_7995642.html) and PSP/Debugger/RE Avoidance (cms/page_2621845.html). For example, Comodo was defeated by CIA malware placing itself in the Window's "Recycle Bin" (cms/page_5341269.html), while Comodo 6.x has a "Gaping Hole of DOOM" (cms/page_5341272.html).

CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure (cms/page_14588809.html).
Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration.

Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

Some example projects are described below, but see the table of contents (cms/index.html) for the full list of projects described by WikiLeaks' "Year Zero".
UMBRAGE

The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA's Remote Devices Branch (cms/space_753668.html)'s UMBRAGE group (cms/page_2621751.html) collects and maintains a substantial library (cms/page_2621753.html) of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.
Fine Dining

Fine Dining comes with a standardized questionnaire, i.e. menu, that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch (cms/space_1736706.html)) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are 'Asset', 'Liaison Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types. The 'menu' also asks for information if recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.
Improvise (JQJIMPROVISE)

'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities like Margarita allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires.
HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is set up for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious looking website.

The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby project.

See the classified user (cms/files/UsersGuide.pdf) and developer (cms/files/DevelopersGuide.pdf) guides for HIVE.
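The HIVE description above gives defenders one concrete handle: in that design only the implant presents a TLS client certificate to the cover domain, while ordinary browsers reaching the same site do not. A workstation performing mutual TLS to an arbitrary external website is therefore a useful hunting signal. The script below is an added example, not code from the WikiLeaks page or from HIVE: it reads a Zeek-style ssl.log (the column names `client_subject`, `client_issuer` and `server_name` are real Zeek fields; the log rows, IP addresses and the `cover-domain.example` host are constructed for this example), flags sessions where an internal client sent a client certificate to an external server, and reports the median interval between such sessions as a beaconing hint.

```python
"""Added detection example (not part of the original page or of HIVE):
flag outbound TLS sessions in which an internal host presents a client
certificate to an external server, and estimate their beacon interval.
The sample log below is constructed; field names follow Zeek's ssl.log."""
import ipaddress
from collections import Counter

# Constructed sample log (tab-separated, Zeek ssl.log layout; "-" = unset).
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tclient_subject\tclient_issuer
1488883200.0\t10.0.0.15\t51000\t203.0.113.10\t443\twww.example.net\tCN=www.example.net\t-\t-
1488883260.0\t10.0.0.15\t51002\t203.0.113.10\t443\twww.example.net\tCN=www.example.net\t-\t-
1488883320.0\t10.0.0.22\t51010\t203.0.113.77\t443\tcover-domain.example\tCN=cover-domain.example\tCN=client-0042\tCN=Constructed Implant CA
1488883380.0\t10.0.0.22\t51012\t203.0.113.77\t443\tcover-domain.example\tCN=cover-domain.example\tCN=client-0042\tCN=Constructed Implant CA
1488883440.0\t10.0.0.22\t51014\t203.0.113.77\t443\tcover-domain.example\tCN=cover-domain.example\tCN=client-0042\tCN=Constructed Implant CA
1488883500.0\t10.0.0.31\t51020\t10.0.0.5\t8443\tvpn.corp.internal\tCN=vpn.corp.internal\tCN=alice\tCN=Corp Device CA
"""

# RFC 1918 ranges stand in for "our network"; adjust to the monitored site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ssl_log(text: str):
    """Parse a Zeek-style log: the '#fields' header names the columns, '-' means unset."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = [None if v == "-" else v for v in line.split("\t")]
        rows.append(dict(zip(fields, values)))
    return rows


def find_external_mtls(rows):
    """Count sessions, keyed by (client, server, SNI), in which an internal
    client presented a client certificate to an external server."""
    hits = Counter()
    for r in rows:
        if r["client_subject"] is None:
            continue  # no client certificate in the handshake: normal browsing
        if not is_internal(r["id.orig_h"]) or is_internal(r["id.resp_h"]):
            continue  # internal-to-internal mTLS (VPN, corporate services) is expected
        hits[(r["id.orig_h"], r["id.resp_h"], r["server_name"])] += 1
    return hits


def beacon_interval(rows, orig_h, resp_h):
    """Median gap in seconds between sessions of one client/server pair,
    or None when fewer than two sessions exist."""
    ts = sorted(float(r["ts"]) for r in rows
                if r["id.orig_h"] == orig_h and r["id.resp_h"] == resp_h)
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    return gaps[len(gaps) // 2] if gaps else None


if __name__ == "__main__":
    rows = parse_ssl_log(SAMPLE_SSL_LOG)
    for (src, dst, sni), n in find_external_mtls(rows).items():
        print(f"{src} -> {dst} ({sni}): {n} mTLS sessions, "
              f"median interval {beacon_interval(rows, src, dst)}s")
```

On the constructed input the only hit is 10.0.0.22 talking to 203.0.113.77 with a client certificate every 60 seconds; the browsing host and the internal VPN client are ignored. Treat this as a triage lead rather than a verdict: some legitimate SaaS and device-management endpoints also require client certificates, so an allow-list of known external mTLS destinations belongs in front of any alerting built on it.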
Frequently Asked Questions

Why now?

WikiLeaks published as soon as its verification and analysis were ready.

In February the Trump administration has issued an Executive Order calling for a "Cyberwar" review to be prepared within 30 days.

While the review increases the timeliness and relevance of the publication it did not play a role in setting the publication date.

Redactions

Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete.

1. Over-redaction: Some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency.
2. Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used a single person may be represented by more than one assigned identifier but no identifier refers to more than one real person.
3. Archive attachments (zip, tar.gz, ...) are replaced with a PDF listing all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted.
4. Attachments with other binary content are replaced by a hex dump of the content to prevent accidental invocation of binaries that may have been infected with weaponized CIA malware. As the content is assessed it may be made available; until then the content is redacted.
5. The tens of thousands of routable IP address references (including more than 22 thousand within the United States) that correspond to possible targets, CIA covert listening post servers, intermediary and test systems, are redacted for further exclusive investigation.
6. Binary files of non-public origin are only available as dumps to prevent accidental invocation of CIA malware infected binaries.
Organizational Chart

The organizational chart (files/orgchart.png) corresponds to the material published by WikiLeaks so far.

Since the organizational structure of the CIA below the level of Directorates is not public, the placement of the EDG and its branches within the org chart of the agency is reconstructed from information contained in the documents released so far. It is intended to be used as a rough outline of the internal organization; please be aware that the reconstructed org chart is incomplete and that internal reorganizations occur frequently.

Wiki pages

"Year Zero" contains 7818 web pages with 943 attachments from the internal development groupware. The software used for this purpose is called Confluence, a proprietary software from Atlassian. Webpages in this system (like in Wikipedia) have a version history that can provide interesting insights on how a document evolved over time; the 7818 documents include these page histories for 1136 latest versions.

The order of named pages within each level is determined by date (oldest first). Page content is not present if it was originally dynamically created by the Confluence software (as indicated on the reconstructed page).

What time period is covered?

The years 2013 to 2016. The sort order of the pages within each level is determined by date (oldest first).

WikiLeaks has obtained the CIA's creation/last modification date for each page but these do not yet appear for technical reasons. Usually the date can be discerned or approximated from the content and the page order. If it is critical to know the exact time/date contact WikiLeaks.

What is "Vault 7"

"Vault 7" is a substantial collection of material about CIA activities obtained by WikiLeaks.

When was each part of "Vault 7" obtained?

Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication.

Is each part of "Vault 7" from a different source?

Details on the other parts will be available at the time of publication.

What is the total size of "Vault 7"?

The series is the largest intelligence publication in history.

How did WikiLeaks obtain each part of "Vault 7"?

Sources trust WikiLeaks to not reveal information that might help identify them.

Isn't WikiLeaks worried that the CIA will act against its staff to stop the series?

No. That would be certainly counter-productive.

Has WikiLeaks already 'mined' all the best stories?

No. WikiLeaks has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series. They're there. Look. Those who demonstrate journalistic excellence may be considered for early access to future parts.

Won't other journalists find all the best stories before me?

Unlikely. There are very considerably more stories than there are journalists or academics who are in a position to write them.