DOJ Indicts "Vault 7" Leak Suspect; WikiLeaks Release Was Largest Breach In CIA History

A 29-year-old former CIA computer engineer, Joshua Adam Schulte, was indicted Monday by the Department of Justice on charges of masterminding the largest leak of classified information in the spy agency's history.

Schulte, who created malware for the U.S. Government to break into adversaries' computers, has been sitting in jail since his August 24, 2017 arrest on unrelated charges of possessing and transporting child pornography. That material was discovered in a search of his New York apartment after Schulte was named as the prime suspect in the cyber-breach one week after WikiLeaks published the "Vault 7" series of classified files. Schulte was arrested and jailed on the child porn charges while the DOJ ostensibly built its case leading to Monday's additional charges.

[I]nstead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found 10,000 illicit images on a server he created as a business in 2009 while studying at the University of Texas at Austin.

Court papers quote messages from Mr. Schulte that suggest he was aware of the encrypted images of children being molested by adults on his computer, though he advised one user, “Just don’t put anything too illegal on there.” -New York Times

Monday's DOJ announcement adds new charges related to stealing classified national defense information from the Central Intelligence Agency in 2016 and transmitting it to WikiLeaks ("Organization-1"). 

The Vault 7 release - a series of 24 documents which WikiLeaks began publishing on March 7, 2017 - reveals that the CIA had a wide variety of tools to use against adversaries, including the ability to "spoof" its malware to appear as though it was created by a foreign intelligence agency, as well as the ability to take control of Samsung Smart TVs and surveil a target using a "Fake Off" mode in which the TV appears to be powered down while eavesdropping.

The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

...

The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques. -WikiLeaks

Schulte previously worked for the NSA before joining the CIA, then "left the intelligence community in 2016 and took a job in the private sector," according to a statement reviewed in May by The Washington Post.

Schulte also claimed that he reported “incompetent management and bureaucracy” at the CIA to that agency’s inspector general as well as a congressional oversight committee. That painted him as a disgruntled employee, he said, and when he left the CIA in 2016, suspicion fell upon him as “the only one to have recently departed [the CIA engineering group] on poor terms,” Schulte wrote. -WaPo

Part of that investigation, reported WaPo, has been analyzing whether the Tor network - which allows internet users to hide their location (in theory) - "was used in transmitting classified information."

In other hearings in Schulte’s case, prosecutors have alleged that he used Tor at his New York apartment, but they have provided no evidence that he did so to disclose classified information. Schulte’s attorneys have said that Tor is used for all kinds of communications and have maintained that he played no role in the Vault 7 leaks. -WaPo

Schulte says he's innocent: “Due to these unfortunate coincidences the FBI ultimately made the snap judgment that I was guilty of the leaks and targeted me,” Schulte said. He launched Facebook and GoFundMe pages to raise money for his defense, which, despite a $50 million goal, has yet to receive a single donation.

As The Post noted in May, the Vault 7 release was one of the most significant leaks in the CIA's history, "exposing secret cyberweapons and spying techniques that might be used against the United States, according to current and former intelligence officials."

The CIA's toy chest includes:

  • Tools code named "Marble" can misdirect forensic investigators from attributing viruses, trojans and hacking attacks to the agency by inserting code fragments in foreign languages. The tool was in use as recently as 2016. Per the WikiLeaks release:

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages."

  • iPads / iPhones / Android devices and Smart TVs are all susceptible to hacks and malware. The agency's "Dark Matter" project reveals that the CIA has been bugging “factory fresh” iPhones since at least 2008 through suppliers. Another, "Sonic Screwdriver", allows the CIA to execute code on a Mac laptop or desktop while it's booting up.
  • The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
  • The Obama administration promised to disclose all serious vulnerabilities they found to Apple, Google, Microsoft, and other US-based manufacturers. The US Government broke that commitment.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.

CIA hackers operating out of the Frankfurt consulate ( "Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover. 

  • Instant messaging encryption is a joke.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

  • The CIA laughs at Anti-Virus / Anti-Malware programs.

CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in the "AV defeats", "Personal Security Products", "Detecting and defeating PSPs" and "PSP/Debugger/RE Avoidance" documents. For example, Comodo was defeated by CIA malware placing itself in the Windows "Recycle Bin", while Comodo 6.x has a "Gaping Hole of DOOM".

You can see the entire Vault7 release here.

A DOJ statement involving the Vault7 charges reads: 

“Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization.  During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence," said Manhattan U.S. Attorney Geoffrey S. Berman. 

On March 7, 2017, Organization-1 released on the Internet classified national defense material belonging to the CIA (the “Classified Information”). In 2016, SCHULTE, who was then employed by the CIA, stole the Classified Information from a computer network at the CIA and later transmitted it to Organization-1. SCHULTE also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system. SCHULTE subsequently made material false statements to FBI agents concerning his conduct at the CIA.

Schulte faces 135 years in prison if convicted on all 13 charges:

  1. Illegal Gathering of National Defense Information, 18 U.S.C. §§ 793(b) and 2
  2. Illegal Transmission of Lawfully Possessed National Defense Information, 18 U.S.C. §§ 793(d) and 2
  3. Illegal Transmission of Unlawfully Possessed National Defense Information, 18 U.S.C. §§ 793(e) and 2
  4. Unauthorized Access to a Computer To Obtain Classified Information, 18 U.S.C. §§ 1030(a)(1) and 2
  5. Theft of Government Property, 18 U.S.C. §§ 641 and 2
  6. Unauthorized Access of a Computer to Obtain Information from a Department or Agency of the United States, 18 U.S.C. §§ 1030(a)(2) and 2
  7. Causing Transmission of a Harmful Computer Program, Information, Code, or Command, 18 U.S.C. §§ 1030(a)(5) and 2
  8. Making False Statements, 18 U.S.C. §§ 1001 and 2
  9. Obstruction of Justice, 18 U.S.C. §§ 1503 and 2
  10. Receipt of Child Pornography, 18 U.S.C. §§ 2252A(a)(2)(B), (b)(1), and 2
  11. Possession of Child Pornography, 18 U.S.C. §§ 2252A(a)(5)(B), (b)(2), and 2
  12. Transportation of Child Pornography, 18 U.S.C. § 2252A(a)(1)
  13. Criminal Copyright Infringement, 17 U.S.C. § 506(a)(1)(A) and 18 U.S.C. § 2319(b)(1)