Home – Implications of WikiLeaks’ Publishing Details of CIA’s Cyber Arsenal

Implications of WikiLeaks’ Publishing Details of CIA’s Cyber Arsenal

This is a collaborative commentary by the Ankura Consulting Cybersecurity and Geopolitical teams. The original article was published on March 21, 2017, and was updated for the LexisNexis Corporate Law Advisory on August 2, 2017.


On March 7, WikiLeaks, the whistleblowing website run by Julian Assange, released a cache of Central Intelligence Agency documents known as Vault 7, which contain details of CIA hacking tools. The cache included approximately 9,000 documents, dating from 2013 to 2016, which describe spyware, malware, and other tools allegedly used by the CIA to bypass encrypted messaging services by penetrating computer and mobile operating systems, including two global U.S. tech companies. It also suggests that developers can inject these tools without the owners’ knowledge, thus turning computers, network routers, smartphones, and web-enabled household appliances, electronics, and smart systems into remote spying devices. The documents also have the potential to reveal unprecedented level of details about the CIA’s electronic spying tools at tremendous cost to U.S. national security.


It has been widely reported in the media that the CIA has identified Russian officials as having fed materials hacked from the Democratic National Committee to WikiLeaks. In fact, it has also been said that the U.S. intelligence community believes WikiLeaks has a relationship with Russian intelligence, even if WikiLeaks is simply being used as an outlet for leaked material damaging to the U.S. On Sept. 7, 2016, in the aftermath of the Russian breach of the DNC’s servers, James Clapper, then-director of national intelligence, stated, “The Russians hack our systems all the time, not just government but also corporate and personal systems.” On March 20, FBI Director James Comey confirmed the existence of an official investigation into the allegation that the Russians did in fact use cyberattacks to interfere in and influence the outcome of the 2016 U.S. presidential election. The Vault 7 release has already inflamed the political dialogue over Russian interference in the 2016 U.S. election, and will now likely contribute to the increasing fear that Moscow is using the same cybotactic to influence upcoming European elections.


It should come as no surprise to anyone that the CIA has invested heavily in leading-edge cyber-hacking methods to further its intelligence-gathering mission. Contrary to the claims of WikiLeaks, the revelations thus far do not indicate vulnerabilities in commercial decryption or encryption tools. Instead, the Vault 7 discoveries indicate that commercial encryption is so strong that the CIA would need to introduce surveillance tools onto each individual device to be able to read data prior to encryption. This process requires a much more laborious and tedious mix of human and technical intelligence, focused specifically on an individual or the individuals being targeted, rather than just overriding technology en masse. The fact that today’s encryption technology is so strong that the CIA cannot break it without embedded surveillance techniques should reassure all who practice good cybersecurity protocols. But everyone should be clear that it does not mean that people and companies are completely safe from other types of cyberattacks, particularly insider threats that bypass encryption by originating behind the firewall or the use of embedded surveillance by increasingly sophisticated cybercriminals.


 Michelle DiGruttolo, head of the Ankura geopolitical advisory practice, said, “It is worrisome that because of this leak, people now think that the CIA can simply turn home appliances into surveillance tools. This is not true. The reason why this leak is concerning is a much greater issue. The real reason is that important coding details connected to cyber tools are now available to criminals, which potentially puts commercial secrets at risk. Also, from a technical standpoint, the leaks have revealed novel and heretofore unknown methods, at least to the average consumer, for transforming everyday electronic equipment into effective surveillance tools.”


Internet of Things Vulnerabilities


 If the WikiLeaks allegations and materials are accurate, this is a clear demonstration of the fundamental vulnerability of the Internet of Things; devices manufactured for mass entertainment and consumer productivity rather than security. For example, the WikiLeaks writer notes that the CIA considered leveraging these newly discovered tactics to exploit a smart TV as a voice-recording mechanism. Luke Tenery, head of the Ankura cybersecurity practice, advises that “organizations should consider that a broad mix of consumer technologies, never identified as such before, can now become threat vectors which might allow intelligence-gathering actors to probe and attack adversaries.” An example of this was the Oct. 21, 2016, IoT distributed denial-of-service attack in which the Domain Name System provider Dyn was significantly disrupted, subsequently impacting the availability of major internet platforms and services across the globe. During this attack, the now-identified Mirai botnet was launched to orchestrate a novel and unprecedented cyber incident using nontraditional devices, including approximately 50,000 closed-circuit television cameras. These devices, in retrospect, were very easily compromised due to the use of simple default passwords. Tenery continues, “The exact same botnet technique could be applied today to launch similar attacks. The CCTV cameras are the tip of the iceberg, as more and more devices—regardless of whether it makes sense or not—are being sold with smart capabilities and with internet connectivity. Hacking communities now have a much larger repertoire of tools to choose from—and their toolbox is growing every day—when they formulate these types of attacks.”


These cyber incidents present a new reality for corporations. Today, cybercriminals are not just compromising company workstation computers, smartphones and company servers. They are now able to hack into a company’s infrastructure using household devices normally located in any company kitchen or breakroom—devices that to date have never needed to be factored in as potential security threats. Who would have considered before this past decade that the breakroom coffee pot might be hacked for nefarious purposes? Further and more frightening examples of what is now possible in daily life include surveillance hacks using televisions and baby monitors.


 Other concerns for corporations to consider include the ways they could be unknowingly vulnerable to attacks on their competitors or other nonrelated businesses. Ankura cybersecurity expert Ted Theisen postulates, “Imagine if a smart toaster in a company kitchen, or another web-connected appliance within a corporate facility, is inadvertently connected to the internet, compromised, and subsequently used as a drone in a botnet collective to attack another corporation. Many hypothetical questions arise. Some of those questions include the following: ‘Is the corporation now responsible for securing nontraditional endpoints? Should corporations hold the provider of the IoT device accountable to ensure no backdoors are open to third parties? Should third parties include governments? Should some devices, such as a toaster, even be connected to the internet and, if they are going to continue to be, regardless of the common sense of it, what are the regulatory requirements needed in this space going forward?’”


A further implication of the Vault 7 postings is the now-reinforced obligation to protect corporate infrastructure from new and unconventional vectors of attack. For example, traditional signature-based security will more than likely be rendered less effective at preventing—let alone initially identifying—these new threats; the CIA leaks reveal the existence of tactics useful for defeating traditional security defenses. Tenery recommends, “These tactics amplify the urgent need for new and highly sophisticated cybersecurity defense and detection mechanisms with a deeper analytical approach to detecting anomalous computing behavior.” Beyond the current common practice of trusting a sole-detection mechanism to block the known “bad’ identified malware, such as the traditional antivirus signature model, more innovative methods need to be devised immediately for the ‘known-unknown bad’ and even for the anticipated and eventual ‘unknown-unknown bad.’ We have to be thinking analytically about how to identify cyber-threat attributes, and we need to do that now.”


Modern corporations are no longer, technologically speaking, simply four walls and a perimeter firewall connecting internal computers to the internet. The modern corporate technology enterprise continues to evolve toward a dispersed and distributed network of individuals and devices. The WikiLeaks revelations confirm the broader industry suspicions that a more complex and interdependent cyber landscape is now in play—availing attackers of yet unseen points of entry. Theisen concludes, “Cyberattacks are on an exponential rise. A cyber-induced catastrophe resulting in extensive physical destruction and human suffering in real time will transcend a mere ‘cost of doing business’ calculation for everyone. Organizations and their stakeholders must begin considering a cybersecurity strategy both holistically and creatively. By doing this, they will be armed and able to maintain the safety of their business data confidentiality, data integrity and data availability for their workforce. This is critical for any business’s cybersecurity and mission assurance responsibilities today.”




Since the original March publication date of this article, the world has seen several additional cyberattack outbreaks—made possible in part by the WikiLeaks Vault 7 cache—that have included breaches to major law firms, to energy infrastructure in the U.S., and to healthcare systems in both the UK and U.S. The scenarios once only considered a mere possibility have moved into a plausible outcome in just months. In the Petya, Wannacry and NotPetya cyberattack incidents, the legal industry is under pressure, as the industry is required to provide guidance to clients in the middle of a cyber incident, as well as honestly and confidently convey to their clients that the technical infrastructure of their firm, and in turn their clients’ data that resides at their firm, is adequately protected. As protective software catches up to the fast-paced actions of today’s cybercriminals, best practices for protection include:

  • Confirming that vulnerability management and patching cycles are maintaining their proper rigor
  • Ensuring backups of highly critical information stores exist
  • For systems that cannot be patched, considering compensating controls such as network segregation and software reputation management to limit exposure to the vulnerability
  • Limiting/controlling the use of power user applications
  • Enabling strong spam filters to prevent phishing emails from reaching end users
  • Scanning all incoming and outgoing emails to detect threats and filter executable files from reaching end users
  • Ensuring antivirus and anti-malware solutions are set to automatically conduct regular scans
  • Managing the use of privileged accounts. Implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary
  • Configuring access controls—including file, directory and network share permissions—with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories or shares
  • Disabling macro scripts from Microsoft® Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications
  • Developing, instituting and practicing employee education programs for identifying scams, malicious links and attempted social engineering
  • Running regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical