Skip to content
Naked Security Naked Security

What WikiLeaks’ massive CIA leak tells us about cybersecurity

The document dump released yesterday by WikiLeaks is huge, but a few themes are emerging as researchers get to grips with its contents

Here we go again.

In 2010, WikiLeaks published a disturbing heads-up video of US helicopters strafing “insurgents” who turned out to be Reuters journalists. Weeks later came Cablegate, a leak by Bradley (now Chelsea) Manning of 251,000 US diplomatic cables.

By the time Edward Snowden’s name became famous in 2013, the mystique around US intelligence agencies was disappearing faster than the movie assassins who fancied a crack at killing Jason Bourne.

Yesterday, WikiLeaks returned with a further instalment dubbed “Vault 7/Year Zero” that exposes the first cache of 7,818 partly redacted web pages and 943 attachments that make up some of the CIA’s most precious software riddles.

What’s inside Vault 7? Let’s start with an interesting sentence from WikiLeaks’ intro:

Year Zero introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of zero day weaponized exploits against a wide range of US and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

Which tells us several things.

The CIA hacks stuff

Of course it does, and doubtless other nation states have been crawling all over TVs and smartphones too. The significance of Samsung TV hacking is not that the CIA will do this to the average citizen – CIA target lists are tiny – but that they can do that at all. As we know from numerous IoT vulnerability stories, these devices have a security problem.

Secure messaging apps are still secure

Apparently, the CIA has been infecting Android and iOS devices to bypass secure messaging software encryption. Except this technique goes back donkey’s years and is even openly used by some police forces. No matter how secure its encryption, no app can stop a compromise of the platform on which the app is running, but using encryption raises the bar for an attacker.

Lots of old zero-days

WikiLeaks documents a pile of zero-days affecting Android and iOS that have been used by the CIA but these all appear to either be old or (in the case of Android) affect very old versions of the OS. As far as we can tell, most will either have been patched or will affect only obsolete devices.

This is mild stuff beside the four completely new zero-days the famous Stuxnet cyberweapon deployed to disrupt Iran’s nuclear program – still a record number for any malware.

Leaks are everybody’s problem

Losing control of spying tools is a disaster, but these are only one piece of a larger US arsenal that includes potent programmes run by the NSA. The bigger menace is that nation states or cybercriminals might get hold of the CIA tools and use them against civilian targets.

False flags

On that topic, Vault 7 reveals that the CIA has started doing precisely the same thing by borrowing dastardly techniques from other malware, including other nation state malware. This muddies attribution because it makes an operation look like someone else’s.

And yet the CIA can’t secure itself

The intriguing issue is how WikiLeaks obtained this cache. A sequence of US intelligence leaks is starting to look less like a trend than the symptom of a deeper reality that nothing can be kept secret by anyone. It’s as if rogue insiders (who may well be the source of this data) have become the ultimate cyberweapon.

Reports suggest that hundreds of thousands people might have had access to highly sensitive US intelligence data at the time of Snowden in 2013. That is not insecure so much as unsecurable. After operating quietly in the shadows for decades, the world of intelligence service secrecy is starting to look like a golden era that has gone for good.




I find your comments somewhat cavalier. The released documents show a bypass for SOPHOS, among other anti-malware companies.There is a note that there is a hack for Notepad++. Those folks have fixed their software. What is Sophos doing? There is an acknowledgement that these tools can and are being used by people outside the CIA. Even if they are not, what is Sophos doing to thwart the CIA hack of your software?


Paul Ducklin wrote a follow-up piece I believe addresses this quite well. If you still have questions after reading it, let us know and we’ll work on more clarity:


There’s one scenario most writers don’t seem to have looked at: honeypots.
If I were the CIA, and I knew I had leaks going on, I would collect up some old or useless information, and spread it out to my potential leak points. And, I would include unique information for each of the possible leak points, so I could identify who leaked the information once it made it to the outside world.
If a person is a leak point, s/he might be a little frightened right now.


I’d wager all intelligence services already do that – letting false data leak to see where it goes and how fast. It’s been widely discussed. Interesting though.


I recall a looooong time ago, Q3 beta was leaked it was altered for each vendor so that if it was leaked they would know who did it. Might have been criminal, but it was one memorable night playing that foggy Tim map. So yeah, the leakers can be found that way.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!