Sophos News

CIA’s “Vault 7” mega-leak was an inside job, claims FBI

The US government has named a suspect – a former CIA employee who worked in a group that designs surveillance tools – in last year’s leak of a huge cache of the agency’s cyber weapons.
WikiLeaks dubbed the leak Vault 7.
The Feds have been investigating Joshua Adam Schulte for months, it turns out. In an 8 January 2018 court hearing, federal prosecutors acknowledged that they believed that Schulte is behind the leak of thousands of the CIA’s confidential documents and files, which were stolen from an isolated, high-security network inside CIA headquarters in Langley, Virginia and handed over to WikiLeaks.
That hearing escaped public notice at the time. As the hearing transcript shows, the prosecutor – Matthew Laroche, an assistant U.S. attorney in the Southern District of New York – said that part of the ongoing investigation was analyzing whether Schulte’s use of Tor was allowing him to hide his location in order to “[transmit] classified information.”
Laroche said in January that Schulte “remains a target of that investigation.”
The ex-CIA employee is now in jail in Manhattan on charges of possessing, receiving and transporting child abuse imagery, according to an indictment filed in September. Schulte has pleaded not guilty to the charges, which concern a large cache of images on a server he maintained. Schulte designed the server years ago to share movies and other digital files, and he argues that between 50 and 100 people have had access to it.
Schulte has written what The Washington Post calls a “lengthy” statement, in which he said that he reported “incompetent management and bureaucracy” at the CIA to that agency’s inspector general as well as to a congressional oversight committee. When he left the CIA in 2016, his complaints made him out to be a disgruntled employee, Schulte said – the “only one to have recently departed [the CIA engineering group] on poor terms.”
Schulte also claims that a planned vacation to Mexico with his brother led the FBI to make a “snap judgment” to target him because it looked like he was guilty of the leaks and was trying to flee.
Schulte has said that he initially cooperated with the FBI’s investigation, but then, following the March 2017 search of his apartment, prosecutors waited six months to bring the child abuse charges.


WikiLeaks called the initial document dump – published on 28 February 2017 and containing 8,761 documents and files – “Year Zero”. WikiLeaks claimed that the Vault 7 series of leaks would be the largest dump of confidential CIA documents in history.
The hacking arsenal painted an intimate picture of the US’s cyber-espionage efforts.
The cyber-attack tools included malware, viruses, Trojans and weaponized zero-day exploits, including those that target a wide range of big tech companies’ most popular products: Apple’s iPhone, Google’s Android, Microsoft’s Windows, and even Samsung TVs, which could apparently be turned into covert microphones.
Schulte was working at the CIA’s Engineering Development Group at the time of the code theft, prosecutors said.

The government immediately had enough evidence to establish that he was a target of that investigation. They conducted a number of search warrants on the defendant’s residence.

According to The Post, which reviewed a copy of the search warrant, when federal authorities searched Schulte’s New York apartment last year, they seized computer equipment, notebooks and handwritten notes.
The evidence wasn’t enough to indict Schulte over the WikiLeaks disclosures. That doesn’t mean the investigation is over, though. A former federal prosecutor told The Post that it’s not unusual to hold a suspect for one alleged crime on unrelated charges – in Schulte’s case, that means the child abuse charges.
The former prosecutor, who spoke on the condition of anonymity, also said that the fact that government lawyers had acknowledged in the public hearing on 8 January that Schulte was a target probably means that they believe he acted alone.