WikiLeaks: Vault 7: CIA Hacking Tools Revealed

Year Zero Press Release

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting of French political parties and candidates in the lead-up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal, including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows, and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force: its own substantial fleet of hackers.
The agency's hacking division freed it from having to disclose its often controversial operations to the NSA, its primary bureaucratic rival, in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016 its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA", with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber weapons.

Once a single cyber "weapon" is "loose" it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor, stated that "There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of 'Year Zero' goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."
WikiLeaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of "armed" cyber weapons until a consensus emerges on the technical and political nature of the CIA's program and how such "weapons" should be analyzed, disarmed and published.

WikiLeaks has also decided to redact and anonymise some identifying information in "Year Zero" for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model, and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Analysis

CIA malware targets iPhone, Android, smart TVs

CIA malware and hacking tools are built by the EDG (Engineering Development Group), a software development group within the CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate of Digital Innovation), one of the five major directorates of the CIA (see the organizational chart of the CIA for more details).

The EDG is responsible for the development, testing and operational support of the malware used by the CIA in its covert operations worldwide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a "Fake-Off" mode, so that the owner falsely believes the TV is off when it is on. In this mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks.
The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smartphones. Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications, as well as to covertly activate the phone's camera and microphone.

Despite iPhone's minority share (14.5%) of the global smartphone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. The CIA's arsenal includes numerous local and remote "zero days" developed by the CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

A similar unit targets Google's Android, which is used to run the majority of the world's smartphones (about 85%), including Samsung, HTC and Sony. 1.15 billion Android-powered phones were sold last year. "Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days", which it has developed itself and obtained from NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloakman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

CIA malware targets Windows, OSX, Linux, routers

The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air-gap jumping viruses such as "Hammer Drill", which infects software distributed on CD/DVDs, infectors for removable media such as USBs, and systems to hide data in images or in covert disk areas.
The CIA has also developed several attack systems for automated infestation and control of its malware, such as "Assassin" and "Medusa". Attacks against Internet infrastructure and web servers are developed by the CIA's Network Devices Branch (NDB).

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE", which is described in the examples section below.

CIA "hoarded" vulnerabilities ("zero days")

In the wake of the leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis, rather than hoard, serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft and other U.S.-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers place huge swathes of the population and critical infrastructure at risk from foreign intelligence services or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities, so can others.

The U.S. government's commitment to the Vulnerabilities Equities Process came after significant lobbying by U.S. technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive, and some may already have been found by rival intelligence agencies or cyber criminals.

As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts.
The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA, but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google, the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.

"Cyberwar" programs are a serious proliferation risk

Cyber "weapons" are not possible to keep under effective control.

While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber "weapons", once developed, are very hard to retain.

Cyber "weapons" are in fact just computer programs, which can be pirated like any other. Since they are entirely comprised of information, they can be copied quickly with no marginal cost.

Securing such "weapons" is particularly difficult, since the same people who develop and use them have the skills to exfiltrate copies without leaving traces, sometimes by using the very same "weapons" against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies, since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such "weapons". Similarly, contractors and companies who obtain such "weapons" sometimes use them for their own purposes, obtaining advantage over their competitors in selling "hacking" services.
Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allen Hamilton, has been subject to an unprecedented series of data exfiltrations by its own workers. A number of intelligence community members have been arrested or subjected to federal criminal investigations in separate incidents.

Most visibly, on February 8, 2017 a U.S. federal grand jury returned an indictment on multiple counts of mishandling classified information. The Department of Justice alleged that it had seized some 50,000 gigabytes of information taken from classified programs at NSA and CIA, including the source code for numerous hacking tools.

Once a single cyber "weapon" is "loose" it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.

U.S. Consulate in Frankfurt is a covert CIA hacker base

In addition to its operations in Langley, Virginia, the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe. CIA hackers operating out of the Frankfurt consulate ("Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover. The instructions for incoming CIA hackers make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport." Your cover story for this trip: "Why are you here?" "Supporting technical consultations at the Consulate." Earlier WikiLeaks publications give further detail on CIA approaches to customs and secondary screening procedures.

Once in Frankfurt, CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open-border area, including France, Italy and Switzerland.

A number of the CIA's electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high-security networks that are disconnected from the internet, such as police record databases.
In these cases, a CIA officer, agent or allied intelligence officer acting under instructions physically infiltrates the targeted workplace. The attacker is provided with a USB device containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects the machine and exfiltrates data. For example, the CIA attack system "Fine Dining" provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.

How the CIA dramatically increased proliferation risks

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market-valuable part of "Vault 7" (the CIA's weaponized malware, implants plus zero days, its Listening Posts (LP) and its Command and Control (C2) systems) the agency has little legal recourse. The CIA made these systems unclassified.

Why the CIA chose to make its cyber arsenal unclassified reveals how concepts developed for military use do not easily cross over to the "battlefield" of cyber "war".

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber "arms" manufacturers and computer hackers can freely "pirate" these "weapons" if they are obtained.
The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance, including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode; if it does not, that is not the operator's intent.

Over the last decade U.S. hacking operations have increasingly been described in military jargon; in NSA jargon they are called "fires", as if a weapon were being fired. The analogy is questionable.

Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its "target". CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect the target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions, the malware must communicate with CIA Command & Control (C2) systems placed on internet-connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.

A successful "attack" on a target's computer system is more like a series of complex maneuvers than the firing of a weapon. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory.

Evading forensics and anti-virus

A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators, as well as Apple, Microsoft, Google, Samsung, Nokia, BlackBerry, Siemens and anti-virus companies, to attribute and defend against attacks.

CIA tradecraft rules govern how its malware should be written to avoid fingerprints implicating the CIA or the U.S. government in "forensic review". Similar secret standards cover the use of encryption to hide CIA hacker and malware communication, describing targets and exfiltrated data, as well as executing payloads and persisting in the target's machines over time.

CIA hackers developed successful attacks against most well-known anti-virus programs. These are documented in "AV defeats", "Personal Security Products (PSPs)" and "PSP/Debugger/RE Avoidance".
For example, Comodo was defeated by CIA malware placing itself in the Windows "Recycle Bin", while Comodo 6.x was found to have a gaping hole. CIA hackers also discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure.

Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero"), each with their own sub-projects, malware and hacker tools. The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control and exfiltration.

Another branch of development focuses on the development and operation of Listening Post (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

Some example projects are described below, but see the table of contents for the full list of projects described by WikiLeaks' "Year Zero".

UMBRAGE

The CIA's hand-crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved, the other murders also find likely attribution.

The UMBRAGE group within the CIA's Remote Devices Branch collects and maintains a substantial library of attack techniques "stolen" from malware produced in other states, including the Russian Federation. With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Fine Dining

Fine Dining comes with a standardized questionnaire (a "menu") that CIA case officers fill out.
The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation and to communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are "Asset", "Liaison Asset", "System Administrator", "Foreign Information Operations", "Foreign Intelligence Agencies" and "Foreign Government Entities". Notably absent is any reference to extremists or transnational criminals. The case officer is also asked to specify the environment of the target, like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs), as well as a list of file types to be exfiltrated, like Office documents, audio, video, images or custom file types. The "menu" also asks whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's "JQJIMPROVISE" software (see below) to configure a set of CIA malware suited to the specific needs of an operation.

Improvise (JQJIMPROVISE)

"Improvise" is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems. Its configuration utilities allow operators to customize tools based on the requirements from Fine Dining questionnaires.

HIVE

HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms, and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.

The implants are configured to communicate via HTTPS with the web server of a cover domain; each operation utilizing these implants has a separate cover domain, and the infrastructure can handle any number of cover domains. Each cover domain resolves to an IP address located at a commercial VPS (virtual private server) provider. The public-facing server forwards all incoming traffic via a VPN to a back-end server that handles the actual connection requests from clients. It is set up for optional SSL client authentication, and only implants can present a valid client certificate.
If the client presents a valid certificate, the connection is forwarded to the "Honeycomb" tool server that communicates with the implant. If a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious-looking website.

The Honeycomb tool server receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the tool server acts as a C2 (command and control) server for the implant.

Similar functionality (though limited to Windows) is provided by the RickBobby project.

See the classified user and developer guides for HIVE.

Frequently Asked Questions

Why now?

WikiLeaks published as soon as its verification and analysis were ready.

In February the Trump administration issued an Executive Order calling for a "Cyberwar" review. While the review increases the timeliness and relevance of the publication, it did not play a role in setting the publication date.

Redactions

Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete.

Over-redaction: some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency.

Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used, a single person may be represented by more than one assigned identifier, but no identifier refers to more than one real person.

Archive attachments (zip, tar.gz, etc.) are replaced with a listing of all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted.

The tens of thousands of routable IP address references that correspond to possible targets, CIA covert listening post servers, intermediary and test systems are redacted for further exclusive investigation. Binary files of non-public origin are only available as dumps, to prevent accidental invocation of CIA malware-infected binaries.

Organizational Chart

The organizational chart corresponds to the material published by WikiLeaks so far.
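Before the organizational chart, a worked illustration of the HIVE cover-domain routing described in the examples above: a TLS front end that requests but does not require a client certificate, hands connections whose certificate chains to an operator CA to a stand-in "Honeycomb" handler, and serves a benign cover page to everyone else. This is added example code written for this page, not HIVE's or WikiLeaks' code. The operator CA, the certificate names ("operator-ca", "implant-0001"), and the two page bodies are constructed for the demo; the VPS and VPN hop in front of the back-end server is not modelled, and Go's httptest stands in for the public-facing web server so the whole exchange runs offline on 127.0.0.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed stand-ins for the two back ends: the tool server that talks to
// implants and the innocuous cover site served to everyone else.
const (
	CoverPage     = "<html><body>Welcome to our company blog.</body></html>"
	HoneycombPage = "honeycomb: tasking for implant"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate: a self-signed CA (the assumed "operator CA") when
// parent is nil, otherwise a client leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// NewFrontEnd starts the public-facing HTTPS server. Client certificates are
// requested but optional (VerifyClientCertIfGiven): a visitor without one is
// served normally, while any certificate that is presented must chain to the
// operator CA or the handshake fails. Routing keys on the verified chain only.
func NewFrontEnd(ca *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {
			io.WriteString(w, HoneycombPage) // implant: hand over to the tool server
			return
		}
		io.WriteString(w, CoverPage) // everyone else: the cover site
	})
	srv := httptest.NewUnstartedServer(handler)
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool}
	srv.StartTLS() // httptest supplies a server certificate valid for 127.0.0.1
	return srv
}

func fetch(c *http.Client, url string) string {
	resp := must(c.Get(url))
	defer resp.Body.Close()
	return string(must(io.ReadAll(resp.Body)))
}

// Demo runs the exchange: an accidental visitor and an implant hit the same URL.
func Demo() (visitorSees, implantSees string) {
	ca, caKey := issue("operator-ca", nil, nil)
	leaf, leafKey := issue("implant-0001", ca, caKey)
	srv := NewFrontEnd(ca)
	defer srv.Close()
	visitor := srv.Client() // trusts the server cert, presents none of its own
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}
	implant := &http.Client{Transport: tr}
	defer tr.CloseIdleConnections()
	return fetch(visitor, srv.URL), fetch(implant, srv.URL)
}

func main() {
	v, i := Demo()
	fmt.Printf("visitor sees: %q\nimplant sees: %q\n", v, i)
}
```

Two points for anyone hunting this pattern rather than building it. First, the front end only looks ordinary from a browser: because the server asks for a client certificate, its handshake carries a CertificateRequest, which an ordinary blog has no reason to send (in TLS 1.2 it is visible on the wire; in TLS 1.3 it is encrypted but still observable by any client that connects). Second, VerifyClientCertIfGiven rejects a certificate that is presented but does not chain to ClientCAs, so probing with a certificate from any other CA ends in a handshake failure rather than the cover page, which is itself a distinguishing signal.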
Since the organizational structure of the CIA below the level of directorates is not public, the placement of the EDG and its branches within the agency's chart is reconstructed from information contained in the documents released so far; it should be read as a rough outline of the internal organization.

What time period is covered?

The years 2013 to 2016.

When was each part of "Vault 7" obtained?

Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication.

How did WikiLeaks obtain each part of "Vault 7"?

Sources trust WikiLeaks not to reveal information that might help identify them.