Vault 7


Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the CIA.
The Vault 7 release led the CIA to redefine WikiLeaks as a "non-state hostile intelligence service." In July 2022, former CIA software engineer Joshua Schulte was convicted of leaking the documents to WikiLeaks, and in February 2024 sentenced to 40 years' imprisonment, on espionage counts and separately to 80 months for child pornography counts.

History

In February 2017, WikiLeaks began teasing the release of "Vault 7" with a series of cryptic messages on Twitter, according to media reports. Later on in February, WikiLeaks released classified documents describing how the CIA monitored the 2012 French presidential election. The press release for the leak stated that it was published "as context for its forthcoming CIA Vault 7 series."
In March 2017, US intelligence and law enforcement officials said to the international wire agency Reuters that they had been aware of the CIA security breach which led to Vault 7 since late 2016. Two officials said they were focusing on "contractors" as the possible source of the leaks.
In 2017, federal law enforcement identified CIA software engineer Joshua Adam Schulte as a suspected source of Vault 7. Schulte pled not guilty and was convicted in July 2022 of leaking the documents to WikiLeaks.
On 13 April 2017, CIA director Mike Pompeo declared WikiLeaks to be a "hostile intelligence service." In September 2021, Yahoo! News reported that in 2017, in the wake of the Vault 7 leaks, the CIA considered kidnapping or assassinating Julian Assange, the founder of WikiLeaks. The CIA also considered spying on associates of WikiLeaks, sowing discord among its members, and stealing their electronic devices. After many months of deliberation, all proposed plans had been scrapped due to a combination of legal and moral objections. Per the 2021 Yahoo News article, a former Trump national security official stated, "We should never act out of a desire for revenge".
The Vault 7 release led the CIA to redefine WikiLeaks as a "non-state hostile intelligence service." In July 2022, former CIA software engineer Joshua Schulte was convicted of leaking the documents to WikiLeaks, and in February 2024, he was sentenced to 40 years' imprisonment.

Publications

Part 1 – "Year Zero"

The first batch of documents, named "Year Zero", was published by WikiLeaks on 7 March 2017. Purportedly from the Center for Cyber Intelligence, Year Zero consisted of 7,818 web pages with 943 attachments, more pages than former NSA contractor and leaker Edward Snowden's 2013 NSA release. WikiLeaks had placed Year Zero online in a locked archive earlier in the week, and revealed the passphrase on the 7th. The passphrase referred to a President John F. Kennedy quote, stating that he wanted “to splinter the CIA in a thousand pieces and scatter it to the winds”.
WikiLeaks did not name their source but said that the files had "circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive." According to WikiLeaks, the source "wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons" since these tools raise questions that "urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency."
WikiLeaks attempted to redact names and other identifying information from the documents before releasing them and faced criticism for leaving some key details unredacted. WikiLeaks also attempted to allow for connections between people to be drawn via unique identifiers generated by WikiLeaks. It also said that it would postpone releasing the source code for the cyberweapons, which is reportedly several hundred million lines long, "until a consensus emerges on the technical and political nature of the C.I.A.'s program and how such 'weapons' should be analyzed, disarmed and published." WikiLeaks founder Julian Assange claimed this was only part of a larger series.
The CIA released a statement saying that "The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community's ability to protect America against terrorists or other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm."
In a statement issued on 19 March 2017, Assange said the technology companies who had been contacted had not agreed to, disagreed with, or questioned what he termed as WikiLeaks' standard industry disclosure plan. The standard disclosure time for a vulnerability is 90 days after the company responsible for patching the software is given full details of the flaw. According to WikiLeaks, only Mozilla had been provided with information on the vulnerabilities, while "Google and some other companies" only confirmed receiving the initial notification. WikiLeaks stated that "Most of these lagging companies have conflicts of interest due to their classified work with US government agencies. In practice such associations limit industry staff with US security clearances from fixing holes based on leaked information from the CIA. Should such companies choose to not secure their users against CIA or NSA attacks users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts".

Part 2 – "Dark Matter"

On 23 March 2017, WikiLeaks published the second release of Vault 7 material, entitled "Dark Matter". The publication included documentation for several CIA efforts to hack Apple's iPhones and Mac devices. These included the Sonic Screwdriver malware that could use the Thunderbolt interface to bypass Apple's password firmware protection.

Part 3 – "Marble"

On 31 March 2017, WikiLeaks published the third part, "Marble". It contained 676 source code files for the CIA's Marble Framework. It is used to obfuscate, or scramble, malware code in an attempt to make it so that anti-virus firms or investigators cannot understand the code or attribute its source. According to WikiLeaks, the code also included a de-obfuscator to reverse the obfuscation effects.

Part 4 – "Grasshopper"

On 7 April 2017, WikiLeaks published the fourth set, "Grasshopper". The publication contains 27 documents from the CIA's Grasshopper framework, which is used by the CIA to build customized and persistent malware payloads for the Microsoft Windows operating systems. Grasshopper focused on Personal Security Product avoidance. PSPs are antivirus software such as MS Security Essentials, Symantec Endpoint or Kaspersky IS.

Part 5 – "HIVE"

On 14 April 2017, WikiLeaks published the fifth part, "HIVE". This disclosure covers the CIA’s top-secret virus program created by its "Embedded Development Branch". The six documents published are related to the HIVE multi-platform CIA malware suite. A CIA back-end infrastructure with a public-facing HTTPS interface used by CIA to transfer information from target desktop computers and smartphones to the CIA and open those devices to receive further commands from CIA operators to execute specific tasks, all the while hiding its presence behind unsuspicious-looking public domains through a masking interface known as "Switchblade" and Command and Control ).

Part 6 – "Weeping Angel"

On 21 April 2017, WikiLeaks published the sixth part, "Weeping Angel", a hacking tool co-developed by the CIA and MI5 used to exploit a series of early smart TVs for the purpose of covert intelligence gathering. Once installed in suitable televisions with a USB stick, the hacking tool enables those televisions' built-in microphones and possibly video cameras to record their surroundings, while the televisions falsely appear to be turned off. The recorded data is then either stored locally into the television's memory or sent over the internet to the CIA. Allegedly both the CIA and MI5 agencies collaborated to develop that malware in Joint Development Workshops.

Part 7 – "Scribbles"

On 28 April 2017, WikiLeaks published the seventh part, "Scribbles". The leak includes documentation and source code of a tool intended to track documents leaked to whistleblowers and journalists by embedding web beacon tags into classified documents to trace who leaked them. The tool affects Microsoft Office documents, specifically "Microsoft Office 2013, documents from Office versions 97-2016 and documents that are not locked, encrypted, or password-protected". When a CIA watermarked document is opened, an invisible image within the document that is hosted on the agency's server is loaded, generating an HTTP request. The request is then logged on the server, giving the intelligence agency information about who is opening it and where it is being opened. However, if a watermarked document is opened in an alternative word processor the image may be visible to the viewer. The documentation also states that if the document is viewed offline or in protected view, the watermarked image will not be able to contact its home server. This is overridden only when a user enables editing.