The files provide a map of the cyber divisions and branches that have multiplied across the spy service.
On his workplace bio, he describes himself as a “malt beverage enthusiast,” a fitness buff fond of carrying a backpack full of bricks, and a “recovering World of Warcraft-aholic.”
He is also a cyberwarrior for the CIA, an experienced hacker whose résumé lists assignments at clandestine branches devoted to finding vulnerabilities in smartphones and penetrating the computer defenses of the Russian government. At the moment, according to his file, he is working for the Center for Cyber Intelligence Europe, a major hacking hub engaged in electronic espionage across that continent and others.
The hacker — whose background appears in the thousands of CIA documents posted online Tuesday by the anti-secrecy organization WikiLeaks — is part of a digital operation that has grown so rapidly in size and influence in recent years that it ranks alongside spying and analysis divisions that were created at the same time as the CIA decades ago.
The trove of documents exposed by WikiLeaks provides an unprecedented view of the scale and structure of this operation, which encompasses at least 36 distinct branches devoted to cracking the espionage potential of cellphones, communication apps and computer networks supposedly sealed off from the Internet.
But in their descriptions of elaborate exploits and sketches of specific employees, the documents also point to the CIA’s vulnerabilities. As much as it is organized to exploit the pervasive presence of digital technology abroad, the CIA’s own secrets are increasingly created, acquired or stored on computer files that can be copied in an instant.
“This is the double-edged sword of the digitization of everything,” said Daniel Prieto, who served as director of cybersecurity policy for President Barack Obama. “Think back to the James Bond movies with a guy in the backroom with a camera that looks like a cigarette lighter taking 20 pictures of a weapons design system. Nowadays, one thumb drive can contain hundreds of thousands of pages.”
U.S. officials said Wednesday that they were still in the early stages of investigating the breach that left WikiLeaks in possession of thousands of sensitive files.
The complexity and magnitude of the theft have prompted speculation that it was carried out by Russia or another foreign government with the skills, resources and determination to target the CIA.
But others said that the decision to put the files on public display, rather than exploit their value in secret, makes it more likely that a disgruntled employee or contractor was responsible. WikiLeaks said the documents, which The Washington Post could not independently verify, came from a current or former CIA employee or contractor.
If so, that would be consistent with earlier breaches: the exposure of U.S. diplomatic cables in 2010, the Edward Snowden revelations of 2013 and the discovery of a trove of classified National Security Agency files in a suburban Maryland home last year were the work of insiders.
Intelligence officials learned late last year that there was a suspected loss of sensitive CIA information, according to two U.S. officials.
The CIA declined to comment on the authenticity of the documents or the direction of any internal probe underway. In a statement, a CIA spokesman said that the agency’s mission “is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries … It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.”
What WikiLeaks has released so far is not huge, amounting to about 1 gigabyte of data, experts said. And the cache does not appear to include source code for creating hacking tools.
Nonetheless, there are descriptions of tools and techniques that could be used to exploit computer systems, as well as “implants” that can be deployed to collect data once inside a phone or a computer. Implants are typically used in the later stages of the “cyber kill chain,” after initial access has already been gained, to spy on users, steal their data or monitor their activity.
The exposure of these capabilities is “hugely damaging” and probably will require the CIA to figure out a way to replace them, said Jake Williams, founder of Rendition InfoSec, a cybersecurity firm. “We’ve never seen these tools in the wild.”
The documents contain references to hundreds of hacking tools, often with colorful names. One, dubbed “Brutal Kangaroo,” is a suite for jumping the “air gap” into Windows networks that are not connected to the Internet, spreading between machines on infected USB thumb drives. Another, called HammerDrill, collects files and directory listings from CDs and DVDs inserted into a compromised machine.
Beyond describing specific weapons, the files provide a remarkably comprehensive bureaucratic map of the cyber-divisions and branches that have multiplied across the CIA’s organizational chart in recent years, as well as glimmers of the geek humor shared on internal networks.
As part of a sweeping reorganization in 2015 under then-CIA Director John Brennan, the agency consolidated much of its computer expertise under a new division, the Directorate of Digital Innovation, that reports directly to the CIA chief.
The bulk of the CIA’s offensive capability appears to reside in an entity called the Center for Cyber Intelligence, an organization that oversees dozens of subordinate branches and groups devoted to specific missions and targets, from cracking security on Apple iPhones to penetrating the communications nodes of the Islamic State.
Though the center is based at CIA headquarters in Northern Virginia, it appears to have major outposts overseas.
Among them is a large hacking station at the U.S. Consulate in Frankfurt, Germany, a group whose operations reach across Europe and the Middle East and into Africa, according to the documents.
One of the files offers traveling tips for 20-something hackers making the excursion to Frankfurt. It urges employees to fly Lufthansa: “Booze is free so enjoy (within reason)!” Clearly written for neophyte CIA officers, it cautions against using terms that would betray that “people are not ‘State Department’ employees.”
The document also suggests scripts for clearing airport screening: “Breeze through German Customs because you have your cover-for-action story down pat.”
Among those apparently assigned to the Frankfurt base is the engineer who listed World of Warcraft and malt beverages as areas of keen interest on his CIA bio.
His name, and that of other employees, was redacted from the WikiLeaks-released pages.
Some specialists believe the heist had to be from within. “I’d be almost positive this material was stolen by an insider,” Williams said.
Some of the documents were marked top secret. “To be in a position to steal this, you’d be in a position to steal so much more operational data that fits better with WikiLeaks’s narrative” discrediting the agency, Williams said. There would be data on who the CIA is targeting and the access they have — information that would be far more embarrassing to the United States and, therefore, material WikiLeaks would presumably be eager to expose.
The files also provide clues to how the CIA has assembled its digital arsenal.
The agency appears to rely heavily on open-source tools used by commercial security firms. The CIA kit also includes “public exploits” — tools posted online that are often traced to hacking groups.
One document amounts to a catalogue of “exploits” that can be used against Apple’s iOS phone operating system. The entries include descriptions of how they were obtained.
Some are listed as being “purchased by NSA” before being shared with the CIA. Others appear to have been provided by or developed in collaboration with the British intelligence service GCHQ.
Several are listed as having been purchased from independent groups or individuals, including one identified as “Baitshop,” an entity described by WikiLeaks as a cyber-arms contractor.
Some described the damage as extensive but far from permanent. Vulnerabilities in phones and other devices tend to be fleeting: an exploit works only until the vendor fixes the bug and the target installs the patch or operating system upgrade, and publicity of the kind WikiLeaks generated hastens both. The documents make clear that the CIA has adapted to this timetable and will probably accelerate its development and purchasing cycles to reopen any hacking windows that WikiLeaks closed.
“It’s not some huge crisis,” said Nicholas Weaver, a computer security researcher at the University of California at Berkeley. The CIA can purchase new exploits or turn to the NSA to help shore up its exposed archive. Buying its way back could be pricey, experts said. Exploits for Apple iPhones can go for $1 million or more.
Devlin Barrett and Ashkan Soltani contributed to this report.