Massive CIA Hacking Tool Leak: Ex-Agency Employee Charged
Lead Suspect Joshua A. Schulte Already Detained on Child Pornography Charges
In March 2017, one of the biggest leaks in the history of the CIA came to light when WikiLeaks began releasing thousands of secret agency documents, revealing the CIA's offensive malware tools and practices. WikiLeaks called the document dump the "Vault 7" archive.
On Monday, the U.S. Department of Justice charged a former CIA officer, Joshua Adam Schulte, 29, with stealing the attack tools in 2016 and giving them to WikiLeaks.
Schulte had already been named as a lead suspect - but not charged - in the Vault 7 leak investigation, The New York Times reported last month. He's incarcerated; after his arrest on unrelated charges on Aug. 24, 2017, a judge found that he had violated his bail conditions (see US Government Plans to Indict Alleged CIA Leaker).
On Monday, the Justice Department announced that it had expanded the list of charges against Schulte.
A superseding 13-count indictment against Schulte includes such charges as illegally gathering and transmitting both lawfully and unlawfully gathered national defense information, hacking, stealing government property, sharing harmful computer programs, obstructing justice and making false statements.
"Schulte also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system," the Justice Department says. "Schulte subsequently made material false statements to FBI agents concerning his conduct at the CIA."
The charges against Schulte collectively carry a maximum prison sentence of 135 years. The crimes were allegedly committed in Virginia.
"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization," says Manhattan U.S. Attorney Geoffrey S. Berman. "During the course of this investigation, federal agents also discovered alleged child pornography in Schulte's New York City residence."
Schulte's attorney issued a statement in response to the charges.
"As the evidence is flushed out, it will become clear that Mr. Schulte is hardly the villain the government makes him out to be," Sabrina P. Shroff, his public defender, said in a statement on Monday.
The CIA declined to comment on the specifics of the case.
"We are grateful to the Department of Justice, and others throughout the government, who worked diligently to bring this indictment in connection with a grave breach of national security," a CIA spokeswoman tells Information Security Media Group. "As this is an ongoing criminal proceeding, we refer you to the Department of Justice for any additional comment."
Leaked: 8,000 CIA Documents
In March 2017, WikiLeaks began releasing the CIA documents, which, in part, revealed how the CIA had developed custom malware to target iOS and Android devices, routers and smart TVs, as well as Windows, Mac OS X and Linux operating systems. The documentation also described some of the agency's zero day vulnerability practices, including its use of those flaws to gain access to smartphones and monitor encrypted messaging apps that it might not otherwise have been able to hack.
When WikiLeaks began chronicling the attack tools via an estimated 8,000 CIA documents it had obtained, the organization said the leaker had hoped to trigger a public debate.
"In a statement to WikiLeaks, the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency," WikiLeaks said. "The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons."
After the Justice Department announced on Monday that the list of charges against Schulte had been expanded to include sending classified information to WikiLeaks, WikiLeaks retweeted a series of tweets from March 2017, when it began releasing the Vault 7 tools in 25 installments.
CIA organizational chart partly re-constructed by @WikiLeaks #Vault7 https://t.co/4R2Dh4ZzGN pic.twitter.com/HvTnUAaIff
— WikiLeaks (@wikileaks) March 7, 2017
Focus: CIA's Engineering Development Group
According to Schulte's LinkedIn profile, he worked as a systems engineer specializing in high-speed passive signals intelligence for the NSA in 2009 and early 2010. From May 2010 through October 2016, he worked as a software engineer - specifically a "Directorate of Science and Technology (DS&T) Intelligence Officer" in the CIA's National Clandestine Service - where he says he "developed a multitude of Quick Reactions Capabilities (QRCs) in C/C++ for both Windows and Linux systems to support clandestine operations."
In late 2016, Schulte went to work for Bloomberg, The New York Times reported.
While this isn't listed on his LinkedIn profile, Buzzfeed reports that at the CIA, Schulte worked inside the agency's Engineering Development Group, which was named in the Vault 7 dump and which designs malware and other hacking tools used by the CIA overseas.
Days after WikiLeaks began publishing the CIA documents last year, the Wall Street Journal reported that investigators were interviewing a team of software developers at the Engineering Development Group, to which the leak appeared to trace.
In January, one of Schulte's attorneys accused the government of overreach, saying that despite months of work, FBI agents had not found any evidence tying his client to the WikiLeaks leak.
FBI: Schulte Reused Passwords
The FBI says it recovered approximately 10,000 child pornography images and videos from a 54 GB encrypted container that Schulte had created using the open source VeraCrypt encryption tool and stored on a virtual machine on his desktop PC, according to the warrant for his arrest, dated Aug. 23, 2017.
"In March 2017, members of the FBI had searched Schulte's residence in New York, New York, pursuant to a search warrant and recovered, among other things, multiple computers, servers, and other portable electronic storage devices, including Schulte's personal desktop computer (the "personal computer")," according to the Justice Department.
Despite Schulte reportedly having worked in a CIA division that developed malware designed to gain remote, stealthy and persistent access to targeted devices, as well as being charged with stealing classified information from the agency and covering his tracks, he allegedly committed some basic password security failures of his own that enabled the FBI to crack the encrypted container.
"The encrypted container with the child pornography files was identified by FBI computer scientists beneath three layers of password protection on the personal computer," according to the Justice Department. "Each layer, including the encrypted container, was unlocked using passwords previously used by Schulte on one of his cellphones."
Prosecutors say they also have extensive evidence pointing to Schulte having actively sought out child pornography, including via his Google searches. "FBI agents identified Internet chat logs in which Schulte and others discussed their receipt and distribution of child pornography," the Justice Department says. "FBI agents also identified a series of Google searches conducted by Schulte in which he searched the internet for child pornography."
Judge: Schulte Violated Bail Conditions
After his arrest last August, Schulte was released on bail the next month, subject to his not using a computer. But a judge revoked his bail on Dec. 14, 2017, after the suspect allegedly violated his bail conditions by having his cousin, with whom he was staying in New York, check his Gmail account and run online searches for him.
Jacob Kaplan, one of Schulte's attorneys, told District Judge Paul A. Crotty in a Jan. 8 hearing in Manhattan federal court that only Schulte's cousin had been using the PC, and that any violation of Schulte's bail conditions was unintentional.
But Assistant U.S. Attorney Matthew J. Laroche told the court that whoever was accessing the internet was also using the anonymizing Tor browser, which is designed to obscure someone's actions online. The government's investigation into Vault 7 has also included "analyzing whether and to what extent Tor was used in transmitting classified information," Laroche said.
"So the fact that the defendant is now, while on pretrial release, using Tor from his apartment, when he was explicitly told not to use the internet, is extremely troubling and suggests that he did willfully violate his bail conditions," Laroche told the court.
Judge Crotty ruled that Schulte's bail would continue to be revoked.
Pending: Sexual Assault Charges
Schulte may also face additional charges. After the FBI searched Schulte's cell phone, it found apparent images of a sexual assault, which it shared with police in Virginia.
During the Jan. 8 hearing, Assistant U.S. Attorney Laroche told the court that the FBI found "images on [Schulte's] phone that showed a sexual assault" and shared the images with law enforcement officials in Loudoun County, Virginia, who subsequently issued a warrant for Schulte's arrest.
"It's our understanding that they conducted their own investigation, which included interviewing the victim, the person who was on those photographs, and through interviews with that person, they were comfortable, through the development of that evidence, that Mr. Schulte was the one whose hands are on the pictures of that photograph," Laroche told the court.
Target: Julian Assange
Following the U.S. government's indictment of Schulte for allegedly giving the CIA documents to WikiLeaks, it's not clear if the Justice Department might attempt to also bring charges against Julian Assange, the founder and chief of WikiLeaks.
One year ago, U.S. Attorney General Jeff Sessions said the Justice Department was stepping up its efforts to pursue leakers, including Assange. But it's not clear if the Australian national could be charged with espionage, or whether WikiLeaks might be protected by the First Amendment, which guarantees freedom of the press.
For the moment, at least, Assange appears to be unreachable. He's been living in Ecuador's embassy in London since June 2012, when he voluntarily sought refuge there to escape extradition to Sweden to face allegations of sex crimes. Should Assange emerge, the U.K. government has promised to arrest him immediately for violating his bail conditions (see After Outlasting Sweden, WikiLeaks Founder's Fate Murky).