Analysis 03-11-2017

ANALYSIS:

“SPECIAL REPORT”

Another Snowden?
More leaks from US Intelligence

Wikileaks has published what it claims is the largest ever release of confidential documents on the CIA. It includes more than 8,000 documents as part of ‘Vault 7’, a series of leaks on the agency, which have allegedly emerged from the CIA’s Center For Cyber Intelligence in Langley, Virginia.

Officials confirmed to CNN that the documents published so far are genuine. One of the federal government’s biggest concerns is therefore that Wikileaks will publish the computer code itself, which would allow other hackers to copy it and cause havoc overseas.

Although the scope of the leak is, at present, unknown, those who have looked at it say it is more detailed than the information provided by Snowden and provides considerable data on how extensive America’s cyberwarfare capability is.

The time period covered in the latest leak is between the years 2013 and 2016, according to the CIA timestamps on the documents themselves. Wikileaks has said that it has not researched all the documents and is asking that journalists and activists do the investigative work.

This leak poses some troubling questions about the security of America’s intelligence community, especially the CIA.

The first question is why the CIA has a cyberwarfare office at all, given that four separate US intelligence agencies already have one. Isn’t the NSA the key intelligence agency in cyberwarfare? It appears that the CIA and the other agencies wanted to gain additional funding by focusing on such a high-profile topic. But all it did was make US intelligence more bureaucratic and less efficient.

The next question is how such a leak could come out of the CIA after Snowden. Apparently, CIA director Brennan’s decision to lower standards for CIA hires in order to diversify the agency was partially responsible. Much of this rushed hiring came as the cyberwarfare offices were being staffed.

We can also ask whether many in the CIA have become concerned about the scope of the CIA’s capabilities – especially since many of the tools appear to be designed to target Americans rather than foreign intelligence sources. The source of the leak told WikiLeaks in a statement that they wish to initiate a public debate about the “security, creation, use, proliferation and democratic control of cyberweapons.” Policy questions that should be debated in public include “whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency,” WikiLeaks claims the source said.

This situation is corroborated by something mentioned in Wikileaks’ press release, which said, “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

Another troubling question is the intelligence community’s failure to live up to its promises to the American technology industry. In the wake of Edward Snowden’s leaks about the NSA, the US technology industry secured a commitment from the Obama administration that they would disclose on an ongoing basis – rather than hoard – serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other US-based manufacturers.

However, serious vulnerabilities were not disclosed to the manufacturers by US intelligence, which places the US population and critical infrastructure at risk from foreign intelligence services or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities, so can others.

Finally, why did the CIA not better compartmentalize its intelligence after Snowden? There is no reason why one CIA employee should have so much intelligence data available to them.

Until these questions can be answered and addressed, it’s likely that additional leaks can be expected from American intelligence.

The Growing Influence of the CIA

Since 2001 the CIA has gained political and budgetary preeminence over the NSA. The CIA found itself building not just its now infamous drone fleet, but a substantial workforce of hackers. The agency’s hacking division freed it from having to disclose its often-controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA’s hacking capacities.

The CIA’s Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by Wikileaks), each with its own sub-projects, malware and hacker tools.

The majority of these projects relate to tools that are used for penetration, infestation (“implanting”), control, and exfiltration of information. Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs.

By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

What These Leaks Tell Us

A total of 8,761 documents have been published as part of ‘Year Zero’, the first in a series of leaks they have dubbed ‘Vault 7.’ WikiLeaks said that ‘Year Zero’ revealed details of the CIA’s “global covert hacking program,” including “weaponized exploits” used against commercial products including “Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

Julian Assange, WikiLeaks editor, stated that “There is an extreme proliferation risk in the development of cyber ‘weapons’. Comparisons can be drawn between the uncontrolled proliferation of such ‘weapons’, which results from the inability to contain them combined with their high market value, and the global arms trade.”

Many of these disclosures, if confirmed, will rock the technology industry and force customers to wonder whether these IT companies are serving them or intelligence agencies. The CIA had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers have 24 “weaponized” Android apps to penetrate Android phones and collect “audio and message traffic before encryption is applied.”

Another revelation that should concern people and governments alike is that the CIA can engage in “false flag” cyberattacks which portray Russia as the assailant. Discussing the CIA’s Remote Devices Branch’s UMBRAGE group, Wikileaks’ source notes that it “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

“With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from. UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.”

Well-known computer expert Kim Dotcom notes, “CIA uses techniques to make cyber attacks look like they originated from enemy state. It turns DNC/Russia hack allegation by CIA into a joke.”

Considering the well-known hostility that the intelligence community has towards Trump and the allegations that Wikileaks documents about Hillary Clinton had “Russian fingerprints on them,” there is a serious question about the source of the Clinton leaks and the purpose behind them. Was it the Russians or the US intelligence community?

Among the various techniques profiled by WikiLeaks is “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones. CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation).

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As Kim Dotcom chimed in on Twitter, “CIA turns Smart TVs, iPhones, gaming consoles and many other consumer gadgets into open microphones” and added, “CIA turned every Microsoft Windows PC in the world into spyware. Can activate backdoors on demand, including via Windows update.”

Kim Dotcom also added that “Obama accused Russia of cyberattacks while his CIA turned all internet enabled consumer electronics in Russia into listening devices. Wow!”

Another troubling discovery is that the CIA is looking at hacking cars in order to carry out assassinations. According to Wikileaks, “As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”

It appears that the CIA is also focusing on electronics that the elites use. Despite the iPhone’s minority share (14.5%) of the global smartphone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. The CIA’s arsenal includes numerous local and remote “zero days” developed by the CIA or obtained from GCHQ (the British communications intelligence agency), the NSA and the FBI, or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

However, Apple says that many of the iOS exploits in the Wikileaks dump have already been patched and it is working to address any new vulnerabilities.

“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates,” an Apple spokesperson said in a statement to TechCrunch.

There is also a diplomatic aspect to these leaks. Germany has demanded answers from the US over claims by WikiLeaks that there is a CIA listening post in Frankfurt. In addition to its operations in Langley, Virginia, the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa. CIA hackers operating out of the Frankfurt consulate (“Center for Cyber Intelligence Europe” or CCIE) are given diplomatic (“black”) passports and State Department cover.

CIA Computer Programs

Here’s a list of CIA computer projects, mentioned by Wikileaks, that target electronics:

Umbrage: The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation. With UMBRAGE and related projects the CIA can increase its total number of attack types and misdirect the opposition by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

Umbrage is an ideal false flag tool because it gives the CIA the ability to strike a country’s infrastructure and then point investigators back to American enemies like China, North Korea, or Russia.

Fine Dining: This attack method is able to penetrate high-security networks that are disconnected from the internet, such as a police records database. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions physically infiltrates the targeted workplace. The attacker is provided with a USB drive containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects the machine and exfiltrates data to removable media.

The CIA attack system provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.

Fine Dining comes with a standardized questionnaire, i.e. a menu, that CIA case officers fill out. The questionnaire is used by the agency’s OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically “exfiltrating” information from computer systems) for specific operations. Among the list of possible targets of the collection are ‘Asset’, ‘Liaison Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’.

Notably absent is any reference to extremists or transnational criminals.

Improvise: A toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems, such as Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor).

HIVE: HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants. The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.

Hammer Drill: The CIA also runs a very substantial effort to infect and control computers owned by Microsoft Windows users. This includes multiple local and remote weaponized “zero days”, air-gap-jumping viruses which infect software distributed on CD/DVDs, infectors for removable media such as USB drives, and systems to keep its malware infestations going.

Brutal Kangaroo: A program targeting Microsoft Windows users to hide data in images or in covert disk areas.

“Assassin” and “Medusa”: Infection projects by the CIA’s Automated Implant Branch (AIB), for automated infestation and control.

And, if this information already seems revealing, consider this Wikileaks tweet: “WikiLeaks has released less than 1% of its #Vault7 series in its part one publication yesterday ‘Year Zero’.”

Stand by for more leaks.

PUBLICATIONS

How President Trump Can Improve U.S. Syria Policy
By James Phillips
Heritage Foundation
March 3, 2017

The Obama Administration left the Trump Administration with few good options to mitigate the increasingly dire situation in Syria, which has generated destabilizing spillover effects that threaten U.S. national security interests and many allies, particularly Israel, Jordan, and Turkey. President Donald Trump and his Administration should work with allies to defeat ISIS, contain the civil war within Syria’s borders to minimize spillover effects that could destabilize U.S. allies, help Syria’s neighbors to shelter refugees so that they can remain close to their homes and stop migrating to Europe, and encourage Arab allies to play a more responsible role in Syria on military, diplomatic, and humanitarian fronts.


Strategies Underlying Iranian Soft Power
By Michael Rubin
American Enterprise Institute
March 7, 2017

Iran’s approach to soft power is sophisticated and varied. While the Islamic Republic’s religious rhetoric might dominate the Western understanding of Iran, successive governments—both before and after the 1979 Islamic Revolution—have sought to capitalize on Iran’s culture, religion, and historical legacy to extend influence and achieve aims far beyond its borders. To understand Iranian soft power therefore requires recognition of Persia’s imperial past, its religious evolution, Persian language and culture, and its history.


Eastern Expectations: The Changing Dynamics in Syria’s Tribal Regions
By Kheder Khaddour and Kevin Mazur
Carnegie Endowment
February 28, 2017

With all eyes on western Syria, developments in eastern Syria, which is populated mainly by tribal communities, will be just as important for the country’s future. Numerous parties involved in Syria’s conflict—including the Assad regime, radical Islamists, Turkey, and the Kurds—have sought to integrate tribal leaders into their political agendas, believing their tribes would follow. However, these leaders no longer have the authority they once did. Syria’s conflict has forced tribal communities to turn inwards, and such localization has further undermined tribal solidarities.


Iran’s Assad Regime
By Chris Kozak
Institute for the Study of War
March 8, 2017

Syrian President Bashar al-Assad’s regime is neither sovereign nor a viable U.S. partner against ISIS and al-Qaeda. Russia and Iran have penetrated the Syrian Arab Army’s command-and-control authorities at all levels and propped up the force by providing the bulk of its offensive combat power. The pro-regime coalition cannot secure all of Syria and primarily serves as a vehicle for Moscow and Tehran’s regional power projection. Any U.S. strategy in Syria that relies on pro-regime forces will fail to destroy Salafi-Jihadists while empowering Iran and Russia.


Sisi’s Domesticated Foreign Policy
By Eric Trager
Washington Institute
March 8, 2017

When then-Defense Minister Abdel Fatah al-Sisi responded to mass protests in July 2013 by ousting the country’s first elected president, Muslim Brotherhood leader Mohamed Morsi, Cairo’s Gulf allies rushed to keep Egypt afloat economically. Within months, Saudi Arabia, the United Arab Emirates, and Kuwait sent approximately $7 billion in aid, and they pledged an additional $12 billion in aid after Sisi won the barely contested May 2014 presidential elections. These Gulf states’ support reflected their concerns about the Muslim Brotherhood, which they viewed as a threat given the Brotherhood’s explicitly hegemonic aims, and they also feared that Egypt’s economic collapse would have devastating consequences on a region that was rapidly unraveling.
