Earlier this month, WikiLeaks unleashed the Vault 7 papers, a revealing insight into the tools and techniques used by the CIA. Their release caused a stir among the security community, but if you’re not working on the field, their relevance might not be immediately obvious.
Above all else, Vault 7 shouldn’t put you in a panic about the CIA — not if you’ve been paying attention, anyway. The most attention-grabbing techniques described in the papers aren’t anything new. In fact, they’ve been demonstrated publicly several times over. The revelation here is not the fact the CIA and NSA spy on both American and foreign citizens, but instead the incredible insight they – and presumably other spy organizations worldwide – have into cracking protections that most people consider secure.
A History of surveillance
“I would say that 100 percent of this is stuff that has been known to the security community for a while,” said Ryan Kalember, the senior vice president of cybersecurity strategy at security firm ProofPoint, in reference to the Vault 7 documents. “The Samsung Smart TV hack was demonstrated at security conferences several years ago, the vehicular hacks were demonstrated at BlackHat by quite a few different individuals on different vehicles.”
“Most of the things that have come out are slight variations on known techniques,” agreed James Maude, senior security engineer at Avecto. “There are a few targeted workarounds for antivirus vendors that weren’t previously known about — although similar exploits have been found in the past — and there were a couple of newer techniques for bypassing User Account Control on Windows.”
You don’t have to be a security professional to have heard about the techniques outlined in the Vault 7 papers. You might be surprised that the CIA is using these techniques, but you perhaps shouldn’t be, given that the organization was established for the purposes of gathering intelligence.
In the preface to the book Spycraft: The Secret History of the CIA’s Spytechs from Communism to Al-Qaeda, former director of the agency’s Office of Technical Service, Robert Wallace, describes the groups that comprised the organization when he joined its ranks in 1995. One was apparently responsible for the design and deployment of “audio bugs, telephone taps, and visual surveillance systems.” Another is said to have “produced tracking devices and sensors” and “analyzed foreign espionage equipment.”
The CIA is an organization that was set up for the purposes of surveillance and espionage. The Vault 7 papers aren’t revelatory in terms of what the CIA is doing — they’re revelatory in terms of how the agency is doing it. The way that the organization implements technology is changing with the times, and Vault 7 lets us track its progress.
Espionage evolves
Computers have revolutionized most industries over the past few decades, and that has in turn changed how spy organizations collect data from those industries. Thirty years ago, sensitive information typically took the form of physical documents, or spoken conversations, so spycraft focused on extracting documents from a secure location, or listening to conversations in room thought to be private. Today, most data stored digitally, and can be retrieved from anywhere the internet is available. Spies are taking advantage of that.
The lines have blurred between cybercrime and spycraft
According to Kalember, it’s “absolutely to be expected” that the CIA would move with the times. “If the information that you’re looking for exists in somebody’s email account, of course your tactics are going to move to spear-phishing them,” he explained.
Tactics like phishing might seem underhanded, in the reserve of criminals, but they’re used by spies because they’re effective. “There are only so many ways that you can get something to run on a system,” explained Maude. Indeed, if the CIA were to debut an unprecedented and highly effective method of snooping, it’s almost certain that criminal entities would be able to reverse-engineer it for their own usage.
“We’re in an environment where, particularly with the revelations from the Yahoo attack, the lines have blurred between cybercriminal tradecraft and spycraft,” said Kalember. “There’s one ecosystem of tools that has a big overlap.”
Intelligence operatives and cybercriminals are using the same tools for very similar purposes, even if their targets and their end goals might be very different. The practicalities of surveillance don’t change depending on the individual’s moral or ethical alignment, so there should be little shock when it emerges that the CIA is interested in a Samsung TV’s capacity to listen to conversations. In fact, exploits like that found in Samsung TV’s are of more interest to spies than to criminals. It’s not an exploit that offers immediate financial gain, but it does provide an excellent way to listen in on private conversations.
“When we look at the CIA leaks, when we look at cybercriminal forums and the malware that I’ve looked at, the difference between a cybercriminal and an intelligence analyst is literally who pays their paycheck,” said Maude. “They all have a very similar mindset, they’re all trying to do the same thing.”
This melting pot allows operatives to disguise their actions, letting their work blend in with the similar tactics employed by criminals and other intelligence agencies. Attribution, or lack thereof, means that re-using tools developed by others doesn’t just save time — it’s a safer option all round.
Author unknown
“It’s well known within security circles that attribution looks great in reports and press conferences, but in reality, there’s very little value in attributing threats,” said Maude. “The value is in defending against them.”
The NSA has broad capabilities to gather up lots of different types of communications that are, by and large, unencrypted
Most surveillance is intended to be surreptitious, but even when an attempt is discovered, it can be very difficult to accurately trace it to its source. The CIA takes advantage of this fact by utilizing tools and techniques developed by others. By implementing someone else’s work — or better yet, a patchwork of others’ work — the agency can prompt questions about who’s responsible for its espionage.
“Attribution is something that has been a controversial subject in the private sector,” said Kalember. When security researchers are examining attacks, they can look at the tools that are used, and often where information was sent, to get an idea of who was responsible.
Delving further into the malware, it’s possible to get even great insight into its authors. The language used for text strings might provide a clue. The time of day that code was compiled might hint at their geographical location. Researchers might even look at debug paths to figure out which language pack the developer’s operating system was using.
Unfortuantely, these clues are easy to forge. “All of those things are well-known techniques that researchers can use to try and do attribution,” explained Kalember. “We’ve recently seen both cyber-criminal groups and nation state groups intentionally mess with those methods of attribution to create the classic false ‘flag type’ of scenario.”
He gave an example of the practice related to the malware known as Lazarus, which is thought to have originated in North Korea. Russian language strings were found in the code, but they didn’t make any sense to Russian speakers. It’s possible that this was a half-hearted attempt at misdirection, or perhaps even a double-bluff. The Vault 7 papers demonstrated that the CIA is actively engaging in this methodology to deceive those trying to track malware back to it.
“There was a big part of the Vault 7 leaks that focused on this program called UMBRAGE, where the CIA was pointing out the broad ecosystem of tools that were available for use,” said Kalember. “They appeared to be mostly trying to save themselves time, which a lot of people involved in this line of work do, by re-using things that were already there.”
UMBRAGE demonstrates how the CIA is monitoring trends to maintain its effectiveness in terms of espionage and surveillance. The program allows the agency to operate more quickly, and with less chance of being discovered — a huge boon to its endeavors. However, the Vault 7 papers also demonstrate how the organization has been forced to change its tactics to reassure those critical of its attitude towards privacy.
From Fishing Net to Fishing Rod
In 2013, Edward Snowden leaked a cavalcade of documents that unveiled various global surveillance initiatives being operated by the NSA and other intelligence agencies. The Vault 7 papers demonstrate how the Snowden leaks changed best practices for espionage.
“If you look at the Snowden leaks, the NSA has broad capabilities to gather up lots of different types of communications that were — by and large — unencrypted,” said Kalember. “That meant that without really being known to anybody, there was a tremendous amount of interesting information that they would have had access to, and they wouldn’t have had to take any risks to get access to any individual’s information that happened to be swept up in that.”
Put simply, the NSA was utilizing a widespread lack of encryption to cast a wide net and collect data. This low-risk strategy would pay off if and when a person of interest’s communications were intercepted, along with masses of useless chatter.
“Since the Snowden leaks we’ve really talked up the need for end-to-end encryption, and this has been rolled out on a massive scale, from chat apps to websites, SSL, all these different things that are out there,” said Maude. This makes widespread data collection far less relevant.
“What we’re seeing is that intelligence agencies are working around end-to-end encryption by going straight to the endpoint,” he added. “Because obviously that’s where the user is typing, encrypting, and decrypting the communication, so that’s where they can access them unencrypted.”
The Snowden leaks spearheaded an industry-spanning initiative to standardize end-to-end encryption. Now, surveillance requires a more precise approach, where the focus is on specific targets. That means accessing the endpoint, the device where the user is inputting or storing their communications.
Nothing digital is ever 100 percent secure
“The CIA’s Vault 7 leaks, by contrast to the Snowden leaks, describe almost entirely targeted attacks that have to be launched against specific individuals or their devices,” said Kalember. “They probably, in most cases, involve taking slightly greater risks of being caught and identified, and they’re much harder to do in purely clandestine terms, because it’s not being done upstream from where all the communications are occurring, it’s being done at the level of the individual and the device.”
This can be tracked directly to the Snowden leaks, via its status as a public service announcement regarding unencrypted communications. “The big thing that changed, that kind of precipitated this whole shift, was the rise of end-to-end encryption,” added Kalember.
What does this mean for the average person? It’s less likely that your communications are being intercepted now than it was a few years back.
The CIA and I
At the end of the day, worrying about the CIA spying on you as an individual is a waste of energy. If the agency has a reason to snoop on you, they have the tools to do so. It’s very difficult to avoid that fact, unless you plan to go entirely off the grid. Which, for most people, isn’t practical.
In a way, if you’re worried about the security of your data, the information included in the leak should be reassuring. With international espionage agencies and top cybercriminals using the same ecosystem of tools, there are fewer forms of attack to be concerned with. Practicing good security habits should protect you against the biggest threats, and some of the precautions you can take are simpler than you might expect.
A recent report on Windows vulnerabilities published by Avecto found that 94 percent of vulnerabilities could be mitigated by removing admin rights, a statistic that could help enterprise users keep their fleet of systems secure. Meanwhile, personal users can reduce their changes of being breached simply by looking out for phishing techniques.
“The thing with security is that nothing digitally is ever 100 percent secure, but you know there are measures you can take that make your security much better,” said Maude. “What the CIA leak shows us is that the measures you can take to defend yourself against cybercriminals using common ransomware tools are broadly the same measures you can take to defend against the CIA implanting something on your system.”
The Vault 7 papers aren’t a call for panic, unless you’re an individual that the CIA might already be interested in investigating. If knowing that the CIA can listen to your conversations through your TV scares you, then it probably doesn’t help to hear that career criminals who make a living through extortion and blackmail have access to the same tools.
Fortunately, the same defenses work just as well against both parties. When matters of online security hit the headlines, the takeaway is usually the same; be vigilant and be prepared, and you’ll most likely be ok.