The epic evil of the Vault 7 CIA hacking tools


“Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, it is the largest ever publication of confidential documents on the agency.”

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” […]

“By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.”

Analysis (some bits and bobs)

“The EDG (Engineering Development Group) is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.” […]

“As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone.”

Other headings:

CIA malware targets Windows, OSx, Linux, routers

CIA ‘hoarded’ vulnerabilities (“zero days”)

‘Cyberwar’ programs are a serious proliferation risk

U.S. Consulate in Frankfurt is a covert CIA hacker base

How the CIA dramatically increased proliferation risks

“Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.”

Evading forensics and anti-virus

“Tradecraft DO’s and DON’Ts” contains CIA rules on how its malware should be written to avoid fingerprints implicating the “CIA, US government, or its witting partner companies” in “forensic review”. Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (pdf), describing targets & exfiltrated data (pdf) as well as executing payloads (pdf) and persisting (pdf) in the target’s machines over time.

CIA hackers developed successful attacks against most well known anti-virus programs.

“The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch‘s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.”

Fine Dining

(far beyond my to grasp its significance.)


Now Mike Pompeo was the head of Trump’s CIA from 2017 to 2018, so this was exceptionally personal to him.
(Oscar Grenfell): “At the appeal hearings, the defence spotlighted a recently-published Yahoo News report [by Michael Isikoff], which documented plans by the Trump administration and the Central Intelligence Agency (CIA) to kidnap Assange or assassinate him when he was a political refugee in Ecuador’s London embassy in 2017.

Based on the anonymous statements of more than thirty former US officials, the article made clear the murderous plans were hatched in retaliation for Assange’s exposure of mass CIA spying and hacking operations. Officials explained that the US Justice Department cobbled together its indictment of Assange, over separate WikiLeaks publications, so that there would be a pseudo-legal cover if the CIA proceeded with its kidnap plan.”

@wikileaks had Tweeted:

‘Mike Pompeo threatens sources implicating him as chief architect in conspiracy to Murder Assange’

Pompeo: Sources for Yahoo News WikiLeaks report ‘should all be prosecuted’, Michael Isikoff and Zach Dorfman, September 29, 2021

There were some who had hoped that when Biden would steer this Ship of Fools that he would save Julian Assange.  Not.So.Much.

The alleged leaker of the Vault 7 material is ‘former CIA member’ Joshua Schulte who was arrested in August 2017 and has been awaiting his trial in Manhattan’s Metropolitan Correctional Center, when he was discovered phoning and texting from his jail cell.

He has since been moved to a SAM Unit in the prison.

From Kevin Gosztola, ‘US Justice Department Tries To Stifle Alleged WikiLeaks Source’s Challenge To Cruel Confinement’

“Schulte is allegedly denied proper heating and air conditioning, and the cells in 10 South, the SAMs unit, lack insulation. This means he wears “four sets of clothing, five sets of socks, a sweatshirt and sweatpants, two blankets, three sets of socks on his hands, and still freezes when the temperature in his cell plummets below freezing and water literally freezes in his cell.”
The warden and MCC staff, the complaint argues, are “aware and indifferent to this barbaric torture.”
Schulte has not been outside in over two years because there is no outside recreation available to SAMs detainees. He cannot even see the world outside his cell because windows are blacked out.
“Despite Mr. Schulte’s congenital heart issues and ongoing cardiologist appointments, he has not seen a doctor since his trial in February 2020. Additionally, Mr. Schulte has not once seen a dentist at MCC.”

The US had indicated at one point that additional espionage charges might be added at a later date. My guess is that they’d been hoping to flip Schulte to States Evidence.

Yes, they hope he dies in prison. (h/t Mr. WD)

‘Julian Assange Suffered Stroke During October Court Appearance, Fiancee Reveals’, sputnik news, Dec. 12

(apologies; I can’t afford to read it just yet.)

(cross-posted at

2 responses to “The epic evil of the Vault 7 CIA hacking tools”

  1. And is hacking & publishing CIA tools now “journalism”?
    I mean, Russia must have been thrilled, but hardly your typical NYTimes approach.

  2. And is helping Ed Snowden escape to Moscow “journalism”?

care to comment? (no registration required)
