An ‘elite team’ of hackers and security experts worked at the CIA to develop new tools and programs for hacking into targets; but their own security was so poor that they were easily hacked and their tools stolen.
It has been three years now since the publication of the so-called ‘Vault 7’, the largest leak of classified information in history; somehow WikiLeaks had gained access to the latest ‘cyber-weapons’ developed by the CIA to hack their enemies.
Thanks to the 8,761 documents initially leaked, the world learned how far CIA hackers had advanced in the search for exploits and vulnerabilities in programs and systems used daily by millions of people, all in secret.
When the secrets of the CIA became public
WikiLeaks released this information in dribs and drabs, so that every few years we discovered something new, such as the tool used by the CIA to remotely control the malware it had developed.
It was also evident that the US agency had catalogued hundreds of vulnerabilities in iOS, Android, Windows and other operating systems, which were not yet known and therefore had not been fixed; this is what is known as a ‘zero day attack’, or ‘0-day’.
As the CIA’s own researchers have acknowledged, the so-called ‘elite team’ focused so much on developing new tools for hacking that they put aside the task of securing their own systems.
The report details ‘woefully lax’ security protocols that could have allowed virtually anyone with minimal knowledge to enter the team’s private network and find what they were looking for.
The tools and exploits developed by the team were easily accessible, and the most dangerous ones even shared space with the others; and because history was kept for all users, it was easy to see what had been created, when, and where it was.
Even more shocking, CIA employees made the serious mistake of sharing passwords that carried a higher level of access, something that any company, and even private users, know to avoid as a basic precaution.
Nor did the offices have protections to prevent someone from, for example, simply plugging in a USB memory stick and copying whatever files they wanted; no one would have noticed.
They didn’t even catch the culprit
In fact, the CIA did not know that its files had been stolen until they were published by WikiLeaks; that is when this report was ordered.
Apparently, the CIA was aware that more security measures were needed, given the number of attacks suffered in recent years by other US agencies; but researchers believe it was ‘too slow’ to implement them.
The report was part of the evidence against Joshua Schulte, a former CIA employee who was accused of stealing information; he is the prime suspect after a leaked file was discovered on one of his computers.
However, the defense used the report to argue that anyone could have gained access to the stolen data. As a result, the trial was declared void, although the prosecution has promised to reopen the case.