Photo Illustration by Lyne Lucien/The Daily Beast

Though Russian hackers are not the most likely source behind Tuesday’s WikiLeaks document dump, Russia is certainly taking advantage of it—with bots spreading false memes.

By Kevin Poulsen, The Daily Beast

For the second time in a matter of months, U.S. intelligence agencies have suffered a devastating breach of their hacking secrets.

But unlike the last breach in August, an American Central Intelligence Agency worker, not Russian hackers, is the most likely source of a new tranche of documents detailing the methods and tools used by the CIA to steal secrets from foreign governments and terror groups—though some experts have seen signs that Russia is working overtime to take advantage of the disclosure.

Tuesday’s document dump, titled “Vault 7, Year Zero” by WikiLeaks, details the capabilities and culture within the CIA’s secretive Center for Cyber Intelligence in Langley, Virginia. The leak portrays a robust, if not unique, computer-intrusion capability inside the CIA, accented by a few James Bond novelties, like special snooping software intended to be carried into an adversary’s lair on a thumb drive, where a CIA asset plugs it into a USB port. Another program, code-named Weeping Angel, turns a Samsung smart TV into a covert listening device.

The leak follows an incident last August when a mysterious group or individual called the Shadow Brokers began publishing hacking tools stockpiled by the NSA’s elite Tailored Access Operations group, including dozens of backdoor programs and 10 exploits. Experts suspected the Shadow Brokers were a shot across the bow by Russia’s intelligence services.

But the CIA leak could be worse for U.S. intelligence, because it includes code from the agency’s malware development frameworks. Using that code, security experts and counterintelligence agents could sniff out a variety of CIA malware. “For the CIA this is huge loss,” said Jake Williams, founder of Rendition Infosec. “For incident responders like me, this is a treasure trove.”

The hacking files are the second WikiLeaks disclosure from a tranche of CIA documents it calls “Vault 7.” The first, in February, showed that the CIA closely monitored the 2012 French election, an unsurprising revelation that nonetheless fueled charges of American hypocrisy.

Tuesday’s data dump was similarly met with a rapid wave of social-media fury, most of it mischaracterizing the leak’s content. Perhaps significantly, the most common meme purports to clear Vladimir Putin in the 2016 U.S. election hacking. It was the CIA that actually hacked the Democratic National Committee, the story goes, using the Kremlin’s malware to frame Russia for the breach. In one version of the meme, it was all done “to justify spying on Trump”—an apparent reference to the president’s recent assertion that the Obama administration wiretapped Trump Tower.

The basis of that false claim is a leaked CIA resource called “Umbrage,” a catalog of malicious code samples captured in the wild by the government or computer-security firms. The leak shows that CIA hackers are encouraged to reuse that public malware in their own hack attacks when possible, in part to make it harder to attribute the breach.

But as described in the leak, the Umbrage library is primarily a shortcut for CIA code jockeys who don’t want to write, for example, a Windows keystroke-logging function from scratch, when there are plenty of keyloggers crawling around our crimeware-clogged Internet already. The leaked catalog isn’t organized by country of origin, and the specific malware used by the Russian DNC hackers is nowhere on the list. Needless to say, the documents say nothing about framing another nation’s intelligence service. But by the end of the day Tuesday, the alt-right news site Breitbart was promoting the false claim.

Other memes claim falsely that the leaks show all Skype conversations are stored in the CIA cloud, that President Obama used CIA hackers to spy on President Trump, and cite the CIA’s 2014 interest in hacking onboard automotive systems as a hint that the agency assassinated Rolling Stone reporter Michael Hastings, who died in a high-speed crash in 2013.

Robert M. Lee, founder of the cybersecurity firm Dragos, finds the rapidity, consistency, and overwhelming volume of the falsehoods suspicious, particularly the meme purporting to vindicate the Kremlin. He suspects that bots have been deployed to push the tall tale on Twitter. “That narrative emerged far too quickly to have been organic,” said Lee. “There is certain narrative terminology and sound-bites that are consistent among multiple accounts. That usually speaks to some sort of automation or coordination.”

“A lot of the things that were highlighted are clearly intended to drive a wedge between the president and the intelligence community,” said Lee, “which is terrible for the country.”

A similar dynamic was seen during WikiLeaks’ election leaks, when legitimate revelations about the Democratic Party were often accompanied by far juicier reports on social media—often in .gif form—falsely citing the stolen emails. U.S. intelligence later assessed that the Kremlin had legions of paid trolls circulating critical and outright false narratives on social media as part of the campaign to throw the election to Trump.

A key difference this time is that by all evidence the CIA disclosures are genuine leaks from inside the agency, not the result of a hack. Few say they think the agency was breached by Russia the way the DNC was, which means a CIA employee or contractor with a top-secret clearance is likely the source. The most recent file in the cache appears to date to February 2016, so it’s possible the leaker passed the documents to WikiLeaks before the group was known for laundering the ill-gotten gains of Vladimir Putin’s hackers.

That person’s identity will be an obsession in intelligence circles, and his or her motives a subject of endless speculation outside. WikiLeaks normally doesn’t comment on sources except to deny Russia’s involvement, but Julian Assange broke with that tradition this time to claim that the files had already leaked to former government hackers and contractors, one of whom then passed the tranche to WikiLeaks. The source wanted to spark a public debate on policy questions, Assange wrote, “including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.

“The source wishes to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons,” Assange added.

Williams, a former U.S. government hacker himself, says WikiLeaks might well be telling the truth about the leaker’s motives. “It could just be someone concerned about civil liberties,” he said. But regardless of why they were leaked, the CIA documents put Trump in a tough spot. “He’s openly praised WikiLeaks previously,” said Lee. “Now he’s dealing with what’s ultimately going to be an intelligence collection disaster.”

By Kevin Poulsen, The Daily Beast