Alleged Vault 7 leaker was busted because of basic security blunders

The FBI has indicted the ex-CIA agent allegedly behind the Vault 7 mega-leak of his former employer’s cyber weapons.

The United States Department of Justice (DOJ) announced on Monday that it’s charged Joshua Adam Schulte with 13 counts in connection with the alleged theft of national defense information from the CIA; giving the huge cache to WikiLeaks; criminal copyright infringement; and receiving, possessing and transporting about 10,000 child abuse images and videos.

The FBI says that it was Schulte’s poor opsec – for one thing, he allegedly reused cellphone passwords on all three layers of password protection that were used to (feebly) lock up an incriminating, encrypted file – that got him busted.

From the FBI’s news release:

The Encrypted Container with the child pornography files was identified by FBI computer scientists beneath three layers of password protection on the Personal Computer. Each layer, including the Encrypted Container, was unlocked using passwords previously used by SCHULTE on one of his cellphones. Moreover, FBI agents identified Internet chat logs in which SCHULTE and others discussed their receipt and distribution of child pornography. FBI agents also identified a series of Google searches conducted by SCHULTE in which he searched the Internet for child pornography.

Schulte was initially arrested on 24 August, 2017, on the child abuse charges. During a March 2017 search of his home, the FBI had seized computers, servers, and other storage devices, including Schulte’s personal desktop computer.

That’s where they found the encrypted file. In September, Schulte pleaded not guilty to the charges, claiming that the images were on a server he’d maintained for years in order to share movies and other digital files. He argued that between 50 and 100 people had access to that server, and any one of them could have been responsible for the illegal content.

Schulte has also argued that his having filed reports about “incompetent management and bureaucracy” at the CIA made him out to be a disgruntled employee when he left in 2016. He’s described himself as the “only one to have recently departed [the CIA engineering group] on poor terms.”

Schulte has also claimed that a planned vacation to Mexico with his brother led the FBI to make a “snap judgment” to target him because it looked like he was guilty of the leaks and was trying to flee.

Schulte claims to have initially cooperated with the FBI’s investigation, but then, following the March 2017 search of his apartment, prosecutors waited six months to bring the child abuse charges.

WikiLeaks called the initial document dump – published on 28 February 2017 and containing 8,761 documents and files – “Year Zero”. WikiLeaks claimed that the Vault 7 series of leaks would be the largest dump of confidential CIA documents in history.

The hacking arsenal painted an intimate picture of the US’s cyber-espionage efforts.

The cyber-attack tools included malware, viruses, Trojans and weaponized zero-day exploits, including those that target a wide range of big tech companies’ most popular products: iPhones, Wi-Fi routers, Cisco switches, Android devices, Windows and even Samsung TVs, which could apparently be turned into covert microphones.

Schulte was working at the CIA’s Engineering Development Group at the time of the code theft, prosecutors said.

The DOJ’s announcement included this statement from Manhattan US Attorney Geoffrey S. Berman:

Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization.

During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.

In May, Ars Technica cited a statement from a defense attorney at a January 2018 hearing who said that more than 8,000 CIA documents had at that point been published in the Vault 7 series: a “major embarrassment” to US intelligence.

As it was, when the Vault 7 breach happened, intelligence officials were still smarting from the hurt put on them by the Shadow Brokers: a mysterious group who implied that they’d hacked about $500m worth of National Security Agency (NSA) cyberweapons in August 2016.

In November 2017, an opinion piece in The Hill questioned the lack of arrests in the cases of the Shadow Brokers, Vault 7 and Vault 8 (a subsequent WikiLeaks dump that came in mid-November and contained, for the first time, source code for CIA spying tools).

Investigators’ inability to figure out who the Shadow Brokers are – Russians? North Koreans? A trusted insider? All three? – “should keep us up at night,” according to the opinion contributor, Eric O’Neill.

Well, if the charges against Joshua Schulte stick, investigators are likely going to be able to hold their heads up a bit higher. Of course, that won’t undo the fact that their pockets were turned inside out by the Vault 7 leak, the contents displayed for all to see.