A Manhattan federal judge on Monday declared a mistrial in the case against ex-CIA employee Joshua Adam Schulte, who was accused of stealing a huge cache of classified hacking tools – dubbed Vault 7 – from the US Central Intelligence Agency and leaking it to WikiLeaks.
WikiLeaks called the initial document dump – published on 28 February 2017 and containing 8,761 documents and files – “Year Zero”. It included documents and files from an isolated, high-security network inside CIA headquarters in Langley, Virginia.
Year Zero painted an intimate picture of the US’s cyber-espionage efforts: Vault 7 included cyberattack tools including malware, viruses, Trojans and weaponized zero-day exploits, including those that target a wide range of big tech companies’ most popular products: iPhones, Wi-Fi routers, Android devices, and IoT gadgets. In fact, the dump made one thing clear: the CIA can use the Internet of Things (IoT) to hack anything, anywhere.
Schulte was working at the CIA’s Engineering Development Group at the time of the code theft. He was charged with 13 counts in connection with the alleged theft of national defense information from the CIA; giving the huge cache to WikiLeaks; criminal copyright infringement; and receiving, possessing and transporting about 10,000 child abuse images and videos.
The FBI claimed to have found an “encrypted container” with child abuse imagery files tucked beneath three layers of password protection on Schulte’s PC. The FBI accused Schulte of maintaining lousy security, saying that each layer was unlocked using passwords Schulte previously used on one of his cellphones. FBI agents also claimed to have identified internet chat logs in which Schulte and others discussed distributing child abuse imagery as well as a series of Google searches for such imagery that Schulte allegedly conducted.
Schulte pleaded not guilty to the charges, claiming that the images were on a server he’d maintained for years in order to share movies and other digital files. He argued that between 50 and 100 people had access to that server, and any one of them could have been responsible for the illegal content.
The jury found Schulte guilty of lying to the FBI and of contempt of court. But when it came to the far more serious charges of turning over the spy tools to WikiLeaks, the jury couldn’t reach consensus. Schulte, 31, still faces up to five years on the lesser counts.
On Monday, after US District Judge Paul Crotty declared a mistrial, he ordered both sides back to court on 26 March 2020, when the government is expected to push for a new trial.
The mistrial is embarrassing: prosecutors spent years pulling the case together, and they devoted four weeks of testimony in an effort to portray Schulte as a vindictive and disgruntled employee who put US security at risk by leaking information on how the CIA spied on foreign adversaries.
Prosecutors portrayed the Vault 7 leak as a well-planned theft orchestrated by Schulte, whom they claim gave hackers access to the CIA’s top-secret hacking tools.
According to The Register, the CIA has had a rough time proving that it was Schulte who stole the tools from a secure server in the heart of CIA headquarters. The agency has come up with a convoluted explanation for how he might have pulled off the heist by saving a backup to a thumb drive and then reverting the system to a previous state to cover his tracks, but in the end, all it has is circumstantial evidence. The government hasn’t been able to show any direct proof that Schulte sent the files to WikiLeaks.
The CIA has tried to fill in the gaps by pointing to how Schulte has acted before and after the confidential documents were stolen, including that he downloaded Wikileaks’ cover-your-tracks software. Also, while in prison, Schulte had a contraband phone with which he opened a Twitter account – named @freejasonbourne, referring to the fictional CIA operative played by the actor Matt Damon – so that he could, as the prosecutors put it, launch an “information war” against the US.
Schulte’s defense lawyers have argued that the CIA’s computer network not only had crappy passwords – 123ABCdef and mysweetsummer among the main ones – but that those weak passwords were also published on the department’s intranet. The defense also argued that the network had widely known security vulnerabilities, the New York Times reports. Thus, it’s possible that other CIA employees, or foreign adversaries, could have breached the system.
On Monday, the jurors deadlocked on eight counts, including illegal gathering and transmission of national defense information. It’s no wonder they’ve been unable to reach agreement on Schulte’s guilt or innocence – the “there’s more here than meets the eye” is strong with this one.
The Times’ description of the “scramble” inside CIA headquarters following the discovery of the leak includes this scene:
Sean Roche, a top CIA official at the time, said he got a call from another CIA director who was out of breath. ‘It was the equivalent of a digital Pearl Harbor,’ he testified.
Schulte’s defense called their client an easy scapegoat: somebody who, having filed complaints about prank-playing, Nerf gun shooting colleagues, just didn’t quite fit in. “He had antagonized virtually all of his co-workers at the CIA,” the Times succinctly puts it.
The Register has yet more details about another suspicious character: one of Schulte’s colleagues, identified only as “Michael,” who was found to have a screen capture of “the very server the Vault 7 tools were stolen from at the time that they were allegedly being stolen.”
Hmm… that’s unusual, the government has admitted. Michael didn’t say he was actively monitoring the server at the time, and the screengrab only showed up months later in a forensic deep dive by the Feds, the Register reports.
When asked about it, Michael refused to cooperate, and the next day the CIA suspended him.
No wonder the jury was hung. This case is murky, which is most particularly dismaying given the high stakes involved.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.