Documents included in yesterday's WikiLeaks Vault 7 dump reveal the CIA used code from public malware samples to advance its technical capabilities.
A special operational group existed in the CIA named Umbrage, which was tasked with reviewing public malware and embedding selected features into custom CIA hacking tools. According to one document, the Umbrage team and its purpose were described as follows:
The Vault 7 dump, which WikiLeaks claims it received from government contractors and hackers, did not include any actual malware samples, but only the internal CIA documentation.
The Umbrage documentation hints the CIA may have reused malware code from multiple malware families. Most entries are attributed using a generic "Known Malware" tag, but for some, the malware's name is included. According to leaked documents, the CIA "borrowed" code from:
According to another Umbrage file, the CIA had also explored the idea of using code from the Hacking Team, an Italian spyware maker that sold malware to government agencies and that was hacked in 2015, after which its malware was dumped online.
The dumped document reveals the CIA collected the Hacking Team data and in August 2015, two months after the hack, explored the idea of running tests and mapping its capabilities.
The CIA must have found something interesting, because the redacted document reveals that by September 2015, the Agency decided to expand its search to all the Hacking Team files, including emails and internal docs, not just the malware and exploit samples.
While the leaked files hint the CIA reused some of this code to cut costs, WikiLeaks proposes another theory.
According to the organization, the CIA reused code from public malware samples to "misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from."
WikiLeaks also said the Umbrage group reused code from malware stolen from other states, including the Russian Federation, information that many publications are now using to question the US attribution of last year's DNC hacks to Russia.