Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef
Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings
Analysis The fate of the man accused of leaking top-secret CIA hacking tools – software that gave the American spy agency access to targets' phones and computer across the world – is now in the hands of a jury. And, friend, do they have their work cut out for them.
Joshua Schulte stands accused of stealing the highly valuable materials directly from the CIA’s innermost sanctum and slipping them to WikiLeaks to share with the rest of the planet. Federal prosecutors have spent the past four weeks explaining exactly why they believe that to be the case. And Uncle Sam's lawyers have developed a compelling case to send Schulte away for virtually the rest of his life.
But Schulte’s lawyer, Sabrina Shroff, has picked away at that seemingly watertight case, and pointed out, countless times, that the evidence against her client is dangerously thin. Schulte is the fall guy, she argues; the victim of an agency that decided he was responsible, and then used its extraordinary analytical focus to nail him regardless of his innocence.
The CIA may have wished the trial never happened, because, in the course of events, the picture of what actually happens in the darkest corners of what may be the most powerful institution on Earth is not one of the highest caliber of professionals working in their nation’s best interests. Instead, the leak of the world’s most dangerous hacking tools, code-named Vault 7, may have stemmed from a rubber-band fight that got out of hand.
We reported earlier that Schulte’s lawyer started her defense of him by stressing how much of an asshole he is. Just as incredibly, she closed her argument for his innocence in the same way: “I told you that Mr Schulte was a difficult man. He was a difficult employee, and I told you that there was no doubt about that. I told you that the evidence would show that, and that's what the government showed you. For four weeks, that's what they showed you.”
She’s not lying. Schulte came across as an impossible, arrogant, and vindictive co-worker. When he ended up in a dispute with another employee, Amol, Schulte lodged a formal complaint saying Amol had threatened to kill him, knowing that would put Amol in a very difficult position. It did, though a CIA probe concluded Amol hadn’t done any such thing. But such was the value of these two difficult but brilliant men to the agency that they kept them both, simply moving them to different departments and floors.
Employee after employee, all the way up to Schulte’s boss’s boss’s boss, testified Josh was a royal pain in the ASCII. But let’s let his own lawyer Shroff tell you in literally her closing words: “They proved to you that, yes, you can properly call him Voldemort or Vault Asshole or Asshole or Jason Bourne or John Galt. They have given you evidence of all of that. But one thing that you cannot call him, after four full weeks, because the evidence isn't there, you cannot call him guilty. Please acquit.”
Those names, incidentally, were chosen by Schulte himself for various aliases he used. One that Shroff didn’t mention but the government’s lawyer did was also telling: King Josh.
“Josh Schulte is no patriot. Far from it. He's vengeful and he's full of rage, and he's committed crimes that have been devastating to our national security,” prosecutor Matthew Laroche told the federal district court, in New York City, in his closing arguments [PDF]. “King Josh. That's what the defendant thinks of himself. Well, King Josh got caught. And all of his lies, all of his deceptions have come crashing down in this case.”
To be fair, it wasn’t King Josh, it was “KingJosh3000” – one of many names he used in his job as a CIA sysadmin. The handle KingJosh3000 proved critical in the case because it was the one username the government found that, allegedly, connected Schulte to the theft of the hacking tools. He had, according to the prosecution, carefully and methodically deleted all the logs that showed his removal of gigabytes of data from the CIA’s server. But KingJosh3000’s session was missed from the data wipe, and it was that ID that he used to access a backdoor into the system after he had been officially booted off, we were told.
Sysadmin and out
The fact Schulte had been actively blocked and had his admin rights revoked on several servers was used by both the prosecution and defense as evidence of their arguments. The prosecution noted Schulte had previously been kicked off systems as an admin and in response, both out of spite and in order to demonstrate his superiority, he found his way back in and set up new accounts.
Schulte was formally warned that in the aftermath of Edward Snowden's disclosures, this type of behavior was viewed extremely poorly, and he was made to sign a statement apologizing and promising not to do it again. But in that very same interview, his superior told the court, Schulte made it plain that he could, and would, do it again.
That behavior painted a big red target on Schulte's back: one that led the CIA to believe it was definitely him who stole the files when they were publicly distributed one year later by WikiLeaks, long after he had left the agency. But his defense argued that same red target caused the CIA and FBI to decide he was the guilty party and then build a case around proving it, rather than looking at all the evidence and figuring out who the real culprit was.
All this raises a question, though: just how bad is the CIA’s security that it wasn’t able to keep Schulte out, even accounting for the fact that he is a hacking and computer specialist? And the answer is: absolutely terrible.
The password for the Confluence virtual machine that held all the hacking tools that were stolen and leaked? That’ll be
123ABCdef. And the root login for the main DevLAN server?
It actually gets worse than that. Those passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew. Their justification? The intranet was restricted to members of the Operational Support Branch (OSB): the elite programming unit that makes the CIA’s hacking tools.
Not well liked
The truth is that the sort of person who can write exploit code to infiltrate devices that many thousands of other engineers go to enormous lengths to make as secure as possible is not going to be your average federal staffer. But even within this group of difficult people, Schulte stood out as especially hard to deal with.
His feud with Amol was extraordinarily petty. It started with flicking rubber bands and, later, firing Nerf guns at his nemesis. He was furious when Amol was given a desk with a window and he wasn’t. In fact Schulte had a long stream of perceived slights that he stewed on, and which led him to behave appallingly to his colleagues. We know this because the FBI found reams of notes written by Schulte outlining his anger and his plans for retaliation against Karen, Jeremy, Matt, Dave, Tim… in fact just about anyone he ever worked with.
Some of those notes went back years. And the Feds found them when it went through his new apartment that was still full of unpacked boxes in the days immediately after the CIA files were put online by WikiLeaks. It didn’t find the notes in the boxes, however: Schulte had unpacked them and kept them in the headboard of his bed. Yes, he’s that guy.
And it is Schulte’s habit of writing down his darkest thoughts that may end up sending him to jail for the rest of his life. Because the truth is that despite a forensic study of every device he touched at the CIA and in his home, the US government was not able to find a piece of irrefutable proof that linked Schulte to the theft and disclosure of the hacking tools.
It has lots of logins and logouts, and plenty of circumstantial evidence of him being in the building when unusual things to backups happened but – assuming he did actually do it – Schulte is simply too good at his job to be caught accessing computer networks. It was why the CIA hired him in the first place, and why it continued to put up with his antics when anyone else would have fired the cranky techie long before.
He did not apply the same degree of information hygiene to written documents, however. So when the FBI raided his jail cell on a tip-off he was using a secret phone to send classified information and conduct an “information war,” they found a notebook [PDF] filled with his plans, in his handwriting, that included things like “ask WikiLeaks for my code,” angry rants about his family failing to publish articles he had written, and his willingness to cause severe embarrassment to the US government unless his case is dropped.
The prosecution made a big play of these notes and of scheduled tweets it found on his contraband Samsung phone (which, interestingly, he had obtained in exchange for an iPhone in prison because the Samsung let him download and install the apps he wanted to use.)
In the notebook, he wrote clear instructions to himself on how to get information out of jail without it being traced back to him: "Create new ProtonMail firstname.lastname@example.org; Migrate WordPress to ProtonMail; Clean up apps; Reset factory phone; Set up WhatsApp app, Signal, Telegram, all with different numbers; Research Gmail; delete deleted email."
And it may be this activity that leads the jury to decide, beyond a reasonable doubt, that Schulte is ultimately guilty of stealing and leaking the CIA hacking materials: he doesn’t exactly come across as an innocent man.
“The defendant did this because he was angry. The defendant did this because he wanted to punish the CIA. The defendant did this because he always has to win, no matter the cost,” the prosecution argued to explain his motivation. It made the same point later on: “We are here today because he is an angry and vindictive man. The evidence has shown in this case that the defendant is someone who thinks the rules do not apply to him. He thinks CIA's access rules don't apply to him. He thinks classification rules do not apply to him. He thinks prison rules do not apply to him. He even thinks that this court's own orders don't apply to him.”
As for Schulte’s lawyer, she argued that while his behavior was reprehensible, it is still far from proof that he actually stole and leaked the tools in question. “Compare his prison writings to the way he writes at the CIA, and you can see he's falling apart,” she argued. “But what does the government want you to believe about these writings? The government wants you to believe this is some kind of planned army-like information war against the United States.”
Later: “Look, I'm not going to stand here and tell you that using a cell phone in a prison is right. It's not. It's against the rules. It's not in keeping with the prison rules. Did he use a cell phone? Yes, he used a cell phone, but that's not what he's charged with. If he was charged with using a cell phone, sure, find him guilty of that. But that is not what he's charged with… They want you to focus on [that] conduct because that is the only way they can get you to think that he did the other crime.”
So who did do it?
Which leads to the question: OK, if it wasn’t Schulte, how did these top-secret exploits find their way out of the CIA and onto WikiLeaks?
His lawyer has two answers to this question. First is the frankly astonishingly lax security around the CIA’s system – something the CIA’s own internal reports acknowledge. Listing the various CIA witnesses who had been called in, Shroff noted: “Each one of them told you that DevLAN was wide open. There were no controls, there were no user controls, users shared passwords, passwords were weak, passwords were stored openly. There were no audit logs. There was no login activity checks. Anyone could connect the DevLAN workstation computer to the internet just by taking the Ethernet cable from one computer and plugging it into the other.”
She goes on: “These are not the defense's words. These are words out of the CIA. ‘Day-to-day security practice had become woefully lax. Most of our sensitive cyber weapons were not compartmented, the CIA admits users shared system administrator level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.’ This is all in the exhibit. It goes on to tell you, ‘The stolen data resided on a mission system that lacked user activity monitoring, it lacked a robust server audit capability,’ and then it says ‘The CIA did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March of 2017. Had the data been stolen for the benefit of a state adversary and not published, we would still be unaware of the loss.’”
Whichever way you cut it, that is a pretty damning assessment – from the CIA itself – of its own security standards. How can a jury convict a man based on evidence that doesn’t exist?
And then, just to add the exact kind of twist that you would expect in a story about the CIA and clandestine shenanigans, there is the case of “Michael.”
Michael was a co-worker of Schulte’s, and they were, reportedly, friends insofar as any of them were friends with one another.
While Schulte was allegedly stealing the documents – which the CIA says he did by creating a backup of the machine holding the tools, saving that backup to a portable storage device, and then reverting the system back to before the backup, deleting all the logs on the way – he was also chatting over IRC with Michael. It was April 20, 2016, around 5.30pm.
Joshua Schulte asked Michael if he was going to the gym. Michael said he was. Josh arranged to meet him there. But when he didn’t turn up, Michael asked Josh what was going on, and Josh explained that one of their co-workers had kept him talking over some matter for 30 minutes.
He’s a pain in the ASCII to everybody. Now please acquit my sysadmin client over these CIA Vault 7 leaking chargesREAD MORE
It is possible Schulte was trying to keep Michael away from his screen while he stole the CIA’s most valuable hacking tools. And it seems that Michael was suspicious. Because in the reams of electronic documents the FBI went through during its investigation, it found a screenshot Michael had taken, on his computer, that showed him monitoring the exact server the tools were stolen from while they were apparently being stolen.
Michael never mentioned the screenshot. And when quizzed about it, he admitted he had taken it but refused to discuss it any further. And he wasn’t obliged to either: any interview of a CIA agent by the FBI is voluntary.
However, one day after Michael refused to explain why he had a screenshot of the server while its contents were being drained, the CIA put him on administrative leave, noting that it “views Michael's lack of cooperation as a significant and untenable risk to the security of the operations on which he now works and any new tools he deploys."
It also explained that Michael was being suspended for “his unexplained activities on the computer system from which the ... data was stolen, known as the DevLAN, and raises significant concern about his truthfulness, trustworthiness, and willingness to cooperate with both routine reinvestigation processes and the criminal investigation into the theft from his office.”
Michael testified against Schulte at his trial. But he never mentioned being put on leave, and the government only supplied the suspension to the defense after he started testifying, removing any real opportunity Shroff had to dig into what had happened [PDF] and why.
She still doesn’t know. Nor do the jurors. They now have to decide whether Joshua Schulte – King Josh, the Vault Asshole – is guilty of selling out the CIA, and put him away for most of the rest of his life, or whether he was just a difficult man in an extraordinary job who has been setup, knowingly or not, by a spy agency intensely embarrassed by the loss of some of its most valuable weapons. ®