Vault 7: the published collection of hacking tools CIA

Press release


7 March 2017, Wikileaks began publishing a new series of secret documents of the Central intelligence Agency of the United States. This collection of documents received from Wikileaks the name “Vault 7” (“box No. 7”), is the largest series of confidential documents about the CIA.

The first part of the collection — “Year Zero” — contains 8761 file from isolated network with a high degree of protection, which is in the Center kiberrazvedki of the CIA in Langley, Virginia. A continuation of those leaks, which were published in February and which related to the operations of the CIA against the French political parties and candidates in the run-up to presidential elections in France 2012.

Recently, the CIA lost control over the main part of his Arsenal of hacking, including malware, viruses, Trojans, weaponized 0day exploits (“zero day exploit”), a system of remote control of malware and corresponding documentation. This incredible leaked, which includes several hundred million lines of code, gives the owner full hacker the Arsenal of the CIA. This archive, apparently, was distributed in an unauthorized manner among the former hackers of the U.S. government and its contractors, one of which gave WikiLeaks a part of this archive.

Year Zero demonstrates the true magnitude and the direction of the global hacking secret CIA program, its Arsenal of malicious programs and dozens of 0day exploits that have been used against a wide range of American and European devices and products, including Apple’s iPhone, Google’s Android, Microsoft’s Windows and even TVs of the company Samsung, which turned into microphones to record conversations.

Since 2001 the CIA has the political and fiscal advantage over the national security Agency of the United States. It became known that the CIA created its infamous fleet of drones, but of the secret forces of world coverage is quite different: private a numerous army of hackers. Hacker division of the CIA freed the Agency from having to report on their often controversial operations of the NSA (his chief bureaucratic rival) to use the hacking potential of the NSA.

By the end of 2016 hacker division of the CIA, which is formally a part of the Center kiberrazvedki this Agency had more than 5 thousand registered users and has managed to create over a thousand hacking systems, Trojans, viruses and other malware, weaponized. The scale of operations of this Department the CIA was so large that by 2016 the total size of their malicious programs exceeded the code size, managing Facebook. Thus, the CIA created its own “NSA”, which is not reported to almost anyone, and the Agency was not required to publicly answer the question about how to justify the huge expenditure on the maintenance of a competing structure.

In its statement sent to WikiLeaks, the source writes about the issues that urgently need to be put to public discussion, including the question of whether the hacker does not exceed the capacity of the CIA the authority to which he is endowed, and the problem of public control of the Agency. The source wants to initiate public debate on the issues of security, creation, use, distribution, and democratic control of cyberweapons.

In the event that the Agency loses control of one or another liberorum, it will spread around the world within seconds and can be used by States adversaries, the cyber-mafia and even the hackers are teenagers.

Editor of WikiLeaks Julian Assange (Julian Assange) said: “There is a big risk of proliferation in the development of cyber weapons. The uncontrolled spread of such a “weapon” arising from the impossibility to restrain him and his high market value, can be compared with the international arms trade. However, the value of Year Zero goes far beyond the choice between cybervalley and cyberworld. These leaks are of paramount importance from a political, legal and expert points of view.”

Wikileaks has carefully analyzed the Year Zero and published a substantial part of the documentation of the CIA, while preventing the spread of “combat” cyber weapons before the emergence of a consensus on the technical and political nature of the CIA program and the techniques of how such “weapons” should be analyzed, collected and published.

Wikileaks also decided to edit and depersonalize identifying information in Year Zero for detailed analysis. Among the data that were dipped, were data about tens of thousands of attacker and defender systems in Latin America, Europe and the United States. Although we are aware of nebezopasnosti of the results of any approach, we remain committed to our publishing model and note that the number of published pages the first part of “Vault 7” (Year Zero) already exceeds the total number of pages of NSA documents passed to Wikileaks by Edward Snowden and published for the first three years.


Malware attack CIA iPhone, Android and Smart TVs

Hacking programs and tools, the CIA created the so-called Group engineering (Engineering Development Group, EDG), working in the Center kiberrazvedki subordinate to the Directorate of digital innovation (Directorate of Digital Innovation, DDI). DDI is one of the five main directorates of the modern CIA.

EDG is responsible for the development, testing and operational support of all backdoors, exploits, Trojans, viruses and other types of malicious software used by the CIA in its covert operations around the world.

The increasing complexity of the surveillance technologies it brings to mind the image of 1984 by George Orwell, but “Weeping Angel” (“the Weeping angel”), which was developed by the Department of integrated devices (Embedded Devices Branch (EDB)) and that infect Smart TVs, turning them into hidden microphones, is their most vivid realization.

The attack on “smart” TVs from Samsung have been conducted in cooperation with MI5/BTSS of the United Kingdom. After infection of the TV, “Weeping Angel” introduces him into a state of apparent disconnection to his owner considered him off, although in reality the TV is turned on. In this mode, the TV performs the function of the listening device, recording the conversations in the room and sending them over the Internet to a secure server of the CIA.

In October 2014, the CIA tried to find ways to infect with malware control systems of modern cars and trucks. The goal of establishing such control are not yet clear, but it may have allowed the CIA to carry out assassinations, which are impossible to uncover.

Department of mobile devices (Mobile Devices Branch, MDB) has developed numerous programs to hack into and control over popular smartphones, opening up access to data, geolocation, audio and text messages to the user and covertly activating their camera and microphone.

Despite the fact that the share of iPhone in the global smartphone market is not so high (14.5%), and a specialized unit in the MDB creates malicious programs to infect, control and steal data from iPhones and other Apple products, iOS such as the iPad.

In the Arsenal of the CIA included many “zero-day vulnerabilities”, developed by the CIA, borrowed from GCHQ, the NSA and the FBI or purchased from such developers of cyber weapons like Baitshop. Such attention to iOS, perhaps due to the popularity of iPhone among the representatives of social, political, diplomatic and business elite.

There is another unit that specializiruetsya on Android OS by Google installed in most smartphone manufacturers, including Samsung, HTC and Sony. In the past year the world has sold 1.15 billion smartphones based on Android operating system. Year Zero documents show that, in 2016, the CIA already had 24 “paramilitary” 0day exploit that it developed independently or acquired from GCHQ, the NSA or the contractors.

These technologies allow at the system level to circumvent the protection that the popular “protected” instant messengers such as Telegram, WhatsApp, Signal, Wiebo, Confide and Cloackman, hacking phones and stealing audio and text messages before they were encrypted.

Malware the CIA attack Windows, OSx, Linux, routers

The CIA also puts a lot of effort in order to infect your with malware and control users systems Microsoft Windows. Among the needed tools can be called multiple local and remote “paramilitary” 0day-exploits, viruses, like Hammer Drill, which infect data stored on CD/DVD, virus scan for USB drives, software for masking data in image files and in hidden areas of the hard disks (Brutal Kangaroo), and to further infection.

Most of these tasks the Department performs automated implants (Implant Automated Branch AIB), which has developed multiple attacking systems for automatic intrusion and control, such as the Assassin (“Assassin”), and Medusa.

Attacks on the infrastructure of the Internet and web servers the Department for network devices (Network Devices Branch, NDB.

The CIA has developed an automated multi-platform system for intrusion and control Windows, Mac OS X, Solaris, Linux, and so on, such as HIVE and associated Cutthroat (“Cutthroat”) and Swindle (“Schemer”), as described below.

“Accumulated” the vulnerability of the CIA (“zero day exploit”)

After the revelations of Edward Snowden regarding the activities of the NSA, American technology industry has taken the Obama administration’s promise to report promptly to manufacturers, such as Apple, Google and Microsoft, all discovered serious vulnerabilities, exploits, bugs, or “zero day exploits”.

A serious security vulnerability that was reported to the manufacturers, is subjected to a great many citizens, and close to key infrastructure at risk of becoming victims of foreign intelligence or cyber criminals, who themselves will discover these vulnerabilities or hear about them from others. If the CIA can detect these vulnerabilities, the same can do the rest.

Introduced by the administration of U.S. President Barack Obama’s obligations under the disclosure device manufacturers key vulnerabilities (Vulnerabilities Equities Process) were the result of powerful lobbying campaigns American technology companies, which risk losing their share in the world market because of real and perceived vulnerabilities. The government has promised to report all discovered since 2010 vulnerabilities in an expeditious manner.

Year Zero documents show that the CIA broke a promise the Obama administration. Many of the vulnerabilities that are in the Arsenal of the CIA, are widespread and could be detected by intelligence agencies of other countries or criminals.

For example, one of malware, the CIA referred to in the Year Zero, is able to penetrate, infect and monitor and phones based on Android OS and iPhone software, with which are conducted or was conducted presidential Twitter accounts. The CIA is attacking these systems due to vulnerabilities (zero-day), which the CIA reported to the manufacturers. But if the CIA can hack into these phones, the same can be done by one who somehow finds the vulnerability. While the CIA hide the vulnerabilities from Google and Apple that produce smartphones, they cannot be eliminated, and these smartphones will be able to hack further.

These risks relate to the General population, including members of the US administration, Congress, heads of leading corporations, system administrators, security experts and engineers. Hiding vulnerabilities from manufacturers such as Apple and Google, the CIA ensures the ability to hack anyone, at the same time exposing all of the dangers to be hacked.

Program “cyberwar” carry a serious risk of the proliferation of cyber weapons

Cyber weapons cannot be kept under effective control.

While the proliferation of nuclear weapons is impossible to restrain by the enormous costs and due to the large-scale infrastructure, cyber weapons, once it has been created, it is extremely difficult to control.

Cyber weapons is only a computer program that can steal. Since they consist entirely of data, you can copy them, without spending any effort.

To keep this “weapon” is especially difficult, because the people who develop and apply, have all the necessary skills in order to copy it, leaving no traces — sometimes using the same “cyber weapons” against the organizations that provide it. The high price of such programs is a powerful incentive for government hackers and consultants as there is a global “market vulnerability”, where a copy of the cyberweapon can pay from a few hundred dollars to several million. Contractors and companies that receive such weapons sometimes use it for their own purposes, gaining advantages over their competitors in the sale of “hacking” services.

In the last three years of the intelligence sector of the United States consisting of such governmental agencies as the CIA and NSA and their contractors such as Booz Allan Hamilton, the victim of an unprecedented number of leaks which stood for their own employees.

Several representatives of the intelligence community, whose names were not disclosed, was arrested or subjected to criminal prosecution.

The most notable case was the verdict of Harold Martin (Harold T. Martin), who was found guilty on 20 counts related to the disclosure of information with limited access. The DOJ reported that he was able to catch Harold Martin 50 gigabytes of information, to which he had access in the course of working on secret programs of the NSA and the CIA, including the source code for many of the hacking tools.

As soon as one “cybererotica” out of control, it can spread worldwide within a few seconds, and they can use other States, and even cyber mafia hackers-teenagers.


The U.S. Consulate in Frankfurt is a secret hacking CIA database

In addition to its activities in Langley, Virginia, the CIA also uses U.S. Consulate in Frankfurt-on-main as a secret base for hackers, which objects are Europe, middle East and Africa.

Hackers of the CIA, working with the Consulate in Frankfurt (“European center of cyber intelligence” or CCIE) are issued diplomatic (black) passports, and provided cover for the US state Department. Judging by the text instructions for hackers-beginners, the actions of the German counterintelligence may seem insignificant: “Knowing the legend by heart, you go through German customs quickly, and the only thing they do is put a stamp in your passport”.

Your legend (on this trip)

Question: what purpose are you here?

Answer: Participate in technical consultations for the Consulate.

In the two previous WikiLeaks publications offers a more detailed description of the methods used by the CIA during the passage of customs control and re-inspection.

Arriving in Frankfurt, hackers, the CIA can travel without additional checks at the border in 25 European countries within the Schengen area, which abolished passport and immigration controls at their common borders — including in France, Italy and Switzerland.

Some methods of electronic attack used by the CIA, designed to work in conditions close to the object. These methods allow attacks to penetrate the network with a high level of protection against unauthorized access, disconnected from the Internet — for example, databases of the police on convictions and drives. In these cases, employee or agent of the CIA, or the intelligence officer for NATO, acting in accordance with the instructions, in the physical sense, penetrating interest in the computer system in the workplace. The attacker is in possession of a USB drive containing malicious software, developed for this purpose by the CIA, which is of interest computer. Then, the attacker infects and immediately downloads the data onto removable media. For example, used the Central intelligence Agency system of Fine Dining allows the CIA to use 24 apps that serve as a camouflage to distract the audience witnesses. The witnesses think that the agent launches the program to view video (e.g. VLC) that shows the slides (Prezi), playing a computer game (Breakout2, 2048) or even runs anti-virus software (Kaspersky, McAfee, Sophos). But while “distraction” app is displayed on the screen, automatically infecting a computer system, viewing and retrieving information.


How the CIA have sharply increased the danger of the proliferation of cyber weapons

To achieve their goals, which are certainly among the most exciting in living memory, the CIA organized a secret mode so that, in General, in terms of market value of the project “Vault 7” — malicious software that is used by Management as a tool to achieve these goals (sub-programs vulnerabilities “zero day”), the posts of interception (LP), as well as system management and control (C2) — special legal mechanisms (legal reason) the CIA doesn’t have.

Why the CIA decided not to classify your cyberarena, suggests that the concepts developed for military use, it is difficult to use on the “battlefield” in the framework of cyber “war”.

To attack their targets, the CIA, as a rule, it is necessary that its embedded codes reported with their management programs via the Internet. If all programs used by the CIA — built-in codes, C2 and positions of interception of information was classified, then the CIA could be prosecuted or fired for violating rules prohibiting the occupancy of sensitive information on the Internet. Therefore, the CIA secretly decided not to classify the majority of its programs used to conduct cyber espionage/cyber warfare. The US government cannot make them the subject of his copyright due to the limitations of the U.S. Constitution. This means that the creators of cyber weapons and computer hackers gaining access to this “weapon” will be able “to pirate” illegally copying it. To protect their secret malicious programs, the CIA first had to resort to disguise data.

Conventional weapons such as missiles, you can start to strike at the enemy (that is, run on an unprotected area). Close to the location of the target contact with or create the conditions for detonation and explosion of the ammunition — including his secret parts. Consequently, the military did not violate the demands of secrecy, firing ammunition containing secret items. The ammunition is likely to explode. If not, then it will not be the fault of the gunner, and against his wishes.

In the last decade, cyber-attacks, the United States, camouflage, using military jargon in order to access streams of funding directed to the needs of the Ministry of defence. For example, taken “the injection of malicious programs” (commercial jargon) or “bookmark program” (jargon NSA) called “firing” — as if carried out the firing of guns or launching missiles. However this analogy is highly questionable.

Unlike bullets, bombs or rockets, the majority of malicious programs, the CIA intended to “continue to live” in a few days or even years after reaching my “goal”. Malware the CIA did not “explode” hitting the target, but rather to constantly infect. In order to infect the device, it is necessary to introduce into this device several copies of the malware to it in the physical sense is entirely depending on this malicious program. In order for a malicious program could retrieve the data and send them to the CIA or to remain waiting for further instructions, she needs to have a connection with the system management and control, hosted on servers of the CIA, connected to the Internet. But such servers are usually secret information stored is not allowed, so the system of management and control of the CIA not to classify.

A successful “attack” on interest computer system similar not so much on shooting, using weapons systems as a series of complex maneuvers with assets in the attempt of raider capture or careful about spreading rumors in order to gain control over the management of the organization. If you can make the comparison with the military actions, the defeat the purpose, perhaps, akin to the execution of a series of military manoeuvres near the site — including surveillance, penetration, occupation, and exploitation.

Evasion of examination and action to bypass security utilities

In a number of standards, developed by the CIA, identifies the schema of a malware infection that could help forensic investigators and specialists Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens, and software companies antivirus software to describe hacker attacks and to protect against them.

Instructions about the methods of special events (Tradecraft DO’s and DON’ts), the CIA presents the rules of writing malware, allowing not to leave identification tags that give reason to speak about the involvement of “CIA, the U.S. government, or knowingly operating partners” in conducting “forensic”. Secret similar standards prescribed for such activities as the use of encryption to hide traces of the hacker, the CIA and the fact that the spread of malware, the description of the objects of attacks and extracted data, and work with useful data and the presence of the object systems over an extended period.

Hackers from the CIA have designed and carried out a successful attack to bypass most of the most famous antivirus programs. They are documented in files AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/Debugger/RE Avoidance. For example, antivirus software Comodo have been overcome by the introduction of malware, the CIA to the recycle Bin in Windows is because Comodo 6.x there’s a hole (a Gaping Hole of DOOM).

The hackers of the CIA discussed the mistake you’ve made, the hackers group Equation Group of the NSA, and how I could avoid similar mistakes malware authors of the CIA.



In the control system of the Department of technical development of the CIA (EDG) contains about 500 different projects (only some of them are marked “year Zero”), each of them have their own sub-projects, hacking and tools.

Most of these projects relate to the tools used for hacking, infection (“implementation”), control and retrieval.

Another line of development focused on the development and activities of the listening Posts (LP) and systems of command and control (C2) used for communication and control implants; special projects are used in order to attack special equipment from routers to smart TVs.

Some examples of such projects are given below. The complete list is described WikiLeaks as “Zero year” projects can be found in the table of contents.



Inept hacking techniques of the CIA to present the Agency problem. Each created their reception forms a kind of “fingerprint” that can be used by forensic investigators to establish a single source of a variety of attacks.

This is similar to the finding of traces of the same special knife on the body of different not related to each other victims. A unique way of injury creates a suspicion that the killings involved a single killer. Once reveals one of the murders in the chain, other murders most likely also be disclosed.

Department of remote devices CIA group UMBRAGE collects and stores an impressive library technician attack, “stolen” with hacking equipment manufactured in other countries, including in the Russian Federation.

With UMBRAGE and related CIA projects can not only increase the total number of types of attacks, but also to get the scent, leaving “fingerprints” of those groups, whose equipment was stolen.

Among the components UMBRAGE has keyloggers, collection of passwords, information with Webcams, deleted data, long-term storage, all privileges, maintenance of stealth, avoiding detection by antivirus programs (PSP) and techniques of observations.

Fine Dining

Fine Dining has a standard form, that is, a menu that is filled with CIA operatives. The questionnaire used by the Department of technical support Agency (OSB) in order to transform the queries operatives in the technical requirements for hacking (usually by “withdrawal” of information from computer systems) required for specific operations. The questionnaire allows the OSB to determine how to improve existing instruments for surgery, and to transmit this information to personnel responsible for the configuration of the hack software of the CIA. OSB functions as a connection between the CIA operatives and the relevant staff of the technical support Department.

In the list of possible targets in the collection specified “Employee” (“Asset”), “Messenger” (“Liason Asset”), System administrator (“System Administrator”), “Operations on foreign information” (“Foreign Operations Information”), “Foreign intelligence Agency” (“Foreign Intelligence Agencies”) and “Foreign government agencies” (“Foreign Government Entities”). It is worth noting the absence of any information about extremists or international criminals. “Operations officer” should also clarify the characteristics of the target, e.g., type of computer, used computer system, Internet connection, installed anti-virus utility (PSP), as well as a list of file types subject to confiscation, for example, Office documents, audio, video, image or types of user files. In the “menu” also requires information on whether repeated access to the target and how long can be supported by access to a computer until it is discovered. This information uses the software “JQJIMPROVISE” (see below) for series configuration of the hacking of the CIA programs appropriate to the particular needs of the operation.


“Improvise” is a set of tools for configuration, post-processing, configuration, payload and range of vector designs for research tools/extraction support for all major operating systems such as Windows (Bartender, “bartender”), MacOS (JukeBox, “jukebox”) and Linux (DanceFloor, “dance floor”). Its configuration utility, for example, Margarita, allows NOC (operations center network) to personalize the instruments according to the requirements profiles “Fine Dining”.



HIVE is a complex multi-platform hacking software CIA and the associated controlling software. The project provides customized implants for Windows, Solaris, MikroTik (used in Internet routers), as well as the technical base for Linux platforms, and listening Post (LP)/command and control (C2) for communication with these implants.

The implants are configured to communicate via HTTPS with the server of the protective domain; each operation with the use of these implants has separate protection domain and technical base can withstand any number of protective domains.

Each domain is IP address commercial provider VPS (virtual private server). Public server sends all traffic through the VPN to the server “Blot”, which controls real connection requests from clients. This is the procedure for additional SSL client authentication: if he sends a valid client certificate (and it can only do the implants), the communication is transmitted to toolserver “Honeycomb” that communicates with the implant; if a valid certificate is not available (this happens if somebody accidentally tries to open a website with a protection domain), the traffic is sent to the security server that sends on inconspicuous website.

The Honeycomb is withdrawn telserver receives information from the implant; the operator can also give the implant an assignment to perform work at a predetermined as the target computer, thus, telserver performs the server function C2 (command and control) to the implant.

Similar functionality (albeit a limited Windows) provides project RickBobby. Cm. secret instructions of the user and the developer for HIVE.


Frequently asked questions

Why now?

WikiLeaks has published information as soon as it was tested and analyzed.

In February, the administration trump has issued a presidential decree calling for the preparation of the report on “cyber warfare” in the 30-day period.

Despite the fact that the report is delayed and sharpens the importance of the publication, it did not affect the appointment date of the release.


Names, email addresses and external IP addresses have been changed in the published pages (entire 70875 changes) until the analysis is complete.

1. Other amendments: the wording has been some information not concerning employees, actors, targets and other ties with the Agency; for example, it concerned the authors of the documentation for other community projects engaged by the Agency.

2. Personality vs. man: fixed names replaced with a user ID (numbers), to give readers the ability to link large amounts of pages with one author. Given the applied procedure of correction, one person may be represented by more than one identifier, but the identifier cannot be mapped to more than one person.

3. Application archive (zip, tar.gz,…) replaced with a PDF, which lists all the file names in the archive. As soon as the content of the archive is verified, it can be available; until that time, the archive will be edited.

4. Application with other two-level content is replaced by the hexadecimal dump of the content to prevent accidental activation of the routes that could be infected by hacker software of the CIA. Once the content is verified, it may become available; until then the content will be edited.

5. Tens of thousands of links to routable addresses (including more than 22 thousand in the U.S.) that correspond to possible targets hidden servers wiretapping, CIA, mediation and test systems are edited for further exclusive investigation.

6. Duplex files of non-public origin is only available as dumps to prevent accidental activation infected by hacker software of the CIA files.

Organizational structure

Organizational structure correspond to the material which is now published by WikiLeaks.

Since the organizational structure of the CIA below the level of the directorates is not publicly available, the location of the EDG and its departments in the Agency is restored from the information contained in the documents that have been published to date. It can serve as a rough outline of the internal organization; please keep in mind that the reconstructed organizational structure are presented not completely, but internal reorganization occur frequently.


“Year Zero” contains 7818 web pages from the internal development group software. The software used for these purposes, is called Confluence and Atlassian. The web pages in this system (as in Wikipedia) a version history, which give an interesting opportunity to look at the evolution of the document over time; 7818 documents include the history of these pages 1136 latest versions.

The order named pages at each level is determined by date (first is the earliest). The content of the page is missing if it was originally dynamically created software Confluence (as stated on the reconstructed page).

What time period is covered?

From 2013 to 2016. The sort order of pages within each level is determined by date (first is the most remote).

WikiLeaks has received creation date/last update CIA each page, but for technical reasons this information is not displayed. Usually you can set the date or approximately identify of content and page order. If you extremely important to know the exact time/date to contact WikiLeaks.

What is “Vault 7”?

“Vault 7” is a large collection of material about CIA activities, obtained by WikiLeaks.


When was a given part of the “Vault 7”?

The first part was just received and for 2016. Details about the other parts will be available at the time of publication.

If each part of the “Vault 7” from a separate source?

Details about the other parts will be available at the time of publication.

What is the total amount of “Vault 7”?

This series is the most extensive publication about the spy Agency’s history.

How WikiLeaks got every part of “Vault 7”?

Sources prefer to WikiLeaks did not disclose information that may facilitate their identification.

Not worried whether WikiLeaks that the CIA would take action against his employees, to stop publishing this series?

No. It will be extremely counterproductive.

WikiLeaks has already collected all the best stories?

No. WikiLeaks deliberately inflated the value of hundreds of high-profile stories, encouraging other people finding them and asking, so the expert bar for the following publications in the series. Here they are. Take a look. Readers who demonstrate excellent journalistic skills, can get earlier access to future parts.

Don’t get ahead of me by other journalists in search of the best stories?

Unlikely. There are a lot more stories than journalists and academics, are able to write about them.