Vault 7 — CIA Hacking Tools Exposed by WikiLeaks

Overview
On March 7, 2017, WikiLeaks published the first installment of what it called “Vault 7” — and the world learned that the CIA had been treating consumer electronics like an all-you-can-hack buffet.
Your iPhone? The CIA had tools to bypass its encryption. Your Android phone? Same. Your Samsung smart TV? The CIA could turn it into a microphone that recorded your living room conversations even when the TV appeared to be off. Your car’s computerized control system? The CIA was researching ways to remotely seize control of it. Your Windows laptop, your Linux server, your WhatsApp messages, your Signal chats — the CIA had tools designed to compromise all of them.
The 8,761 documents from the CIA’s Center for Cyber Intelligence represented the largest unauthorized disclosure of classified CIA material in the agency’s history — bigger than the Aldrich Ames case, bigger than the Edward Snowden leaks (which were from the NSA, not the CIA). They revealed that the CIA had built, in the words of Julian Assange, “its own NSA” — a massive cyber operations division with more than 5,000 registered users who had collectively produced more than a thousand hacking systems, trojans, viruses, and other malware.
The documents were real. The capabilities they described were real. And the implication — that the intelligence agency tasked with foreign espionage had developed tools that could be used against anyone’s phone, TV, or computer — was deeply unsettling.
What the Documents Revealed
The Cyber Arsenal
The CIA’s Center for Cyber Intelligence, housed in Langley, Virginia, had developed an astonishing array of hacking tools, each with a whimsical codename that belied its invasive capability:
Weeping Angel: Developed in cooperation with Britain’s MI5, this tool targeted Samsung F-Series smart TVs. Once installed, Weeping Angel put the TV into a “fake off” mode — the screen went dark, and the TV appeared to be powered down, but the microphone remained active, recording conversations and storing them until they could be transmitted to a CIA server. The name came from Doctor Who’s stone-angel monsters that move when you’re not looking at them.
Year Zero: The CIA’s collection of exploits and techniques for penetrating Apple’s iOS (iPhones and iPads) and Google’s Android. The documents showed the CIA had accumulated a library of zero-day exploits — previously unknown software vulnerabilities — that could be used to gain full access to mobile devices, bypassing the encryption that Apple and Google marketed as protecting user privacy.
Hive: A multi-platform malware system that allowed the CIA to control infected devices through a covert communications infrastructure. Hive used fake SSL certificates from real-looking domains to disguise its command-and-control traffic as normal web browsing.
Marble: A tool designed to obscure the origin of CIA malware by inserting false code snippets in foreign languages — Chinese, Russian, Korean, Arabic, Farsi. If a target discovered the malware and analyzed it, the foreign-language fragments could mislead investigators into attributing the attack to another country’s intelligence service.
Athena: A Windows-targeting implant developed in cooperation with a private cybersecurity company called Siege Technologies. It could intercept and modify Windows communications, exfiltrate data, and install additional malware.
Dark Matter: A collection of tools targeting Apple Mac computers and iPhones, including firmware-level implants that could survive operating system reinstallation — meaning you couldn’t remove the CIA’s surveillance by wiping and reinstalling your device.
The Vehicle Research
Among the most alarming revelations was the CIA’s interest in hacking vehicle computer systems. The Vault 7 documents referenced the CIA’s Embedded Development Branch investigating methods to penetrate the computer systems of modern cars and trucks.
The documents didn’t reveal a fully operational vehicle-hacking capability, but they showed the CIA was actively researching the possibility. Given that modern vehicles are controlled by dozens of networked computers managing everything from entertainment to braking, the implication — that the CIA could potentially cause a vehicle malfunction remotely — raised immediate questions about the 2013 death of journalist Michael Hastings, whose car accelerated into a tree at high speed in circumstances his family and friends found suspicious.
WikiLeaks explicitly drew this connection. Whether the CIA actually had the capability to hack Hastings’ car in 2013 remains unproven.
The Encryption Problem
Perhaps the most significant revelation was the CIA’s approach to encrypted messaging. Apps like Signal and WhatsApp use end-to-end encryption, meaning messages are encrypted on the sender’s device and decrypted only on the recipient’s device — in theory, no one in between (including the app developer) can read them.
The CIA’s solution was elegant and terrifying: don’t break the encryption. Hack the phone. If you control the operating system of the device running Signal, you can read messages before they’re encrypted or after they’re decrypted. End-to-end encryption protects messages in transit; it doesn’t protect messages on a compromised device.
This revelation didn’t mean encryption was useless — it meant that encryption was necessary but not sufficient. The CIA had found the weakest link in the security chain: the device itself.
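The trust boundary described above can be made concrete in code. The following is an added example, not material from the page or from any of the tools it describes: a toy authenticated stream cipher built from HMAC-SHA256 (a stand-in for a real messaging protocol, chosen so the script runs on the standard library alone) and three vantage points on one message: a passive network tap, the legitimate recipient, and a pre-encryption hook on the sender's own device. The `Device`, `observer` and `scenario` names, the keys and the message are all constructed for the illustration.

```python
"""Added example: end-to-end encryption protects a message in transit, not on a
compromised endpoint. The cipher here is a toy (HMAC-SHA256 keystream plus an
HMAC tag) standing in for a real protocol; it is NOT for production use.
Keys, messages and the 'observer' hook are constructed for illustration."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret):
    # Separate encryption and MAC keys from one session secret.
    enc = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC; deterministic for a given key + nonce.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(shared_secret, plaintext):
    enc, mac = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_secret, blob):
    enc, mac = derive_keys(shared_secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # tampered in transit
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class Device:
    """A phone running a messaging app. `observer` (hypothetical) models a hook
    that reads the message before the app encrypts it; None means a clean device."""

    def __init__(self, name, observer=None):
        self.name = name
        self.observer = observer

    def send(self, shared_secret, text):
        if self.observer is not None:
            self.observer.append(text)  # plaintext is available here regardless of the cipher
        return encrypt(shared_secret, text.encode())

    def receive(self, shared_secret, blob):
        return decrypt(shared_secret, blob).decode()


def _tamper_detected(secret, wire):
    # Flip one ciphertext bit; an authenticated cipher must reject the result.
    i = NONCE_LEN
    flipped = wire[:i] + bytes([wire[i] ^ 1]) + wire[i + 1:]
    try:
        decrypt(secret, flipped)
        return False
    except ValueError:
        return True


def scenario(compromised):
    """Return what each vantage point learns about one message."""
    secret = os.urandom(32)  # stands in for a key agreed between the two devices
    captured = []
    alice = Device("alice", observer=captured if compromised else None)
    bob = Device("bob")
    msg = "meet at 9"
    wire = alice.send(secret, msg)
    return {
        "network_sees_plaintext": msg.encode() in wire,  # passive tap sees ciphertext only
        "recipient_reads": bob.receive(secret, wire),
        "implant_captured": captured,
        "tampering_detected": _tamper_detected(secret, wire),
    }


if __name__ == "__main__":
    for c in (False, True):
        print("compromised device" if c else "clean device", scenario(c))
```

Running the script prints both scenarios: in each, the network tap never sees plaintext and in-transit tampering is caught, but on the compromised device the hook has the message before the cipher ever runs. That is the whole of the page's point about the weakest link being the device.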
UMBRAGE: The False Flag Library
The UMBRAGE group within the CIA maintained a library of hacking techniques stolen from malware produced by other nations — Russia, China, and others. The purpose was dual: to accelerate the CIA’s own tool development (why write code from scratch when you can steal it?), and to potentially disguise CIA operations as the work of other actors.
This capability fueled conspiracy theories about attribution. If the CIA could make its hacks look Russian, could the “Russian hacking” of the 2016 election actually have been a CIA operation? There is no evidence this happened, and the FBI’s attribution of the DNC hack to Russian intelligence was based on much more than code analysis. But the existence of UMBRAGE created a permanent cloud of doubt around cyber attribution.
The Source
Joshua Schulte
The Vault 7 leak was traced to Joshua Adam Schulte, a former CIA software engineer who had worked in the Center for Cyber Intelligence. Schulte had access to the tools because he helped build them.
Unlike those of Chelsea Manning or Edward Snowden, Schulte’s motivations appeared personal rather than ideological. He had been involved in workplace disputes with colleagues and management, including a physical altercation, and had been transferred to a different position before leaving the CIA in 2016.
Schulte was first arrested in August 2017 — initially on child pornography charges discovered during the investigation of the leak. He was later charged with theft of classified information and espionage. His first trial in 2020 ended in a hung jury on the most serious charges. A second trial in 2022 resulted in conviction on all counts.
In February 2024, Schulte was sentenced to 40 years in federal prison — one of the longest sentences ever imposed for an intelligence leak.
The Security Failure
The Vault 7 leak exposed catastrophic security failures at the CIA. The Center for Cyber Intelligence’s development network — where the agency’s most sensitive hacking tools were built and stored — had inadequate access controls, minimal logging of who accessed what, and no effective monitoring for unauthorized data transfers.
An internal CIA investigation, portions of which were later declassified, found that the CCI had prioritized building tools over protecting them. The development network was designed for collaboration among programmers, not for security against insiders. As a result, the CIA couldn’t initially even determine what had been taken or when.
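The monitoring the page says was missing is not exotic. The following is an added example, not taken from the page or from the CIA report: a small detector that reads constructed key=value access-log lines from a hypothetical development network and raises alerts for bulk read volume by one account inside a 24-hour window and for reads outside business hours. The log format, the account names, the paths and the thresholds are all invented for the illustration; a real deployment would tune them to its own baseline.

```python
"""Added example: basic access-log monitoring for a development network of the
kind the page describes. Log lines, accounts, paths and thresholds are
constructed for illustration, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: normal daytime activity plus one account pulling
# multi-gigabyte archives late at night.
SAMPLE_LOG = """\
2016-04-12T09:02:11Z user=alice host=dev01 op=read path=/proj/a/src.tar bytes=2097152
2016-04-12T09:40:54Z user=bob host=dev02 op=read path=/proj/b/build.log bytes=40960
2016-04-12T10:15:00Z user=alice host=dev01 op=write path=/proj/a/src.tar bytes=2101248
2016-04-12T23:05:30Z user=carol host=dev03 op=read path=/backup/all-projects.tar bytes=1073741824
2016-04-12T23:07:02Z user=carol host=dev03 op=read path=/backup/all-projects-2.tar bytes=1610612736
2016-04-13T08:30:00Z user=bob host=dev02 op=read path=/proj/b/src.tar bytes=5242880
"""

BULK_THRESHOLD = 1 * 1024 ** 3   # 1 GiB read by one account within 24 h (assumed threshold)
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC treated as normal (assumed)


def parse(log_text):
    """Parse key=value lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would also count unparseable lines
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": d["user"], "host": d["host"],
                       "op": d["op"], "path": d["path"], "bytes": int(d["bytes"])})
    return events


def detect(events):
    """Return (rule, user, detail) alerts in time order."""
    alerts = []
    windows = defaultdict(list)   # per-user reads within the trailing 24 h
    bulk_flagged = set()          # alert once per account per run
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["op"] != "read":
            continue
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_read", e["user"], e["path"]))
        window = windows[e["user"]]
        window.append(e)
        cutoff = e["ts"] - timedelta(hours=24)
        while window and window[0]["ts"] < cutoff:
            window.pop(0)
        total = sum(x["bytes"] for x in window)
        if total >= BULK_THRESHOLD and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            alerts.append(("bulk_read_24h", e["user"], total))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample log the detector raises three alerts, all for the same account: two off-hours reads and one bulk-volume alert the moment the trailing 24-hour total reaches the threshold. Logging alone does not stop an insider, but without records like these the page's observation that the agency "couldn’t initially even determine what had been taken or when" follows directly.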
CIA Response
Mike Pompeo’s Speech
CIA Director Mike Pompeo, in his first public address after the Vault 7 release (April 2017), called WikiLeaks “a non-state hostile intelligence service often abetted by state actors like Russia.” This was the first time a CIA director had publicly designated WikiLeaks as a hostile intelligence entity rather than a media organization.
Pompeo’s characterization marked a decisive shift in how the U.S. government framed WikiLeaks — from a press freedom challenge to a national security threat. The designation also laid the groundwork for the Espionage Act prosecution of Assange.
The Tech Industry Response
The Vault 7 revelations forced technology companies to confront an uncomfortable truth: the CIA was exploiting vulnerabilities in their products, and rather than disclosing those vulnerabilities so they could be patched (as the U.S. government’s Vulnerabilities Equities Process was supposed to ensure), the CIA was stockpiling them for offensive use.
Apple, Google, Samsung, and Microsoft all issued statements and patches after the Vault 7 release. The forced disclosure of CIA tools actually improved consumer security — by burning the exploits, WikiLeaks compelled the CIA to lose capabilities and compelled tech companies to fix flaws.
This created a paradox: the largest CIA leak in history may have made Americans’ personal devices more secure.
Timeline
| Date | Event |
|---|---|
| 2013-2016 | CIA’s Center for Cyber Intelligence develops hacking tools |
| 2016 | Joshua Schulte leaves the CIA after workplace disputes |
| Late 2016 | Schulte allegedly provides Vault 7 archive to WikiLeaks |
| March 7, 2017 | WikiLeaks publishes first Vault 7 installment (“Year Zero”) |
| March-Sept 2017 | WikiLeaks publishes additional Vault 7 installments |
| April 2017 | CIA Director Pompeo calls WikiLeaks “hostile intelligence service” |
| Aug 2017 | Schulte arrested on child pornography charges |
| June 2018 | Schulte indicted for Vault 7 leak |
| March 2020 | First Schulte trial ends in hung jury on espionage charges |
| July 2022 | Second trial: Schulte convicted on all counts |
| Feb 2024 | Schulte sentenced to 40 years in prison |
Sources & Further Reading
- WikiLeaks. “Vault 7: CIA Hacking Tools Revealed.” March 7, 2017.
- Shane, Scott, Matthew Rosenberg, and Andrew W. Lehren. “WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents.” New York Times, March 7, 2017.
- Pompeo, Mike. “Director Pompeo Delivers Remarks at CSIS.” April 13, 2017.
- United States v. Schulte, S.D.N.Y., Case No. 17-cr-548 (2022).
- CIA Inspector General. “WikiLeaks Task Force Final Report” (partially declassified), 2017.
Related Theories
- WikiLeaks — The organization behind the release
- NSA Mass Surveillance — The parallel surveillance capabilities exposed by Snowden
- Internet Privacy Conspiracy — Broader concerns about digital surveillance
- Michael Hastings Assassination — The journalist whose death raised vehicle-hacking questions