US authorities investigating the source of WikiLeaks' latest disclosures about CIA hacking tools and techniques have reportedly narrowed their focus to a small group of CIA contractors as the people most likely to have handed the classified material to the whistleblowing platform. A handful of contractors, some of whom may have been disgruntled over recent job losses, are reportedly suspected of being WikiLeaks' source.
According to unnamed sources familiar with the matter, several CIA contractors working at at least two locations in Virginia have been questioned, the Wall Street Journal reported. The investigation is reportedly "rapidly unfolding", although no arrests have yet been made.
Sources claim that a digital trail has led investigators to a team of software developers working with the CIA's Engineering Development Group (EDG), which, according to the documents recently published by WikiLeaks, is responsible for building exploits against smartphones, computers and smart TVs. The more than 8,000 pages of leaked documents reportedly appear to have originated from a server used by EDG that "only a few contractors would have access to".
It remains unclear which contractors, from among the dozens of companies that work with the CIA on cyber operations, have been questioned. There has recently been talk of "bad blood" within the small community of CIA contractors: according to one individual, a group of contractors who had worked with the agency overseas and were expecting new jobs stateside were instead allegedly terminated.
"There were definitely disgruntled people internally," this person said, adding that he believes these people may have been among those questioned by investigators.
According to a source familiar with the investigation, those who have been questioned by investigators so far have all held top-level security clearances and recently passed polygraph tests.
Brian Vecci, Technical Evangelist at Varonis, told IBTimes UK: "Disaffected insider. Contractors. Server outside the control of the CIA. While a lot of this is speculation, from the beginning this leak has all the hallmarks of an insider. A federal employee or contractor with access to this data decided to grab what he or she could and get it out into the world. This wasn't a random smash-and-grab but a targeted and organised capture of data that someone knew would be explosive if released.
"The problem isn't that users have access to data — they need to in order to do their jobs. The problem is an authorisation one; insiders with more access than they should because nobody is reviewing who should and shouldn't have access."
He continued: "Did this insider need access to all 8,761 files to do their job? Just because they technically could, doesn't mean they had a real need. Even if this insider was supposed to have access, how did they walk off with so much highly sensitive data without anyone noticing the flurry of activity?"
The CIA has yet to comment on the authenticity of the documents disclosed by WikiLeaks.
WikiLeaks has previously said that the documents published so far are "less than 1%" of the total release, indicating that further disclosures may be in the offing.
Vecci added: "If the trove of documents released so far is only a small fraction of what's coming, would it have been normal for this amount of data to be accessed and potentially moved or copied? That's a breakdown in accountability – just because someone has access, doesn't mean they're playing by the rules. Without consistent and usable activity monitoring, it's often impossible to know, and especially to catch those breaking the rules.
"If you think of data as money, then this notion of monitoring who has access to the data hits closer to home. It would be silly for a bank to only monitor their front door, yet leave the vault wide open with the cameras turned off, or possibly not even installed."
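The two controls Vecci describes above, an entitlement review (who holds access they never use) and activity monitoring (who suddenly reads far more than their baseline), are straightforward to implement against a file-server audit log. The following Python is an added example written for this page; it is not code from Varonis, the CIA or WikiLeaks. The log format (timestamp, user, share, path, action), the entitlement table and every log line are constructed for illustration, and the thresholds are arbitrary starting points rather than recommended values.

```python
"""Entitlement review and bulk-access detection over a constructed audit log.

Added example for this page; not vendor code. The log format, the grants
table and all sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit-log lines: "<ISO timestamp> <user> <share> <path> <action>".
# alice and bob do ordinary work on the 'projects' share; on 3 Feb, bob
# also reads 40 files in a single minute.
SAMPLE_LOG = """\
2017-02-01T09:12:00 alice projects /projects/toolA/notes.txt read
2017-02-01T10:05:00 alice projects /projects/toolA/spec.doc read
2017-02-02T09:30:00 alice projects /projects/toolA/notes.txt read
2017-02-03T11:00:00 alice projects /projects/toolB/readme.md read
2017-02-01T09:00:00 bob projects /projects/toolA/notes.txt read
2017-02-02T09:00:00 bob projects /projects/toolA/spec.doc read
2017-02-03T01:02:00 bob projects /projects/toolA/notes.txt read
2017-02-03T01:02:01 bob projects /projects/toolA/spec.doc read
""" + "".join(
    f"2017-02-03T01:{i:02d}:30 bob projects /projects/dump/file{i}.bin read\n"
    for i in range(40)
)

# Constructed entitlement table: which shares each account is granted.
# carol holds a grant she never exercises; bob holds 'archive' but never
# touches it. Both are candidates for removal under least privilege.
GRANTS = {
    "alice": {"projects"},
    "bob": {"projects", "archive"},
    "carol": {"projects"},
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, path, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "share": share, "path": path, "action": action,
        })
    return events


def unused_entitlements(grants, events):
    """Return (user, share) pairs that are granted but never used in the log.

    This is the 'did they need access?' question: grants with no observed
    activity are the first to review, before the holder turns into a story.
    """
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["share"])
    return sorted(
        (user, share)
        for user, shares in grants.items()
        for share in shares
        if share not in used[user]
    )


def daily_distinct_files(events):
    """Count distinct paths each user touched on each calendar day."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["path"])
    return {key: len(paths) for key, paths in per_day.items()}


def flag_bulk_access(events, factor=5, min_files=10):
    """Flag user-days whose distinct-file count far exceeds the user's baseline.

    Baseline is the median of the same user's other days; if the user has
    only one day of history, fall back to the median across everyone else.
    A day is flagged when it exceeds both an absolute floor (min_files) and
    factor x baseline, so a user with a normal volume of one or two files a
    day does not trip the check by reading three.
    """
    counts = daily_distinct_files(events)
    flagged = []
    for (user, day), n in counts.items():
        others = [c for (u, d), c in counts.items() if u == user and d != day]
        if not others:
            others = [c for (u, d), c in counts.items() if (u, d) != (user, day)]
        baseline = median(others) if others else 0
        if n > max(min_files, factor * baseline):
            flagged.append((user, day.isoformat(), n, baseline))
    return sorted(flagged)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("unused entitlements:", unused_entitlements(GRANTS, EVENTS))
    print("bulk access:", flag_bulk_access(EVENTS))
```

Run against the constructed log, the first check reports bob's unused 'archive' grant and carol's unused 'projects' grant, and the second flags bob on 3 February with 42 distinct files against a baseline of 1. A real deployment would key the baseline on a longer window and on the sensitivity of the share rather than a flat factor, but the shape of the two checks is the same: compare what is granted with what is used, and compare today's volume with the account's own history.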