US Government Plans to Indict Alleged CIA Leaker
'Vault 7' Leak Suspect Already Detained on Child Pornography Charges
A former CIA software engineer who is facing child pornography charges has been identified as a possible suspect in the largest-ever leak of classified information from the spy agency.
Joshua A. Schulte, 29, of New York was arrested about a week after WikiLeaks began releasing portions of the CIA information, which it dubbed Vault 7, on March 7, 2017.
The collection of 8,000 documents contained detailed information about network intrusion tools used by the CIA to gain intelligence (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).
The breach marked one of the worst national security leaks since former National Security Agency contractor Edward Snowden provided batches of sensitive documents from the agency to the news media in 2013.
The New York Times reported on Tuesday that Schulte is a suspect in the leak, according to public court documents. Prosecutors, the Times also reports, plan to file a new indictment against Schulte that pertains to the leak within 45 days.
FBI Seizes Equipment
Schulte, according to his LinkedIn profile, worked as a systems engineer specializing in high-speed passive signals intelligence for the NSA in 2010. Later that year, he joined the CIA as a software engineer supporting clandestine operations, staying there through 2016.
The FBI executed a search warrant at Schulte's New York residence on March 13, 2017, seizing computers and servers containing at least 10 terabytes of data, some of which was encrypted.
But prosecutors have not yet charged Schulte with leaking any national security information. Court documents show that his lawyers have requested updates on the potential national security angle to his case.
Instead, Schulte was charged last August with three counts of receipt, possession and transportation of child pornography. According to an FBI affidavit, investigators obtained passwords from Schulte's phone and decrypted a 54 GB file stored on a virtual machine that allegedly contained 10,000 offensive images and videos.
In court documents, Schulte's attorney argued that numerous other people had access to the server and passwords for accessing it. The server was set up by Schulte in 2009 with an encrypted VeraCrypt volume, allegedly to host gaming and other applications.
But the FBI cited IRC chats between Schulte and others in which he allegedly indicated that he knew about the types of illegal material that were being stored on his server.
Schulte was released on bail last September, contingent on his not using a computer. In December 2017, however, he was again detained after allegedly violating his bail conditions.
At a Jan. 8 hearing, Schulte's attorneys argued that they did not contest his detention, based on their understanding that Schulte would be sent to Virginia, pursuant to a warrant.
"None of that happened," said Jacob Kaplan, one of Schulte's attorneys, according to a court transcript. "Virginia never came to get him. Virginia just didn't do anything in this case."
Schulte Violates His Bail Conditions
It's unclear why Schulte has yet to be charged in relation to his alleged involvement in the leaked Vault 7 material. Within 45 days, however, prosecutors plan to file a new indictment, the Times reports. Early court documents filed in Schulte's case referred to documents found on his computer that may have included classified information.
But at Schulte's January detention hearing, Kaplan signaled his and his client's frustration with the investigation. "In April or May of 2017, the government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn't find was any connection to the WikiLeaks investigation," Kaplan said.
At the same hearing, prosecutors argued that Schulte should be returned to custody because federal monitoring showed his Gmail account had been accessed. Kaplan argued that Schulte's roommate was actually accessing the account, but the government argued that such access was still forbidden under the bail conditions. Schulte had been living with his cousin in New York.
Assistant U.S. Attorney Matthew J. Laroche contended that either Schulte or his cousin was also using Tor, the anonymizing browser that offers more privacy when browsing the internet, conducting online chats or transferring data.
Part of the Vault 7 investigation includes "analyzing whether and to what extent Tor was used in transmitting classified information," Laroche said. "So the fact that the defendant is now, while on pretrial release, using Tor from his apartment, when he was explicitly told not to use the internet, is extremely troubling and suggests that he did willfully violate his bail conditions."
Tor, which is short for The Onion Router, routes data through a network of random proxies around the world, making the origin of data traffic difficult to trace. Many media companies have set up systems that use Tor to enable people to more safely send tips or share information without being traced.
Schulte's January court hearing also revealed that he may face felony state charges in Loudoun County, Virginia, for sexual assault. Photos of the assault - some of which included Schulte's hands - were allegedly found on Schulte's phone, Laroche said at the hearing.
A Wednesday online search of Loudoun County Circuit Court records did not turn up any active case naming Schulte, at least not yet.