He’s a pain in the ASCII to everybody. Now please acquit my sysadmin client over these CIA Vault 7 leaking charges

Trial of Joshua Schulte gets off to an unusual start amid claims of hidden backdoors, backups, and more

Typically, your lawyer is on your side. Which is why it was a little unusual that on the first day of the trial of ex-CIA sysadmin Joshua Schulte – accused of leaking classified information to WikiLeaks – that his attorney, Sabrina Shroff, went out of her way to explain what an asshole he is.

“When he worked for the CIA, he antagonized almost every single person there,” Shroff told jurors [PDF] in New York on Tuesday. “He antagonized his colleagues. He antagonized management. He was a difficult employee. He really was a difficult employee.”

A few minutes later she was back at it: “He was also a pain in the ass to everybody at the CIA, and by the middle of 2016, Mr Schulte became very dissatisfied with his job and his colleagues and his management at the CIA. He had disputes with his colleagues. He didn't like the disputes. He didn't like the colleague. He complained to management.”

What makes this character attack that much more peculiar is that it is the same line of argument pushed by the prosecution to explain why Schulte suddenly decided – after a lifetime working for the US intelligence services, including the NSA and later the CIA – to throw the agency under the bus and release gigabytes of highly classified hacking tools, dubbed Vault 7, to the world.

But before we get to his lawyer’s logic, Shroff put in one more kick: “Now, I've said this before and I'll say it again. Mr Schulte is a difficult man.”

Nothing about this case is normal. Joshua Schulte was a sysadmin at the CIA’s super-secretive hacking unit, and had superuser access to its innermost software secrets, which comprised more than 20 different tools and exploits to break into electronic systems.

He left the CIA following an internal dispute in which he accused a co-worker of plotting to kill him, and made a formal complaint. The complaint was investigated and management sided with the other employee.

Boom

Schulte quit in November 2016. And four months later, WikiLeaks started publishing, week-by-week, no fewer than 26 highly classified resources, with code-names like Weeping Angel, Scribbles, Archimedes, After Midnight, Assassin, Athena... it was a complete rundown of the spy agency's hacking tools that allowed its agents to install malware on pretty much every modern electronic device.

The CIA admits it had no idea that its security had been compromised until the files started appearing online, and the FBI’s CD-6 counter-intelligence unit immediately opened a probe to find out how the information got out. Within a week, Schulte’s home was repeatedly raided and electronic devices taken away, but it wasn’t until August, five months later, that he was arrested.

Notably he wasn’t collared for the leak of the hacking tools but for child sex abuse images the FBI claimed it had found on a server he ran. It wasn’t until May 2018, another nine months after that arrest, that it became clear the Feds had identified him as the prime suspect in the leak, and the next month he was charged with the theft of classified national defense information. He has been held at a federal facility ever since.

It’s important to know that it took more than a year after the leaks for Schulte to be arrested because his entire trial will hinge on whether the US government can persuade the jury “beyond a reasonable doubt” that he was the man who secretly copied and then uploaded the files to WikiLeaks. Schulte denies he had anything to do with the leak.

Messing with the wrong guy

The very thing that made Schulte so good at his job is what has made it so difficult to pin the crime on him, the government prosecutor argued at the opening of the trial. He is, after all, an expert on computer security and forensics.

According to the prosecution, Schulte swiped a copy of the hacking tools “on the evening of April 20, 2016,” after somehow restoring a system backup that reinstated his superuser access. He then, according to the prosecution, painstakingly went through log files and removed all signs of that activity: exactly the sort of clean-up you'd expect agents to do when hacking other systems to avoid detection.

This was the explanation given in court: “He used a backup copy to take the system back in time to before the CIA tried to lock down the system. Back to a time when Schulte had total administrative control.

“For over an hour, from the computer sitting at his desk at CIA, Schulte was in that system secretly restoring his super access, giving himself back all the control he had before it was taken away. Restoring his access to the backups that stored copies of the entire system.”

It goes on: “After stealing the backup, Schulte tried to cover his tracks. During that hour on April 20, when he took the system back in time, Schulte started carefully deleting every log file that kept track of what he had done while he was in the system. After destroying that evidence, he unwound the reversion. Schulte restored the system to how it had been just before he hacked in, erasing that hour of time as if it hadn't existed. Trying to cover his tracks, that proved how he stole our nation's secrets.”

Readers will note the reference to “before the CIA tried to lock down the system” – and this is where things get even murkier. Part of the reason the CIA suspects Schulte is because it says it caught him giving himself admin access to projects he wasn’t supposed to be on and censured him. “They told him they knew he had abused his access, and he admitted it,” the prosecutor told the court. He even signed a memo agreeing not to do it again. And then the CIA locked him out.

Proving the unprovable

So if he was locked out of the systems, how could he possibly not only get back in and reinstate his superuser privileges, but also download files and then escape unnoticed? The truth is that the CIA doesn’t know. And so it alleges that if it was Schulte who stole the information, he must have retained a backdoor into the system.

“On the evening of April 20, Schulte used that backdoor, access he knew he wasn't supposed to have, to do something called a reversion. Kind of like restoring a phone. The evidence will prove that Schulte sent that stolen classified backup, a copy of all the sensitive projects of the CIA's programming group, to WikiLeaks.”

How exactly is the prosecution going to prove that a man who had been locked out of a system somehow got back in and left no electronic fingerprints while doing so? According to the lead prosecutor, there were digital footprints, despite his best efforts to delete the logs.

“Even though Schulte tried to delete any trace of his theft of sensitive, classified information, his footprints were left behind. The FBI's experts found them in the recesses of the computer memory of Schulte's own desktop at the CIA, in spaces where bits of data stayed behind even when Schulte tried to erase them.”

Recesses of memory, huh? But wait, there’s more.

“You'll see the log files from Schulte's own computer showing him sending the commands to take their classified system back in time to get his access back, to delete evidence of what he had done, to undo his reversion to make it seem like it never happened.”

We are willing to bet that this log file is going to have to do a lot of heavy lifting. Considering Schulte’s day job, he most likely carries out such commands all the time on the CIA systems. They may well have a log file that shows that he rolled back the system to an earlier backup.
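The sequence the prosecution describes (revert the system to an older backup, regain admin rights, delete the logs, unwind the reversion) and the point that a rollback command on its own proves little are the kind of thing a detection engineer would want to see as concrete logic. The following Python is an added example written for this article, not code from the case, the CIA or the FBI; the log formats, command names, host and user names and the hourly heartbeat are all constructed assumptions. It correlates a workstation's own command log with a server's off-host heartbeat log, and rates a revert that is accompanied by a privilege change and log deletion, while the server's log goes quiet, differently from a routine revert by another admin.

```python
"""Correlate an admin workstation's command log with a server's off-host
heartbeat log to tell a routine snapshot reversion from one used to erase
evidence. All data and log formats below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample: shell commands recorded by the admin workstation's own
# auditing. Deleting logs on the reverted server does not reach this copy.
WORKSTATION_LOG = """\
2016-04-20T09:58:00 admin2 snapshot revert --vm vm-a --to nightly-0419
2016-04-20T10:21:00 admin2 snapshot revert --vm vm-a --to latest
2016-04-20T17:58:10 admin1 ssh esx-host
2016-04-20T18:02:31 admin1 snapshot revert --vm vm-a --to nightly-0416
2016-04-20T18:10:05 admin1 usermod -aG wheel admin1
2016-04-20T18:40:47 admin1 rm -f /var/log/audit/audit.log /var/log/secure
2016-04-20T19:05:12 admin1 snapshot revert --vm vm-a --to latest
"""

# Constructed sample: hourly heartbeats vm-a forwards to a central collector.
# The scenario assumes a reverted VM stops forwarding until it is unwound,
# so the 10:00 and 19:00 beats are missing.
SERVER_LOG = """\
2016-04-20T09:00:00 vm-a heartbeat
2016-04-20T11:00:00 vm-a heartbeat
2016-04-20T12:00:00 vm-a heartbeat
2016-04-20T13:00:00 vm-a heartbeat
2016-04-20T14:00:00 vm-a heartbeat
2016-04-20T15:00:00 vm-a heartbeat
2016-04-20T16:00:00 vm-a heartbeat
2016-04-20T17:00:00 vm-a heartbeat
2016-04-20T18:00:00 vm-a heartbeat
2016-04-20T20:00:00 vm-a heartbeat
"""

# Hypothetical command prefixes for this example: ones that destroy logs
# and ones that grant administrative rights.
LOG_DELETION = ("rm -f /var/log", "shred ", "truncate -s 0 /var/log")
PRIV_CHANGE = ("usermod -aG wheel", "usermod -aG sudo", "visudo")


def parse_log(text):
    """Turn 'ISO-timestamp actor message' lines into sorted (ts, actor, msg)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, actor, msg = line.split(" ", 2)
            events.append((datetime.fromisoformat(ts), actor, msg))
    return sorted(events)


def reversion_windows(events):
    """Pair a revert to an older snapshot with the same actor's later revert
    '--to latest' on the same VM (the unwind). Returns (start, end, actor, vm)."""
    pending, windows = {}, []
    for ts, actor, msg in events:
        if not msg.startswith("snapshot revert"):
            continue
        vm = msg.split("--vm ")[1].split()[0]
        if msg.endswith("--to latest"):
            start = pending.pop((actor, vm), None)
            if start is not None:
                windows.append((start, ts, actor, vm))
        else:
            pending[(actor, vm)] = ts
    return windows


def heartbeat_gaps(events, interval, tolerance=1.5):
    """Return (last_seen, next_seen) pairs where a host went quiet too long."""
    beats = [ts for ts, _, msg in events if msg == "heartbeat"]
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > interval * tolerance]


def assess(ws_log, srv_log, interval=timedelta(hours=1)):
    """One finding per reversion window: what else the actor did inside it and
    whether the server's off-host log is silent for the same period."""
    ws = parse_log(ws_log)
    gaps = heartbeat_gaps(parse_log(srv_log), interval)
    findings = []
    for start, end, actor, vm in reversion_windows(ws):
        inside = [msg for ts, a, msg in ws if a == actor and start <= ts <= end]
        deletions = [m for m in inside if m.startswith(LOG_DELETION)]
        priv = [m for m in inside if m.startswith(PRIV_CHANGE)]
        silent = any(g0 < end and start < g1 for g0, g1 in gaps)
        # A bare revert is routine admin work; the combination is the signal.
        severity = "high" if deletions else "medium" if priv else "info"
        findings.append({"vm": vm, "actor": actor, "start": start, "end": end,
                         "deletions": deletions, "privilege_changes": priv,
                         "server_silent": silent, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in assess(WORKSTATION_LOG, SERVER_LOG):
        print(f["severity"].upper(), f["actor"], f["vm"], f["start"], "->", f["end"],
              "deletions:", f["deletions"], "server silent:", f["server_silent"])
```

Run as-is, the admin2 window is reported as "info" (a revert with nothing else inside it) and the admin1 window as "high". The design point is the one the prosecution's own evidence turns on: a log kept somewhere the reverted system cannot reach survives a clean-up on that system, and it is the combination of revert, privilege change and log deletion inside one window, with the server silent for the same period, that separates tampering from the rollbacks a sysadmin runs all the time.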

But as the judge made plain at the start of the trial: “Mr Schulte does not bear any burden of proof. He does not have to prove to you that he's innocent. It is the government's burden to prove to you, beyond all reasonable doubt, that he is guilty.” A backup command ain’t gonna cut it.

Peculiarities

That’s why the case has taken so long to be prosecuted: the forensics aren’t enough on their own. It’s also why there are a number of other peculiarities in the trial.

Back in April, we reported on the intense frustration of Schulte’s lawyer Shroff, who complained to the court that everything her client sent her was being vetted through the CIA first. This meant that not only did the process take an unnecessarily long time but that she didn’t trust the intelligence officers vetting it to not share all that information with those prosecuting her client.

Shroff also complained that she couldn’t be sure that her client-attorney conversations weren’t being recorded. Which may seem paranoid, but it turns out she had good reason to be worried.

Because, as well as the child sex abuse images charge against Schulte, he is also charged with “one count of unlawful disclosure and attempted disclosure of national defense information while he was in the Metropolitan Correction Center, or MCC, a federal detention center.”

That’s right: the US government claims it has evidence that Schulte was sending highly confidential information from within his jail cell. How on Earth was that possible? Well, he got hold of a phone inside and, according to the prosecution, used it to communicate with a journalist.

His lawyer doesn’t deny it, in large part because the prosecution has video footage of Schulte in his cell using the phone. Yes, that’s right, if you piss off the CIA, you can be sure that they are watching your every move, 24/7.

Some of the evidence from that incident doesn’t look good. “I will look to break up diplomatic relationships,” Schulte apparently texted from his cell. “Top secret? Fuck your top secret!”

Convinced but not convicted

So here’s what we can safely assume: the CIA is convinced Schulte was responsible for the theft, in large part because of his internal disputes at the super-snoop agency. It has been desperately trying to find the necessary evidence to get him sent down for life.

But that doesn’t mean he’s guilty. The history of the intelligence services is littered with double-agents that weren’t discovered until years later, and probes into people that they convinced themselves were responsible for someone else’s crimes.

And that is why Schulte’s own lawyer tried to get ahead of the game in her opening statement, painting her client in what would normally be seen as an extremely damaging light: because she knows that is what the prosecution may rely on to sway the jury.


It looks likely that the prosecution doesn’t have a smoking gun but rather lots of small pieces of evidence that it has to draw a complex picture around. It’s going to help if it can make Schulte an unlikeable person in the jury’s minds.

Shroff’s defense is that even if he was a “pain in the ass” that “being a difficult employee does not make you a criminal. A difficult employee does not translate to being a traitor. A difficult employee does not translate to somebody who would sell out their country.”

She will argue there is no evidence that he ever communicated with WikiLeaks. And as for his behavior in the jail – which, incidentally, is the focus of another strange series of motions that implies Schulte’s previous federal lawyers gave him knowingly bad advice – she argued he “was desperate, desperate to prove that he was innocent. He wanted the world to know he wasn't this person, he was not the man who stole the information, he was not the man who released the information to WikiLeaks, he had nothing to do with that theft.”

As for the actual CIA IT system – known as the DEVLAN system – from where the hacking tools were stolen, the prosecution claims it was a digital Fort Knox: impenetrable to all but a very few special people. Schulte’s lawyer says the whole thing was left wide open to any one of thousands of CIA employees and contractors.

We’ll be intrigued to hear details around that as the trial progresses. It is expected to last several weeks. ®


Biting the hand that feeds IT © 1998–2020