A cohort of technology firms that were named in leaked CIA documents published by WikiLeaks more than two weeks ago are still waiting to receive important information from the transparency organization concerning software vulnerabilities that were targeted by the spy agency.
WikiLeaks co-founder Julian Assange said earlier this month that the controversial organization would work with affected technology companies by privately providing them with executable code and other technical details that had been purposely redacted from the document dump. The idea is that affected companies will access some of this hidden material from WikiLeaks to effectively “develop fixes.” More than 15 different technology companies are mentioned in the CIA document dump.
Spokespeople for G DATA, Comodo, BitDefender, TrendMicro, Avira and Avast all said that WikiLeaks had yet to contact their companies.
Avira, Comodo and BitDefender’s products are discussed in the leaked CIA documents under a section labelled “AV defeated,” which contains information about how to bypass different anti-virus protections used by a target.
Though Wikileaks reportedly reached out to some of the more high-profile brands mentioned in the leaks, including Microsoft, Google, and Apple, according to Motherboard, CyberScoop has found that a significant number of lesser-known companies have yet to be contacted.
“Our company hasn’t received any letter from Wikileaks,” said Thorsten Urbanski, head of corporate communications and government affairs at G DATA, a German software company.
“Our research department sent weeks ago more than one time an e-mail to WikiLeaks but without any response. As one of the vendors which are mentioned on the website, we are of course interesting about the document,” Urbanski said, “I think it would be necessary to share this information with the mentioned vendors. But WikiLeaks didn’t share it with our company.”
A technical assessment of G DATA’s internet security product line is briefly mentioned in the CIA documents but a related explanation appears entirely redacted.
Like G DATA, anti-virus software maker Bitdefender says it would be willing to work with WikiLeaks but have had no luck reaching Assange’s organization.
“We have not been contacted by WikiLeaks. At this point in time, we are still open to collaborate with them and any other organization or researcher that can help us improve our products. We proactively reached out to WikiLeaks in order to indicate methods to safely connect with us if there is relevant information regarding Bitdefender,” company spokesman Marius Buterchi wrote in an email to CyberScoop.
Vice’s MotherBoard reported last week that Assange sent emails to “Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.”
Microsoft’s initial contact with WikiLeaks was independently confirmed by CyberScoop but Apple, Google and Samsung did not respond to multiple requests for comment.
In a statement published on March 17, WikiLeaks stated: “Google and other companies have yet to respond other than to confirm receipt of our initial approach. They have not agreed, disagreed or questioned our industry standard responsible disclosure plan. Most of these lagging companies have conflicts of interest due to their classified work or U.S. government agencies. In practice such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA.”
WikiLeaks, according to Motherboard, sent a document in these emails requesting that companies agree to a series of conditions before receiving any material additional material, beyond what is publicly available.
Some of the technology firms named in the leaked CIA library say that they already patched many of the apparent vulnerabilities exposed in the CIA documents. An Intel spokesperson, for example, told CyberScoop, “the issue in question was fixed some time ago. There was no need for communication.”
Symantec previously declined to answer questions regarding potential contact with Wikileaks, but sent CyberScoop the following statement:
“Based on the information contained in the Vault 7 release, to date we see no evidence of the ability to bypass or exploit vulnerabilities in Symantec products and services. In addition, we are carefully reviewing the documents and data released to identify areas where Symantec’s solutions that span the endpoint, data protection, cloud and network may be able to protect our customers and help mitigate the variety of risks included in the WikiLeaks release.”
The CIA has yet to comment on the authenticity of the purported intelligence documents but said in a rare statement, “Julian Assange is not exactly a bastion of truth and integrity … the CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
WikiLeaks claims that the stolen files came from a disgruntled defense contractor.
Information revealed by the whistleblowing website suggests that the spy agency is capable of breaking into older versions of several prominent software products, including a series of Apple iPhone operating systems and popular commercial firewalls. A former U.S. intelligence officer previously told CyberScoop that some of the code names and descriptions in the data dump for the CIA’s hacking tools appear authentic.