Anatomy of a Breach: Vault 7 — WikiLeaks Publishes the CIA's Cyber Arsenal

> series: anatomy_of_a_breach —— part: 099 —— source: cia_center_for_cyber_intelligence —— documents: 8,761 —— tools: ios_android_windows_smart_tvs

Hedgehog Security 31 March 2017 13 min read

The CIA's entire hacking capacity. Published on WikiLeaks.

On 7 March 2017, WikiLeaks began publishing 'Vault 7' — 8,761 documents and files from the CIA's Center for Cyber Intelligence (CCI), representing what WikiLeaks called the largest ever publication of confidential CIA documents. The materials described the agency's tools and techniques for hacking iPhones, Android devices, Windows and macOS computers, Linux systems, Samsung smart TVs (which could be turned into covert listening devices even when apparently turned off), and vehicle computer systems.

Vault 7 came just seven months after the Shadow Brokers first published stolen NSA tools, confirming that two of the US government's principal intelligence agencies (the NSA for signals intelligence, the CIA for human intelligence and covert operations) had lost control of their offensive cyber capabilities. The source was later identified as Joshua Schulte, a former CIA programmer who was convicted and, in 2024, sentenced to 40 years in prison. The leak raised the same proliferation concerns as the Shadow Brokers, with one difference worth noting: WikiLeaks said it had withheld the working exploit code from the initial 'Year Zero' tranche and published documentation instead. Even so, detailed descriptions of tooling, targets and tradecraft lower the bar for every criminal and hostile actor worldwide, and source code for some of the tools followed in later releases.


Every device. Every operating system. Even your smart TV.

Mobile Device Exploitation
The CIA maintained exploit libraries for both iOS and Android, enabling remote compromise of smartphones used by intelligence targets worldwide. Apple and Google both stated that many of the listed vulnerabilities had already been patched in current releases, and any remaining ones would be fixed once disclosed; the lasting value of the material is in the techniques and approaches it documents, which informed both defensive security and criminal attack development. The practical lesson for an estate is that patch currency on mobile devices is the control that actually closes these exploits. <a href="/penetration-testing/mobile-application">Our mobile application testing</a> assesses mobile security against current threat techniques.
Smart TV Surveillance ('Weeping Angel')
Project 'Weeping Angel', developed according to the documents with the UK's MI5/BTSS, could put Samsung smart TVs into a 'Fake-Off' mode: the set appeared to be turned off while secretly recording conversations through the built-in microphone for later retrieval. The documents describe installation from a USB stick, so physical access to the TV was required; this is a planted implant, not a remote attack. It demonstrated that IoT devices in sensitive environments such as boardrooms are potential surveillance tools, and that a device which is 'off' still has to store and eventually move what it captured. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes IoT device security assessment.
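One check that follows from the Fake-Off description is behavioural: a TV that the building schedule says is powered down should not be sending traffic, and a recording implant has to exfiltrate eventually. The script below is an added example written for this article, not code from the Vault 7 documents or from any Hedgehog Security product. It assumes you can export per-device outbound flow records (timestamp, source, destination, bytes) from the IoT VLAN and that you keep an inventory with each device's expected idle window and the destinations it legitimately talks to; the device names, addresses, windows and flow lines are all constructed for the example.

```python
"""Flag inventoried IoT devices that talk on the network while they should be off.

A device in a 'fake-off' state still has to exfiltrate what it records, so
outbound traffic during the hours a TV is supposed to be idle, or to a
destination outside its allowlist, is a cheap and high-signal indicator.
Everything below (devices, schedules, addresses, flow records) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class IoTDevice:
    name: str
    ip: str
    off_from: time          # start of the window in which the device should be idle
    off_until: time         # end of that window; may wrap past midnight
    allowed_dst: frozenset  # destinations it legitimately contacts (e.g. vendor update host)


def in_off_window(t: time, dev: IoTDevice) -> bool:
    """True if clock time t falls inside the device's expected-off window.

    Handles windows that wrap past midnight (e.g. 19:00 -> 07:00)."""
    if dev.off_from <= dev.off_until:
        return dev.off_from <= t < dev.off_until
    return t >= dev.off_from or t < dev.off_until


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'ISO8601 src_ip dst_ip bytes_out'."""
    ts, src, dst, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "bytes": int(nbytes)}


def find_fake_off_talkers(flow_lines, devices, min_bytes=10_000):
    """Return {device_name: {"off_window_bytes": int, "unexpected_dsts": [..]}}
    for inventoried devices that sent at least min_bytes during their off
    window, or that contacted any destination outside their allowlist.
    Flows from sources not in the inventory are ignored."""
    by_ip = {d.ip: d for d in devices}
    stats = defaultdict(lambda: {"off_window_bytes": 0, "unexpected_dsts": set()})
    for line in flow_lines:
        f = parse_flow(line)
        dev = by_ip.get(f["src"])
        if dev is None:
            continue
        s = stats[dev.name]
        if in_off_window(f["ts"].time(), dev):
            s["off_window_bytes"] += f["bytes"]
        if f["dst"] not in dev.allowed_dst:
            s["unexpected_dsts"].add(f["dst"])
    findings = {}
    for name, s in stats.items():
        if s["off_window_bytes"] >= min_bytes or s["unexpected_dsts"]:
            findings[name] = {
                "off_window_bytes": s["off_window_bytes"],
                "unexpected_dsts": sorted(s["unexpected_dsts"]),
            }
    return findings


# Constructed inventory: a boardroom TV idle 19:00-07:00, a lobby TV idle 22:00-06:00.
# 203.0.113.10 stands in for the vendor's firmware-update host (documentation range).
DEVICES = [
    IoTDevice("boardroom-tv", "10.50.1.20", time(19, 0), time(7, 0), frozenset({"203.0.113.10"})),
    IoTDevice("lobby-tv", "10.50.1.21", time(22, 0), time(6, 0), frozenset({"203.0.113.10"})),
]

# Constructed flow records (ISO time, src, dst, bytes out).
SAMPLE_FLOWS = [
    "2017-03-08T10:15:00 10.50.1.20 203.0.113.10 4200",   # daytime update check: fine
    "2017-03-08T23:40:00 10.50.1.20 198.51.100.7 88120",  # overnight, unknown destination
    "2017-03-09T02:05:00 10.50.1.20 198.51.100.7 91500",  # overnight, unknown destination
    "2017-03-08T23:55:00 10.50.1.21 203.0.113.10 1200",   # small overnight keepalive: below threshold
    "2017-03-08T12:00:00 10.50.1.99 198.51.100.7 50000",  # not in inventory: ignored
]

if __name__ == "__main__":
    for name, detail in find_fake_off_talkers(SAMPLE_FLOWS, DEVICES).items():
        print(f"{name}: {detail['off_window_bytes']} bytes while 'off', "
              f"unexpected destinations {detail['unexpected_dsts']}")
```

On the constructed data only the boardroom TV is flagged: it moved roughly 180 KB overnight to a host that is not its vendor, while the lobby TV's small keepalive to the update host stays under the threshold. The byte threshold is a tuning knob, not a magic number; set it from a baseline of what your sets actually do when idle, and treat an unexpected destination as a finding regardless of volume.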
Vehicle Systems Research
Vault 7 documented CIA interest in exploiting vehicle computer systems, raising the spectre of remotely compromised vehicles. The relevant material is branch meeting notes listing vehicle systems as a potential mission area rather than a working implant, so this indicated research intent rather than a deployed capability; the implication for automotive cybersecurity was nonetheless significant.
Second Major Agency Leak
After the <a href="/blog/anatomy-of-a-breach-shadow-brokers">Shadow Brokers</a> (NSA) and now Vault 7 (CIA), both agencies had lost control of their cyber tooling. For UK organisations the message was clear: nation-state exploitation techniques, and in some cases the tools themselves, are now effectively public. <a href="/cyber-essentials">Cyber Essentials</a> provides baseline defence, and <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation attempts using known techniques.

Nation-state tools are public. Defend accordingly.

Vault 7, combined with the Shadow Brokers leak, established that nation-state cyber capabilities are now effectively public knowledge. The techniques, the target selection, and in some cases the actual tools used by the world's most capable intelligence agencies are available to every attacker. For UK organisations, this means the threat model must assume that adversaries have access to sophisticated exploitation techniques, and that defence requires not just baseline controls but tested, monitored, continuously validated security.

Red team engagements simulate advanced adversary techniques. Cyber Essentials establishes baseline controls. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence's threat intelligence tracks the evolution of publicly available nation-state tools into criminal toolkits.


The CIA's and NSA's tools are public. Your threat model must assume sophisticated adversaries.

<a href="/penetration-testing/red-team">Red team testing</a> simulates advanced techniques. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects exploitation.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
