When CIA files began spilling online, the FBI rushed to nail its prime suspect for the leaks—while trying to remain ‘covert for as long as possible.’
On a Monday afternoon in March 2017, a team of FBI agents and a computer forensics specialist covertly entered the Manhattan apartment of former CIA coder Josh Schulte.
Six days earlier, WikiLeaks began dumping a trove of 8,000 CIA files on the Internet under the rubric “Vault 7,” and the FBI had begun a feverish hunt for the leaker. Schulte was the prime suspect from the start, but the FBI didn’t want him to know that. A federal judge approved a warrant letting them gain access to his apartment, make secret copies of his hard drives and slip away without a trace.
Such so-called “sneak-and-peek” warrants are rare, but FBI counterintelligence agent Jeff Donaldson argued it was vital the investigation remain “covert for as long as possible.” WikiLeaks implied it was holding the identities of CIA operatives—the most sensitive of agency secrets—as well as actual working code for the agency’s hacking tools, Donaldson wrote in the search warrant affidavit. If anyone knew the FBI was investigating Schulte, it could “cause additional information to be hastily released.”
The secret mission quickly went bust. The agents weren’t prepared for the sheer volume of computer storage waiting for them in Schulte’s one-bedroom apartment, including a desktop computer, five external hard drives, an assortment of thumb drives, DVDs, floppy disks, cell phones, gaming systems, tablets, and e-readers, as well as a digital camera, an MP3 player and a datacenter-style server rack with at least one server installed. The team weighed their options and decided against hanging around inside Schulte’s apartment long enough to copy 12 terabytes of data.
The next day, on March 14, 2017, the FBI abandoned all subterfuge and returned with a new warrant authorizing them to cart away all Schulte’s electronics. More warrants followed. One let the FBI plumb Schulte’s Google search history going back over a decade—not just search queries, but also the full URL for every search result he clicked on.
Another warrant targeted his GitHub repositories, and one targeted an anonymous Reddit user whom the bureau believed was Schulte based on a post about Vault 7. In all, nine search warrants were sought and granted in about two months.
Those warrants produced evidence that the government wants to use at Schulte’s upcoming trial for espionage, hacking, lying to the FBI and possession of child pornography.
On Wednesday, Schulte’s lawyers moved to throw out all that evidence on the grounds that the bureau obtained the warrants deceptively, “submitting sworn warrant applications that were knowingly or recklessly false and misleading in material respects, or that failed to establish probable cause altogether.”
Schulte worked at the CIA from 2010 to 2016 in the agency’s Operational Support Branch, creating some of the hacking tools used by the CIA’s intrusion teams when conducting foreign surveillance. One tool he worked on directly was called “Brutal Kangaroo.” It was designed, according to the WikiLeaks dump, to exfiltrate data from an air-gapped computer by hiding it on a USB drive.
The government hasn’t yet filed a response to the new motion. But in a letter to the defense, prosecutors acknowledged that some information in the FBI’s probable cause affidavits was inaccurate, even as they denied any deliberate deception by the bureau.
One discrepancy involves the supposedly narrow window in which the leaked files could have been stolen from the CIA.
The FBI claimed that the Vault 7 files were most likely stolen on March 7 or March 8, 2016, based on the timestamps of the most recent files in the WikiLeaks release. On those days, the FBI noted, most of Schulte’s co-workers were at a CIA offsite, leaving Schulte alone to make copies of the files unobserved.
Prosecutors have since admitted that the most recent timestamp in the Vault 7 files was actually March 2, not March 7. In any event, the timestamps proved to be a poor way to determine the date of the theft. The government now believes the files were stolen on April 20, 2016, more than a month after the offsite that supposedly provided Schulte with his opportunity.
The bureau also undercounted the number of employees with access to the files at CIA, and claimed that Schulte’s CIA account name was the only one purged from the Vault 7 release, while his colleagues’ names were left in. That was true when the FBI wrote it, but WikiLeaks exposed Schulte’s account name in a subsequent tranche of Vault 7 secrets.