The U.S. government has identified a suspect in the leak last year of a large portion of the CIA’s computer hacking arsenal, the cyber-tools the agency had used to conduct espionage operations overseas, according to interviews and public documents.
Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, is believed to have provided the agency’s top-secret information to WikiLeaks, federal prosecutors acknowledged in a hearing in January. The anti-secrecy group published the code under the label “Vault 7” in March 2017.
It was one of the most significant leaks in the CIA’s history, exposing secret cyberweapons and spying techniques that might be used against the United States, according to current and former intelligence officials. Some argued that the Vault 7 disclosures could cause more damage to American intelligence efforts than those by former National Security Agency contractor Edward Snowden. Snowden revealed extraordinary details about the capabilities of the United States to spy on computers and phones around the world, but the Vault 7 leaks showed how such spying is actually done, the current and former officials argued.
Schulte’s connection to the leak investigation has not been previously reported.
Federal authorities searched Schulte’s apartment in New York last year and obtained personal computer equipment, notebooks and handwritten notes, according to a copy of the search warrant reviewed by The Washington Post. But that failed to provide the evidence that prosecutors needed to indict Schulte for illegally giving the information to WikiLeaks.
A government prosecutor disagreed with what he called the “characterization” by Schulte’s attorney that “those search warrants haven’t yielded anything that is consistent with [Schulte’s] involvement in that disclosure.” But the prosecutor, Matthew Laroche, an assistant U.S. attorney in the Southern District of New York, said that the government has not brought an indictment, that the investigation “is ongoing” and that Schulte “remains a target of that investigation,” according to a court transcript of the Jan. 8 hearing that escaped public notice at the time.
Part of that investigation, Laroche said, was analyzing whether a technology known as Tor, which allows Internet users to hide their location, “was used in transmitting classified information.”
In other hearings in Schulte’s case, prosecutors have alleged that he used Tor at his New York apartment, but they have provided no evidence that he did so to disclose classified information. Schulte’s attorneys have said that Tor is used for all kinds of communications and have maintained that he played no role in the Vault 7 leaks.
Schulte is in a Manhattan jail on charges of possessing, receiving and transporting child pornography, according to an indictment filed in September. He has pleaded not guilty.
A former federal prosecutor who is not connected to the case said that it is not unusual to hold a suspect in one crime on unrelated charges and that the months Schulte has spent in jail do not necessarily mean the government’s case has hit a wall. The former prosecutor, who spoke on the condition of anonymity to discuss an open investigation, also said that if government lawyers acknowledged in a public hearing that Schulte was a target, they probably suspect he acted alone.
In documents, prosecutors allege that they found a large cache of child pornography on a server that was maintained by Schulte. But he has argued that anywhere from 50 to 100 people had access to that server, which Schulte, now 29, designed several years ago to share movies and other digital files.
Schulte worked in the CIA’s Engineering Development Group, which produced the computer code, according to people with knowledge of his employment history as well as the group’s role in developing cyberweapons.
At the time of the leak, people who had worked with that group said that suspicion had mainly focused on contractors, not full-time CIA employees such as Schulte. It is not clear whether the government is pursuing contractors as part of the leak investigation, but prosecutors have not mentioned anyone other than Schulte in court proceedings.
Schulte, who also worked for the NSA before joining the CIA, left the intelligence community in 2016 and took a job in the private sector, according to a lengthy statement he wrote that was reviewed by The Post.
The CIA declined to comment.
Schulte said in the statement that he joined the intelligence community to fulfill what he saw as a patriotic duty to respond to the attacks of Sept. 11, 2001.
Schulte also claimed that he reported “incompetent management and bureaucracy” at the CIA to that agency’s inspector general as well as a congressional oversight committee. That painted him as a disgruntled employee, he said, and when he left the CIA in 2016, suspicion fell upon him as “the only one to have recently departed [the CIA engineering group] on poor terms,” Schulte wrote.
Schulte said he had also been planning a vacation with his brother to Cancun, Mexico, which may have given the appearance that he was trying to flee the country.
“Due to these unfortunate coincidences the FBI ultimately made the snap judgment that I was guilty of the leaks and targeted me,” Schulte said.
Schulte, who has launched a Web page to raise money for his defense and post articles critical of the criminal-justice system, claims that he initially provided assistance to the FBI’s investigation. Following the search of his apartment in March 2017, prosecutors waited six months to bring the child pornography charges.
Ellen Nakashima contributed to this report.
Clarification: An earlier version of this report quoted Laroche as saying that “those search warrants haven’t yielded anything that is consistent with [Schulte’s] involvement in that disclosure.” Laroche was actually describing a “characterization” by Schulte’s attorneys and expressing disagreement.