WikiLeaks' practice of delivering raw, unfiltered information to its readers appears to have backfired after a researcher discovered that its collection of leaked Turkish government emails contained 323 active links to malware files hosted on the controversial site. Further analysis of spam and duplicate emails found an additional 3,277 malicious links.
The affected database contains hundreds of thousands of emails lifted from a server used by the AKP, Turkey's ruling Justice and Development Party. WikiLeaks obtained them a week before Turkey's failed July 15 coup and released them in batches on July 19 and Aug. 5.
The malware's discovery is credited to Dr. Vesselin Bontchev, assistant professor at the National Laboratory of Computer Virology, part of the Bulgarian Academy of Sciences. Bontchev posted on GitHub an itemized list of malicious emails, as well as WikiLeaks URLs where the malicious attachments were hosted.
In an email interview with SCMagazine.com, Bontchev confirmed that WikiLeaks has since neutralized the original 323 links by pointing them to harmless text files. However, his list of malicious emails was far from comprehensive and there are likely more booby-trapped electronic files hosted on WikiLeaks that haven't been analyzed yet. Also, when Bontchev stated on Twitter that WikiLeaks should also fix the 3,277 new links he found, WikiLeaks tweeted back, "We do not contaminate evidence."
Many of the dubious emails read like prototypical spam, with subject lines and content that fraudulently reference invoices and account statements. Readers who clicked on these emails' links and opened their attachments could have infected themselves with malware programs including droppers, downloaders and ransomware. According to Bontchev, a “large percentage” of the malware he found was ransomware, including variants of CTB-Locker and Locky.
Bontchev told SCMagazine.com that he decided to scrutinize the cache of AKP emails after WikiLeaks fell under criticism for exposing the personal information of many ordinary citizens. “While this is bad all by itself, my field of expertise is malware, and this influences my way of thinking,” said Bontchev. “So I immediately thought, hey, if that's just a raw e-mail dump of a normal e-mail server, it's probably full of spam and malware too.”
To narrow down the investigation, Bontchev performed a WikiLeaks search for emails containing attachments with suspicious formats, including .exe, .docm and .xlsm. Bontchev then used Python scripts to further parse and inspect questionable files.
Interestingly, Bontchev also searched WikiLeaks' database of leaked Democratic National Committee documents, but “I did not find even a single obviously dangerous attachment there,” he said. “It does seem that the DNC e-mail admin was doing a much better job than the AKP admins.”
WikiLeaks' journalistic reputation has already taken some lumps recently, with critics admonishing the website for its role in leaking electronics documents stolen from the DNC and Hillary Clinton, as well as indiscriminately publishing the personal information of female Turkish voters when posting the AKP documents. Now, this latest controversy raises certain ethical questions around the consequences of exposing documents en masse without first vetting or curating them.
“Wikileaks does not appear to operate within any particular principles with regard to information dumps. The ad hoc nature of their leaks means that they are often acting irresponsibly and amorally, within an ethic that simply declares that secrets are, by definition, suspicious. Thus, WikiLeaks would likely take the position that the second question is not their problem,” said Dave Levine, an associate professor of law at the Elon University School of Law and an affiliate scholar at the Center of Internet and Society at Stanford Law School, in an email interview with SCMagazine.com.
“A simple dumping of the data cache is irresponsible and dangerous. Putting politics and ethics aside for a moment, the group at least should have examined the trove for malware and removed it from their public archive as a matter of good cybersecurity practice,” stated Richard Forno, assistant director of University of Maryland, Baltimore County's Center for Cybersecurity, in a separate email interview with SCMagazine.com.
“I think the malware distribution is the latest in a series of questionable [and] controversial practices that have come up with WikiLeaks recently," Forno continued. "I think their reputation as a source of primary materials has taken somewhat of a hit. But will the group change its practices, or will readers/journalists suddenly stop downloading what they put out? No. The group seems to do what it does on its own terms, and the potential for juicy sensitive, proprietary, secret tidbits is simply too enticing for journalists and the public to ignore.”
Bontchev said he has “great respect” for WikiLeaks' founding principles, but “making malware publicly available, exposing personal data, endangering people – this is a big no-no. A good investigative journalist finds the facts, verifies them, synthesizes the story and presents it with proof to the reader. A good investigative journalist does not dump a load of raw and dangerous material on the readers. Sadly, it seems that Wikileaks' concept of ‘journalism' is finding an interesting document in a trash can and dumping the entire contents of the trash can at the front door of their readers.”
Furthermore, Bontchev worries that in the future, a rogue nation-state could use WikiLeaks as a pawn, intentionally leaking malicious documents to the website so they can infect readers once they are published.
UPDATE 8/23: This story was updated to reference an additional 3,277 malicious links that Bontchev discovered.