WikiLeaks Has Morphed from Journalism Hotshot to Malware Hub

It’s alarmingly easy to visit WikiLeaks’ email database from Turkish political party AKP and come away infected with malicious code.

Sandra Upson
Backchannel
8 min read · Aug 19, 2016


Follow-Up Friday is our attempt to put the news into context. We call out a recent headline, provide an update, and explain why it matters. This week we reflect on the sentencing of Chelsea Manning three years ago.

Here’s a question on the minds of many Julian Assange watchers in the last few months: What the hell happened to WikiLeaks?

What was once an inspiring effort at transparency enabled by new technologies now seems driven by personal grudge and reckless releases of information. Its uncompromising claim to radical transparency is endangering the lives of potentially millions of private individuals caught up in the leaks, and now — with the recent discovery that it is disseminating malware — even harming the people seeking WikiLeaks’ insights.

Founded in 2006, WikiLeaks rocketed to global renown in 2010 when it began publishing a trove of diplomatic cables leaked by Chelsea Manning, known as Cablegate. WikiLeaks partnered with several news organizations, most notably The Guardian, Der Spiegel, and The New York Times, to vet the information, redact sensitive details, and produce high-profile articles on the geopolitical significance of the leaks. For Assange, the arrangement maximized his impact. With a strong technological backbone, undisclosed funders, and the power of the internet behind it, WikiLeaks appeared resistant to traditional legal or economic forms of accountability.

Credit: Ben Stansall / Getty Images

The U.S. government pursued a case against Manning, a hero to many WikiLeaks supporters for having shared evidence suggestive of war crimes, among other mega-revelations. When Manning was sentenced to 35 years’ imprisonment on August 21, 2013, the message was clear: the U.S. would prosecute whistleblowers harshly.

“It was a watershed moment, it speaks to the extent that the U.S. government wants to shut down whistleblowers,” says journalism professor Christian Christensen of Stockholm University. “If anyone says Assange is paranoid, or WikiLeaks is paranoid, they can point to Manning going to jail.”

In spite of his newfound fame, in the years that followed Cablegate, Assange’s world contracted. His partnerships with the Guardian and the Times had soured when Assange took issue with their handling of the leaks, often demanding more transparency. “He is quite careless about his own position. He’s not there for the money, he’s on a mission,” says Charlie Beckett, a media professor at the London School of Economics and co-author of a book on WikiLeaks. At risk of extradition to Sweden on sex assault charges, and deeply distrustful of the media, financial institutions and governments, Assange continued to alienate potential allies from his unlikely perch in the Ecuadorian Embassy in London.

The New WikiLeaks

More recently, WikiLeaks’ tenor has changed. On July 19, it released an unredacted database of emails from the Turkish party AKP, which also included the addresses and other personal details of millions of Turkish women, as reported by scholar and journalist Zeynep Tufekci. Three days later, in its leak of 19,252 emails from the Democratic National Committee, WikiLeaks once again included the social security and credit card numbers of donors, amidst other sensitive information.

WikiLeaks’ social media strategy has also evolved. It no longer solicits help on Twitter with vetting specific leaks, instead focusing more on lambasting journalists, notes Lisa Lynch, a media professor at Drew University who has written extensively about the organization. So when it came time to publish the DNC and AKP leaks, WikiLeaks struck out on its own. “The obvious fact is that WikiLeaks doesn’t have huge resources. They’re trying to be much more targeted, and to do down Hillary,” says Beckett. “The danger is — especially in the Turkish case — if they’re really not competent to judge the content, then that is seriously problematic.”

To many WikiLeaks supporters, these failures to redact were a breach of public trust. “For a man with human rights pretensions, Julian Assange is not in the right job,” says Tom Sorell, a University of Warwick professor of politics and philosophy who has analyzed WikiLeaks’ actions from a human rights perspective. Perhaps the most startling apostate was Edward Snowden, whose whistleblowing has historically been linked with Assange’s activities. For WikiLeaks, losing Snowden is like Lyndon Johnson losing Cronkite on Vietnam.

Enter Malware

WikiLeaks’ transgressions have not been limited to the wanton release of personal data. It has now entered an even darker realm of information mismanagement. As the world absorbed the gigantic trove of private emails released last month, Bulgarian security expert Vesselin Bontchev decided to examine the dump for malware. He figured that the average email database is likely to contain some harmful attachments, and that casual WikiLeaks visitors might now be endangered. His hunch was right, and he quickly uncovered a collection of malware in the AKP database.

Some of the samples were downloaders, whose only job is to fetch a second stage of malicious code later. Also in the cache was ransomware, which encrypts a user’s files until a payment is made. Other programs install a bot that allows a remote attacker to take over your computer. Bontchev, who is an assistant professor at the National Laboratory of Computer Virology in the Bulgarian Academy of Sciences, wrote up a report, which he posted on GitHub, including links to AKP emails that contained malicious attachments.

When I first spoke with Bontchev, earlier this week, he was outraged that WikiLeaks had not done or said anything to address the malware issue, which he had first raised weeks earlier on Twitter.

I set out to examine the files myself, to better understand how WikiLeaks might be reacting to the malware revelations. When I started exploring (carefully, with the help of another expert to ensure I didn’t accidentally infect myself), I couldn’t find any malware on the emails in his list. I wrote to Bontchev describing the steps I had taken, which appeared to show that WikiLeaks had in fact stripped the harmful code from those emails. “Ah! This is new. It is also excellent news!” he wrote back. “It means that Wikileaks have finally taken the necessary steps to protect their readers and have removed the known malicious files. Finally some responsible behavior from them. I am surprised that they haven’t announced it, though — it deserves to be widely known.”

He was right to be surprised.

Bontchev kept digging, and soon found that plenty more malware remained. In fact, it was extremely easy to stumble across it. When I tried myself with a dead simple search for the .exe extension, the reddest possible flag that an email attachment might be malicious, ten results turned up. Many of those ten listings were included in Bontchev’s report, and the ones he identified have since been cleaned up by WikiLeaks. But not all ten.

It appears that WikiLeaks removed the malware linked in Bontchev’s report, without performing even the most rudimentary analysis of its own. For example, the email labeled ‘12’ was marked as containing malware by Bontchev, and the attachment subsequently disabled. However, email #33 is the exact same message, sent at the same time by the same sender, but to a different person at the AKP. It would have been trivial for WikiLeaks to identify those duplicate files and scrub them, but the organization chose not to.
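The duplicate-file check described above, as an added example (not from the article, from WikiLeaks, or from Bontchev’s report): hash every attachment in a dump so that a file reported as malicious in one message is flagged in every message carrying the identical bytes, and flag red-flag extensions regardless. The document IDs, senders, payloads and the extension list are constructed stand-ins, not values from the AKP dump.

```python
import hashlib
from email.message import EmailMessage

RISKY_EXT = (".exe", ".js", ".zip")  # red-flag extensions from the article; assumed list

def make_mail(doc_id, sender, to, subject, attachments):
    """Build a constructed MIME message with binary attachments (test data, not AKP mail)."""
    msg = EmailMessage()
    msg["X-Doc-ID"] = str(doc_id)  # stand-in for the dump's document ID number
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content("constructed body text")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def triage(messages, known_bad):
    """Return {doc_id: [(filename, reasons)]} for attachments worth disabling.
    Pass 1 buckets attachments by content hash, so identical bytes sent to two
    recipients share a bucket; pass 2 flags every copy of a known-bad hash (not
    just the one an analyst reported) and any risky extension regardless of hash."""
    by_hash = {}  # sha256 -> [(doc_id, filename), ...]
    for msg in messages:
        for part in msg.iter_attachments():
            digest = sha256(part.get_payload(decode=True))
            by_hash.setdefault(digest, []).append((str(msg["X-Doc-ID"]), part.get_filename() or ""))
    findings = {}
    for digest, places in by_hash.items():
        shared = ["known-bad hash"] if digest in known_bad else []
        if shared and len(places) > 1:
            shared.append(f"duplicate in {len(places)} messages")
        for doc_id, name in places:
            reasons = shared + (["risky extension"] if name.lower().endswith(RISKY_EXT) else [])
            if reasons:
                findings.setdefault(doc_id, []).append((name, reasons))
    return findings

# Constructed sample dump: #12 and #33 are the same mail sent to two recipients.
PAYLOAD_BAD = b"MZ\x90\x00 constructed stand-in for a malicious executable"
PAYLOAD_OK = b"%PDF-1.4 constructed harmless report"
DUMP = [
    make_mail(12, "a@example.com", "x@example.org", "Fatura", [("fatura.exe", PAYLOAD_BAD)]),
    make_mail(33, "a@example.com", "y@example.org", "Fatura", [("fatura.exe", PAYLOAD_BAD)]),
    make_mail(50, "b@example.com", "z@example.org", "Rapor", [("rapor.pdf", PAYLOAD_OK)]),
    make_mail(107, "c@example.com", "w@example.org", "Re: ___", [("eft.zip", b"PK\x03\x04 x")]),
]
KNOWN_BAD = {sha256(PAYLOAD_BAD)}  # the hash an analyst's report on #12 would supply
```

Calling `triage(DUMP, KNOWN_BAD)` flags #33 alongside #12 because their attachments hash identically, which is the check the article says would have been trivial to run.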

Even a casual perusal puts database explorers in grave peril. On the first page of leaks emails, listed in order by document ID number, there are at least three emails with active malware links. Consider the suspicious-looking email #107, which caught my eye because it did not have a Turkish subject line, with just ‘Re: ___’ instead.

The text of email #107. You can see the rest of it here, but DO NOT download the attachment!

Sure enough, when I tried to download the attached zip file, Chrome and Firefox blocked it, flagging it as malicious. But other browsers do not protect WikiLeaks explorers — including the ubiquitous Safari. Safari goes so far as to unzip the file for you, unprompted. The code found inside the zip file looks like this:

Suspicious-looking JavaScript code from AKP email #107. Enjoy the words in green, which look like gibberish but are mostly English words spelled backwards. Presumably this was an attempt to evade detection by malware scanners.

Though the email above may not hoodwink the technologically savvy, a less sophisticated layperson or journalist could easily find themselves infected with a total of two clicks: one to download the attachment, and another to open and execute the attached code, opening up a victim’s computer to hijacking or further attack.

I share all this to demonstrate that coming across malicious files in the WikiLeaks database is so easy that any journalist or member of the public hoping to divine truth in the organization’s files runs a major risk of emerging infected. Instead of a shining example of transparency, WikiLeaks has degraded into a malware snakepit.

The malicious attachments housed in WikiLeaks are a direct consequence of its stance on so-called accuracy. WikiLeaks, in general, resists redacting leaks. In 2010, after the release of its trove of war documents, human rights organizations criticized the group for not removing the names of Afghans who assisted the U.S. military, putting their lives in imminent danger. The inclusion of private individuals’ contact information in both the DNC and AKP leaks this summer is just the most recent instance. The organization’s dangerously cavalier behavior around malware is an extreme manifestation of its habit of sharing records exactly as they are.

A response to another reporter’s query about why WikiLeaks had released information of little news value — and also the closest thing I could find to a recent WikiLeaks redaction policy.

This cavalier attitude is also a sign that WikiLeaks is likely underpowered for the scale of work it is doing — and that it does not care. Where it had earlier recognized the need for collaboration, tapping experts and journalists across the world to investigate the files in its possession and occasionally redact them, it now abdicates responsibility for the contents of its documents. The result is a growing disenchantment with its brand of radical, adversarial journalism.

Assange has intimated that more damning dumps are coming in WikiLeaks’ “Hillary Leaks” series. He may indeed have ambitions of swaying the upcoming U.S. presidential election. But the organization’s recent missteps do not inspire faith in its operational or even philosophical prowess. A media organization that endangers the lives of ordinary citizens is not challenging authority but reinforcing it. A media organization that lures people to its site, only to blatantly and knowingly expose them to malware, is not an institution that cares for its readers. As Alex Howard, senior analyst at the Sunlight Foundation, put it, “That’s not journalistic. That’s not whistleblowing. That’s creating a honeypot for unaware parts of the public looking for the dump.”

Sure, WikiLeaks can still make a dogmatic, narrow-minded claim to accuracy — but it is a claim laced with hypocrisy. If you were an idealistic leaker, would you still go to WikiLeaks? My guess is no.


Executive editor of Backchannel @ Conde Nast, formerly of Medium