{
	"id": "2f7ea42c-0200-46b7-9670-e756dda938e2",
	"created_at": "2026-04-06T00:09:07.240376Z",
	"updated_at": "2026-04-10T03:33:07.044796Z",
	"deleted_at": null,
	"sha1_hash": "fad92747d7e5ed090035db39c42f28c57fc22a3e",
	"title": "Report: CIA received more offensive hacking powers in 2018",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2369345,
	"plain_text": "Report: CIA received more offensive hacking powers in 2018\r\nWritten by Catalin Cimpanu, Contributor, July 15, 2020 at 6:07 a.m. PT\r\nArchived: 2026-04-05 16:07:17 UTC\r\nCIA headquarters in Langley, VA. (Image: file photo)\r\nBRENDAN SMIALOWSKI/AFP/Getty Images\r\nUS President Donald Trump gave broad powers to the Central Intelligence Agency (CIA) in 2018 to carry out offensive cyber operations across the globe.\r\nIn an exclusive today, Yahoo News reported that the agency used its newly acquired powers to orchestrate \"at least a dozen operations\" across the world.\r\nThe CIA was already authorized to conduct silent surveillance and data collection, but the new powers allow it to go even further.\r\n\"This has been a combination of destructive things - stuff is on fire and exploding - and also public dissemination of data: leaking or things that look like leaking,\" a former US government official told Yahoo News.\r\nWhile the former official didn't go into the specifics of each operation, Yahoo News reporters believe the CIA's new powers and modus operandi link it to a series of hack-and-dump incidents that took place primarily in 2019, such as:\r\nPublishing hacking tools (malware) from APT34, an Iranian government hacking unit, on Telegram.\r\nDoxing Islamic Revolutionary Guard Corps (IRGC) intelligence agents on Telegram by revealing their full names, home addresses, phone numbers, and social media profiles.\r\nDumping details about 15 million payment cards from three Iranian banks linked to Iran's IRGC.\r\nHacking two contractors that provide cyber-weapons and surveillance solutions for Russia's FSB intelligence agency and sharing the data online via a hacktivist group called Digital Revolution.\r\nCiting former US officials, Yahoo News claims that such operations would never have been approved in previous administrations, which had always been very cautious when attacking foreign adversaries, fearing blowback.\r\nHowever, in 2018, President Trump departed from the White House's classic stance on the matter and signed a document called a presidential finding, granting the CIA the ability to plan and execute covert offensive cyber operations under its own judgment, rather than under the oversight of the National Security Council.\r\nThe document effectively took the decision-making and approval process from the White House and the National Security Council and placed it with CIA leadership in an attempt to expedite foreign hacking operations.\r\nYahoo News reports that President Trump's decision split top US intelligence officials.\r\nSome officials feared repercussions from foreign adversaries, while others feared the lack of NSC oversight. NSC oversight previously kept US intelligence agencies like the CIA in check when it came to orchestrating and approving cyber operations on foreign ground, making sure agencies like the NSA and CIA went through a due process that would sometimes take years from the planning to the execution phase.\r\nHowever, Yahoo News sources said that some intelligence officials were ecstatic at Trump's decision, calling it \"a needed reform\" in order to make the CIA more agile and speed up response times to foreign attacks.\r\nThe locations of these foreign CIA cyber operations are currently classified, along with operational details, but former US officials who have seen the presidential finding said the document listed Russia, China, Iran, and North Korea as targets, but also left the door open for the CIA to carry out operations in other countries at its discretion.\r\nArticle title updated to reflect the original report better.\r\nSource: https://www.zdnet.com/article/report-cia-most-likely-behind-apt34-and-fsb-hacks-and-data-dumps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/report-cia-most-likely-behind-apt34-and-fsb-hacks-and-data-dumps/"
	],
	"report_names": [
		"report-cia-most-likely-behind-apt34-and-fsb-hacks-and-data-dumps"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91e335e-42be-48d9-96b5-ba56749a723b",
			"created_at": "2022-10-25T16:07:23.458346Z",
			"updated_at": "2026-04-10T02:00:04.616481Z",
			"deleted_at": null,
			"main_name": "CIA",
			"aliases": [
				"Central Intelligence Agency"
			],
			"source_name": "ETDA:CIA",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775791987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fad92747d7e5ed090035db39c42f28c57fc22a3e.pdf",
		"text": "https://archive.orkl.eu/fad92747d7e5ed090035db39c42f28c57fc22a3e.txt",
		"img": "https://archive.orkl.eu/fad92747d7e5ed090035db39c42f28c57fc22a3e.jpg"
	}
}