A 25-year-old federal contractor has been arrested and charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. The arrest was announced just hours after The Intercept published a report based on the classified material.
Reality Leigh Winner, of Augusta, Georgia, was arrested at her home on Friday, according to the Justice Department. Winner, a contractor who started working with Pluribus International Corp. in February, appeared in federal court in the same city on Monday.
During an FBI interview, Winner allegedly admitted to printing a classified intelligence report and mailing it to a news outlet, which is not identified, according to an affidavit from an FBI special agent. Winner reportedly is a former U.S. Air Force linguist.
"Winner further acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation," writes Justin C. Garrick, the FBI special agent, in the affidavit.
Although the affidavit does not identify The Intercept, the publication ran a news item Tuesday about a top-secret NSA document. It describes a spear-phishing campaign by Russia's military intelligence agency, the GRU, aimed at hacking U.S. election officials and a U.S. voting software supplier. The five-page document is dated May 5.
The operation's aim was "evidently to obtain information on elections-related software and hardware solutions."
Although the document does contain some new detail on suspected Russian efforts, it's not a bombshell, writes Matt Thait, CEO and founder of Capital Alpha Security and a former GCHQ security specialist. "Bit sad for Winner," he writes on Twitter. "Going to spend a long time to spend in jail to provide nearly no new details on a [Washington Post] story from nearly a year ago."
The U.S. intelligence community believes Russia waged a months-long disinformation and hacking campaign that sought to disrupt the U.S. election. The Democratic Party saw emails from party officials and documents leaked by mysterious actors on independent websites and via WikiLeaks (see How Should US React to Alleged Hacks by Russia?).
In an interview with NBC News, Russian President Vladimir Putin aggressively dismissed involvement. But private security companies, based on technical indicators, say they have compelling information that links the hacking to long-known groups strongly believed to be affiliated with Russia.
Winner's arrest comes as the U.S. federal government has seen unprecedented leaks of classified material from the NSA and CIA, which President Donald Trump's administration has vowed to stop. Over the past four years, intelligence community contractors, including Edward Snowden and Harold T. Martin III, are alleged to have taken classified material.
The FBI affidavit describes how investigators zeroed in on Winner. The FBI was notified on June 1 by another government agency that a news outlet had reached out regarding an upcoming story. The publication supplied a copy of the top-secret document, it says.
The document had been either folded or creased, which suggested it "had been printed or hand-carried out of a secured space." Winner was one of six people who had allegedly printed out the report, the affidavit says.
"A further audit of the six individuals' desk computers revealed that Winner had e-mail contact with the news outlet," it says.
The document itself adds new details to suspicions that Russia may have mounted deeper efforts to compromise U.S. election infrastructure. Following the presidential election in which Donald Trump defied pollsters, U.S. officials found no evidence of actual tampering with voting machines.
One of the companies targeted is simply referred to as "U.S. Company 1." In August 2016, it was targeted by a spear-phishing campaign, which seeks to get potential victims to open malicious documents or links.
"The campaign appeared to be designed to obtain the end users' email credentials by enticing the victims to click on an embedded link with a spoofed Google Alert email, which would then redirect a user to a malicious domain," according to the document.
The attackers were probably trying to obtain information associated with election-related hardware and software applications, the document states. The NSA believes at least one account was compromised.
The information obtained from the U.S. company may have then been used to "launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations," according to the document. It appeared the attackers created an email address that sought to impersonate the company and then was used to send emails to local government organizations.
The emails contained one of two rigged Microsoft Word documents designed to infect computers with malware. Both documents purported to be set-up guides for EViD, a system from Florida-based VR Systems for verifying voters' identities.
The two attachments seen by analysts contained a malicious Visual Basic script, which then launches Microsoft's PowerShell scripting utility.
Around August 2016, the FBI issued a flash alert that foreign hackers had penetrated two states' election databases. In June and July, separate news stories reported that Illinois State Board of Elections' online voter registration system had been shut down after an attack. Arizona saw a similar intrusion caused by the compromise of a set of user credentials for that state's voter registration system.