
Cuffed: Govt contractor 'used work PC to leak' evidence of Russia's US election hacking

No, REALITY WINNER isn't an NSA exploit – it's her real name

By Iain Thomson, 6 Jun 2017

A 25-year-old contractor has been charged with leaking NSA files that claim Russian intelligence hacked at least one maker of voting software used in 2016's US elections.

Reality Leigh Winner, who held a top-secret clearance and worked at government tech provider Pluribus International, is accused of passing classified information to journalists. She was collared by the FBI on Saturday, June 3, at her home in Georgia, US, after which she apparently confessed everything to Uncle Sam's agents. She was charged on Monday with espionage.

"Exceptional law enforcement efforts allowed us quickly to identify and arrest the defendant," said Deputy Attorney General Rod Rosenstein earlier today.

"Releasing classified material without authorization threatens our nation's security and undermines public faith in government. People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."

According to an application [PDF] for her arrest warrant, on May 9, Winner, who had been with Pluribus for just three months, printed out a top-secret report dated May 5 from her work PC, and posted the dossier to an unnamed news organization. She also emailed the publication from her workstation, using her personal Gmail account, to ask for a podcast transcript.

Three weeks later the scribes gave US officials scans of the files they had received, and asked for comment. Meanwhile, according to the Feds, one of the reporters contacted a US intelligence source to separately confirm the veracity of the disclosed information, texting photos of the documents and the location of the facility they were obtained from. This source alerted his higher-ups that a reporter had been in touch about stolen information, further tipping off investigators.

Folds and creases visible in copies of the dossier supplied by the hacks to the government suggested the material had been printed off and carried out of a secure room by hand. Metadata hidden in microdots on the leaked document confirmed the date and time of the print job as well as the printer's serial number, we note.

Investigators thus queried their systems' audit logs, and found that six people had printed out that particular document: their work computers were searched, and only Winner's had evidence she had been in contact with a news website.

That was, we're told, enough to raise suspicion. After she returned from a short trip to Belize at the end of May, she was arrested at her home, her computers and devices were seized, and she was quizzed by g-men.

Strong-armed ... Winner shows off her gains on Instagram

FBI special agent Justin Garrick told a federal court that Winner – a cross-fit fan who graduated high school in 2011 and was in the US Air Force apparently as a linguist – confessed to reading and printing out the document, despite having no permission to do so. She also, we're told, confessed to mailing the document to journalists at the organization from Atlanta, knowing that she was transmitting classified data.

Judging from Winner's Facebook and Twitter pages, she was not a particular fan of Donald Trump, and followed NSA whistleblower Edward Snowden as well as WikiLeaks online. "On a positive note, this Tuesday when we become the United States of the Russian Federation, Olympic lifting will be the national sport," the blue-eyed Texas-born blonde joked days before November's presidential election. Her Instagram is filled with pics of her at the gym and her travels.

Winner faces up to 10 years behind bars if she's convicted. Her last post on Facebook reads: "You are what you love, not who loves you."

So what's the fuss all about?

While the contents of the document, and the news organization it went to, were not specified in Winner's court paperwork, by a curious coincidence The Intercept published on Monday a leaked report, dated May 5, into Russian election hacking.

That's the same date on the classified files apparently passed by Winner to reporters. Within the past few hours, US officials confirmed to Reuters that The Intercept's document is genuine, and that Winner is the alleged source of the file.

The top-secret report, compiled by the NSA, suggests Russian military intelligence carried out a targeted attack against at least one developer of voting software used during the 2016 elections – specifically in these states: California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.

The dossier claims that on August 24, 2016, elements from the Russian General Staff Main Intelligence Directorate (GRU) began a spear-phishing attack against companies that supply US election systems. The emails came with a Word document attached containing a Visual Basic script that would run a PowerShell script to slurp information from the victim's Windows PC.

Using contact records stolen from one or more suppliers, the hackers emailed 122 US election officials from vr.elections@gmail.com between October 31 and November 1 with more malware-laden Word documents. Although not named in the NSA file, there is a firm called VR Systems which makes software used in voter registration but not for counting the actual votes cast. It is believed VR was hacked, and its records used to phish officials.

"Phishing and spear-phishing are not uncommon in our industry," VR's COO Ben Martin told The Intercept.

"We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company."

At least one other election supply firm was also targeted, as well as election officials in American Samoa. None of the attacks appear to have been successful in terms of altering vote tallies and ballots.

According to the pilfered document, the NSA compiled its report from evidence it gathered in April this year. The details will no doubt play a part in the ongoing investigation into Russian interference in the US elections, but may not be much help.

"The problem we have is that voting security doesn't matter until something happens, and then after something happens, there's a group of people who don't want the security, because whatever happened, happened in their favor," said Bruce Schneier, a cybersecurity lecturer at Harvard's Berkman Center who has written frequently about the security vulnerabilities of US election systems.

"That makes it a very hard security problem." ®
