The FBI arrested a 25-year-old NSA contractor on Saturday (3rd June) for leaking classified information to an online news outlet which published its report yesterday (5th June) — meaning the arrest was made two days before the actual disclosure went online.
Reality Leigh Winner, who held a top-secret security clearance and worked as a government contractor in Georgia with Pluribus International, was arrested at her home in Augusta on charges involving the leak of top-secret NSA files to 'The Intercept,' an online publication that has been publishing NSA documents leaked by Edward Snowden since 2014.
The Intercept published a report on Monday, 5th June, based upon a classified document it received anonymously, which claims that in August 2016, Russia's military intelligence agency "executed a cyber attack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials days before [the] election."
The NSA document (dated May 5, 2017) argues that hackers, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), had attempted to break into VR Systems, a Florida company that sells voting registration equipment used in the 2016 US presidential election.
This is what the NSA document alleges about the Russian hacking into U.S. voting systems:
"Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations."
How the FBI Caught the NSA Leaker, Reality Winner
So, how did the federal authorities identify Winner as the one behind the leak?
The federal officials began their investigation after The Intercept contacted the NSA on May 30 and turned over a copy of the report to verify the authenticity of that document while asking for comment before publishing its report.
Winner did not mail the actual document (PDF) directly to The Intercept; instead, she printed the document and then emailed a scanned copy of it to the publication.
But, unfortunately, it seems like Winner was not aware of the fact "that most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed," Robert Graham of Errata Security said, explaining how the agency identified the leaker.
Graham explains step by step how anyone can analyze the scanned copy of a printed document to retrieve the secretly stored information, which in this case revealed:
"The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017, at 6:20. The NSA almost certainly has a record of who used the printer at that time."
Since the NSA logs all printing jobs on its printers, the NSA determined that only six employees had access to that document and that Winner was the person who printed and removed the document from a secure facility.
Winner also allegedly "acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and the advantage of a foreign nation," read the criminal complaint [PDF] released by the DoJ on Monday.
"Exceptional law enforcement efforts allowed us quickly to identify and arrest the defendant," said Deputy Attorney Gen. Rod J. Rosenstein. "Releasing classified material without authorization threatens our nation's security and undermines public faith in government. People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."
Winner is facing a count of "gathering, transmitting or losing defence information," and up to 10 years behind bars if she is convicted.