A former National Security Agency employee who worked at Tailored Access Operations has pleaded guilty to willful retention of national defense information, the same charge Harold T. Martin III faces:
A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence. Prosecutors agreed not to seek more than eight years, however, and Mr. Pho's attorney, Robert C. Bonsib, will be free to ask for a more lenient sentence. He remains free while awaiting sentencing on April 6.
Mr. Pho had been charged in secret, though some news reports had given a limited description of the case. Officials unsealed the charges on Friday, resolving the long-running mystery of the defendant's identity.
Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen. Prosecutors withheld from the public many details of his government work and of the criminal case against him, which is linked to a continuing investigation of Russian hacking.
Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security
Reality Winner NSA Leak Details Revealed by Court Transcript
A group is claiming that they hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):
A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.
"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."
The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.
Also at Computerworld:
The whole episode screams elaborate SCAM, but maybe it is legit, as Twitter chatter by some security experts seems to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by the Shadow Brokers as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.
Yet security pro Matt Suiche dived into the free files offered by the Shadow Brokers, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."
The Shadow Brokers are back, and they have a treat for you:
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.
[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
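The tally the researchers quoted above produced (distinct IPs, distinct hostnames, a TLD breakdown, the first and last timestamps) is the first thing anyone triaging a target list like this computes, and it is worth doing with a parser that discards malformed lines rather than counting them. The script below is an added example, not code from the article or from any of the researchers cited. It assumes a hypothetical whitespace-separated "timestamp ip hostname" layout and a constructed sample built from RFC 5737 documentation addresses, because the real dump's format is not reproduced on this page; country attribution, which the researchers also reported, would need an offline GeoIP database and is left out.

```python
"""Summarise a leaked target list: distinct IPs, distinct hostnames,
per-TLD counts and the time window the timestamps cover.

Added example; the record layout below is an assumption, not the real
dump's format."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not real leak data). Hypothetical layout:
# "<YYYY-MM-DD HH:MM:SS> <ip> <hostname>". Includes a duplicate record,
# one junk line and one line with an invalid address to exercise the
# error handling. Addresses are RFC 5737 documentation ranges.
SAMPLE_DUMP = """\
2000-08-22 03:14:07 198.51.100.23 mail.example.edu
2004-01-05 11:02:55 203.0.113.7 ns1.example.gov
2004-01-05 11:02:55 203.0.113.7 ns1.example.gov
2007-06-30 22:48:10 192.0.2.44 www.example.co.jp
2010-08-18 09:00:01 198.51.100.23 vpn.example.edu
this line is garbage and must be skipped
2010-08-18 09:00:02 999.1.1.1 bad.example.org
"""

# Two whitespace-separated timestamp tokens, then ip, then hostname.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)$")


def parse_dump(text):
    """Return a list of {'ts', 'ip', 'host'} dicts, one per well-formed
    line. Lines that do not match the layout, carry an unparseable
    timestamp or an invalid IP address are dropped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_raw, ip_raw, host = m.groups()
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(ip_raw)  # raises on 999.1.1.1
        except ValueError:
            continue
        records.append({
            "ts": ts,
            "ip": str(ip),
            "host": host.lower().rstrip("."),  # normalise FQDN form
        })
    return records


def summarise(records):
    """Compute the headline numbers: distinct IPs and hosts, how many
    hosts fall under each TLD, and the earliest/latest timestamp.
    The TLD is the last label only; mapping .co.jp to a registrable
    domain would need the Public Suffix List."""
    ips = {r["ip"] for r in records}
    hosts = {r["host"] for r in records}
    tlds = Counter(h.rsplit(".", 1)[-1] for h in hosts)
    times = sorted(r["ts"] for r in records)
    return {
        "distinct_ips": len(ips),
        "distinct_hosts": len(hosts),
        "tld_counts": dict(tlds),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
    }


def hits_per_ip(records):
    """Count records per IP; repeated hits on one address are usually
    the first thing worth a second look."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for k, v in summarise(recs).items():
        print(f"{k}: {v}")
    print("hits per ip:", dict(hits_per_ip(recs)))
```

Deduplication is done on the normalised hostname and on the canonical string form of the address, so a record repeated verbatim (as in the sample) counts once in the distinct totals while still showing up in the per-IP hit count.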
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.
Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.
[...] An unnamed US official told the paper that Martin allegedly hoarded more than 75 percent of the TAO's library of hacking tools. It's hard to envision a scenario under which a theft of that much classified material by a single individual would be possible.
Days after the Washington Post reported on the hoarding of Tailored Access Operations tools by Harold T. Martin III, a federal grand jury has indicted the former NSA contractor:
A federal grand jury has indicted a former National Security Agency contractor on 20 counts of willful retention of national defense information.
According to prosecutors, Harold "Hal" Martin took a slew of highly classified documents out of secure facilities and kept them at his home and in his car. Earlier this week, the Washington Post reported that among those materials, Martin is alleged to have taken 75 percent of the hacking tools that were part of the Tailored Access Operations, an elite hacking unit within NSA.
The indictment outlines 20 specific documents that he is accused of having taken, including "a March 2014 NSA leadership briefing outlining the development and future plans for a specific NSA organization."
Previously: NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.
It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication.
The formerly-classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files from August 2012 to May 2013.
"NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms" under its "Secure-the-net" initiative, the report says.
Data centre access is supposed to be governed by two-person access controls, the report notes, and the rollout of 2FA to "all high-risk users" was incomplete at the time of writing.
The agency had too many users with admin privileges, the report continues; those users were insufficiently monitored, and the NSA had not cut the number of agents authorised to carry out data transfers.
Giving the NSA more funding could probably fix it.
Reality Winner, a former NSA contractor accused of leaking a document to The Intercept, has had her interrogation by the FBI detailed in a transcript filed by federal prosecutors:
A National Security Agency contractor accused of leaking a classified report on Russian hacking aimed at the 2016 election told FBI agents she smuggled the document out of a high security intelligence facility in her pantyhose. That and other details appear in a transcript federal prosecutors filed in court Wednesday detailing the interrogation of 25-year-old linguist Reality Winner by the FBI as they carried out a search warrant at her home in June.
[...] Winner appears to say she believed the contents of the report — which described Russian spear-phishing cyberattacks aimed at U.S. voter registration databases — should be in the public debate. "I saw the article and was like, I don't understand why this isn't a thing," she said. "It made me very mad ... I guess I just didn't care about myself at that point. ... Yeah, I screwed up royally."
[...] The transcript hints at possible political motivations for the leak. Winner says she objected to her workplace tuning the TV to Fox News. She also had a signed photo of CNN Anchor Anderson Cooper, although she said the signature was fake. "I wasn't trying to be a Snowden or anything," Winner said, referring to NSA leaker Edward Snowden and his massive disclosures of details on U.S. government surveillance. "I guess it's just been hard at work because ... I've filed formal complaint about them having Fox News on, you know? Uh, at least, for God's sake, put Al Jazeera on, or a slideshow with people's pets. I've tried anything to get that changed." Despite Winner's statement to the FBI agents, prosecutors say that in a Facebook chat in March with her sister, Winner said she was on the "side" of both Snowden and WikiLeaks founder Julian Assange.
On pages 4-5 of the transcript, the FBI agents discuss letting Reality Winner (RW) put groceries in her fridge and leash up her dog. Do they teach them that technique at the Academy?
Previously: Feds Arrest NSA Contractor in Leak of Top Secret Russia Document
NSA employee who brought hacking tools home sentenced to 66 months in prison
Nghia Hoang Pho, a 68-year-old former National Security Agency employee who worked in the NSA's Tailored Access Operations (TAO) division, was sentenced today to 66 months in prison for willful, unauthorized removal and retention of classified documents and material from his workplace—material that included hacking tools that were likely part of the code dumped by the individual or group known as Shadowbrokers in the summer of 2016.
Pho, a naturalized US citizen from Vietnam and a resident of Ellicott City, Maryland, had pleaded guilty to bringing home materials after being caught in a sweep by the NSA following the Shadowbrokers leaks. He will face three years of supervised release after serving his sentence. His attorney had requested home detention.
In a letter sent to the court in March, former NSA Director Admiral Mike Rogers told Judge George Russell that the materials removed from the NSA by Pho "had significant negative impacts on the NSA mission, the NSA workforce, and the Intelligence Community as a whole." The materials Pho removed, Rogers wrote, included:
[S]ome of NSA's most sophisticated, hard-to-achieve, and important techniques of collecting [signals intelligence] from sophisticated targets of the NSA, including collection that is crucial to decision makers when answering some of the Nation's highest-priority questions... Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of security topics. Compromise of one technique can place many opportunities for intelligence collection and national security insight at risk.
Previously: Former NSA Employee Nghia Pho Pleads Guilty to Willful Retention of National Defense Information
Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
Former NSA Contractor Harold Martin Indicted
(Score: 4, Insightful) by Anonymous Coward on Tuesday December 05 2017, @09:57AM (5 children)
Who really believes that "Russian Hackers" exploited the Kaspersky software to steal the documents?
Seems more likely that the AV software worked as designed, detected potential malware and submitted various archives containing malware and documents[1]. Other AV software has similar features - submit samples to the "Cloud".
Conclusion: if you want to detect NSA zero-day malware you might consider adding Kaspersky software to your arsenal. And the NSA et al. aren't happy with that, so they'd prefer if fewer people used Kaspersky due to evil "Russian Hackers"...
[1] https://betanews.com/2017/10/26/kaspersky-nsa-files/ [betanews.com]
(Score: 5, Interesting) by jcross on Tuesday December 05 2017, @02:04PM
Sounds somewhat plausible. Another possible narrative I thought of (leaning in the other direction) is that the guy was compromised somehow and then instructed to install Kaspersky and take the documents home. I mean it's a great cover story if/when the leak gets found out. Maybe instead of arranging sophisticated dead drops, the spies of the future will always have their documents "stolen" from them, since unlike in the old days you'll never be expected to notice when someone copies a file and exfiltrates it over the internet.
(Score: 2) by DeathMonkey on Tuesday December 05 2017, @06:58PM (3 children)
Who really believes that "Russian Hackers" exploited the Kaspersky software to steal the documents?
Israel's intelligence officers watched them do it. [nytimes.com]
(Score: 2, Insightful) by Anonymous Coward on Tuesday December 05 2017, @08:04PM (1 child)
Who believes Israeli intelligence officers?
(Score: 0) by Anonymous Coward on Wednesday December 06 2017, @12:49AM
Ummm.... jews?
(Score: 0) by Anonymous Coward on Wednesday December 06 2017, @10:08AM
That's like believing the Mossad when they claim the Russians robbed your house because they were there watching the whole thing when it happened.
(Score: 3, Funny) by Bot on Tuesday December 05 2017, @02:38PM (2 children)
- so, mr. Pho, you were not born here?
- nyet... er... no, I am vietnamese by birth.
(the NSA head hunter turns his notebook to a page named "Countries we have been at war with" and begins to scan the list)
- "Yemen, Afghanistan, Pakistan, Libya, ISIS, North Korea, Iraq, Serbia, Kosovo, Bosnia, Haiti, Somalia, Panama... OK, looks clean. Welcome aboard, mr Pho."
Account abandoned.
(Score: 3, Informative) by PinkyGigglebrain on Tuesday December 05 2017, @06:33PM (1 child)
Some of us are old enough to remember that the USA was at war* with Vietnam back in the 1960's.
*the US Congress never actually made a formal declaration of war as required under the US Constitution so the conflict was technically a "military action", just like every "war" the US has engaged in since.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 3, Funny) by bob_super on Tuesday December 05 2017, @07:14PM
The US is one of the most peaceful countries in the world, according to the US Senate. The last time they declared war was on Hungary, Rumania and Bulgaria, 75 and a half years ago.
https://www.senate.gov/pagelayout/history/h_multi_sections_and_teasers/WarDeclarationsbyCongress.htm [senate.gov]
(Score: -1, Offtopic) by Anonymous Coward on Tuesday December 05 2017, @06:18PM (1 child)
Did HRC retain "national defense information"? You'd think with such a juicy target, prosecutors would fall over themselves to file charges (haha).
(Score: 2) by arslan on Wednesday December 06 2017, @12:52AM
She wasn't using Kaspersky AV?