By Chris Perez
Photo: Reality WinnerA 25-year-old Federal contractor was charged Monday with leaking a top secret NSA report — detailing how Russian military hackers targeted US voting systems just days before the election.
The highly classified intelligence document, published Monday by The Intercept, describes how Russia managed to infiltrate America’s voting infrastructure using a spear-phishing email scheme that targeted local government officials and employees.
It claims the calculated cyberattack may have even been more far-reaching and devious than previously thought.
The report is believed to be the most detailed US government account of Russia’s interference to date.
It was allegedly provided to the Intercept by 25-year-old Reality Leigh Winner, of Augusta, who appeared in court Monday after being arrested at her home over the weekend.
She was charged with removing and mailing classified materials to a news outlet, DOJ officials said.
“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” Deputy Attorney General Rod J. Rosenstein explained in a statement. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
Winner, who works as contractor at Pluribus International Corporation, allegedly leaked the report in early May. A federal official told NBC News that she had, in fact, given it to the Intercept.
According to the document, it was the Russian military intelligence that conducted the cyber attacks last year.
Specifically, operatives from the Russian General Staff Main Intelligence Directorate, or GRU, are said to have targeted employees at a US election software company last August and then again in October.
While the name of the company is unclear, the report refers to an undisclosed product made by VR Systems — an electronic voting services and equipment vendor in Florida that has contracts in eight states, including New York.
The hackers were given a “cyber espionage mandate specifically directed at U.S. and foreign elections,” the report says.
On August 24, 2016, the group sent the employees fake emails, which were disguised as messages from Google. At least one of the workers was believed to be compromised.
In late October, the group established an “operational” Gmail account and posed as an employee from VR Systems — using previously obtained documents to launch another spear-phishing attack “targeting US local government organizations,” the report says.
According to the NSA, the hackers struck on either October 31 or November 1, sending spear-fishing emails to at least 122 different email addresses “associated with named local government organizations.”
They were also likely sent to officials “involved in the management of voter registration systems,” the report says.
The emails were said to have contained weaponized Microsoft Word attachments, which were set up to appear as unharmful documentation for the VR Systems’ EViD voter database — but were actually embedded with automated software commands that are secretly turned on as soon as the user opens the document.
The hack ultimately gave the Russians a back door and the ability to deliver any sort of malware or malicious software they wanted, the report says.
In addition, the NSA document also describes two other incidents of Russian meddling prior to the election.
In one, the hackers posed as a different voting company, referred to as “US company 2,” from which they sent phony test emails — offering “election-related products and services.”
The other operation was said to be conducted by the same group of operatives, and involved sending emails to addresses at the American Samoa Election Office, in the attempt to uncover more existing accounts before striking again.
It is ultimately unclear what came of the cyberattack, but the NSA report firmly states that the Russians had been intent on “mimicking a legitimate absentee ballot-related service provider.”
“It is unknown, whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor,” the NSA states of the result of the hacking.
While the government employees were only hit with simple login-stealing tactics, experts told the Intercept that such operations could prove even more dangerous than malware attacks in some instances.
VR Systems doesn’t sell voting machines, but holds contracts in New York, California, Florida, Illinois, Indiana, North Carolina, Virginia, and West Virginia — making it a prime target for those who want to disrupt the vote and cause chaos come election day.
“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” Pamela Smith, president of election integrity watchdog Verified Voting, told the Intercept.
“This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote,” she said. “And it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”
At least one US intelligence official admitted to the Intercept that the Russian hackers described in the NSA report could have disrupted the voting process on November 8, by specifically targeting locations where VR Systems’ products were in use. They cited the simple possibility of compromising an election poll book system, which could cause widespread damage in certain places.
“You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect,” explained Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
In response to the report, VR Systems’ Chief Operating Officer Ben Martin told the Intercept: “Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.”
Who is Reality Winner? Accused leaker wanted to ‘resist’ TrumpBy Brooke Singman
Photo: Reality Winner
Reality Winner, a 25-year-old Air Force veteran, is a contractor with Pluribus International Corporation assigned to a federal facility in Georgia, where she allegedly leaked a classified intelligence report containing “Top Secret Level” information. The report, according to the Department of Justice, contained classified defense information from an intelligence community agency.
While the DOJ did not say which site published the information, the charges were announced just as The Intercept published details of a National Security Agency report on Russian hacking efforts during the 2016 presidential election.
According to the Justice Department, Winner admitted to printing a classified intelligence document despite not having a “need to know,” and with knowledge the report was classified. Winner further admitted removing the report from her office space and mailing it to the news outlet, according to the criminal complaint.
Why go through all the trouble and risk?
The Justice Department does not speak to motivation, but Winner’s social media pages indicate she was a passionate environmentalist who shared Bernie Sanders material online and held some anti-Trump views. She shared numerous articles and comments against the Dakota Access and Keystone XL pipelines (which Trump has moved to revive) on her Facebook page, even posting a letter she sent to the office of Sen. David Perdue, R-Ga.
“Repeat after me: In the United States of America, in the year 2017, access to clean, fresh water is not a right, but a privilege based off of one’s socio-economic status,” Winner wrote in a Facebook posting about four months ago.
Winner also posted using the hashtag #F---ingWall, in an entry about Trump “silencing” the Environment Protection Agency.
Winner also posted in February, before Trump revived construction on the Dakota Access Pipeline: “You have got to be s---ting me right now. No one has called? The White House shut down their phone lines. There have been protests for months, at both the drilling site and outside the White House. I’m losing my mind. If you voted for this piece of s---, explain this. He’s lying. He’s blatantly lying and the second largest supply of freshwater in the country is now at risk. #NoDAPL #NeverMyPresident #Resist.”
And in one telling post before the general election, she wrote, "On a positive note, this Tuesday when we become the United States of the Russian Federation, Olympic lifting will be the national sport."
As for non-political interests, her social accounts also suggest she's a workout buff and donates to veterans' and children's charities.
Air Force officials confirmed that Winner served active duty from December of 2010 to last December. It was not immediately clear if she was ever deployed. Winner was a cryptologic language analyst, requiring fluency in at least one foreign language which was not divulged. Winner attained the rank of senior airmen, E4, and was last stationed at Ft. Mead in Maryland.
The Justice Department did not specify whether Winner is being charged in connection with the Intercept’s report, but the site noted the NSA report cited in its story was dated May 5 of this year -- the affidavit released by the DOJ supporting Winner’s arrest also said the report was dated “on or about” May 5.
“Exceptional law enforcement efforts allowed us to quickly identify and arrest the defendant,” Deputy Attorney General Rod Rosenstein said on Monday. “Releasing classified material without authorization threatens our nation’s security and undermines public faith in government.”
Rosenstein added: “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
Winner has held a top secret clearance during her employment at Pluribus International Corporation. She has been employed at the facility since mid-February.
Late Monday night, WikiLeaks founder Julian Assange tweeted his support for Winner.
“Alleged NSA whistle-blower Reality Leigh winner must be supported. She is a young woman accused of courage in trying to help us know,” Assange posted on Twitter.
On Tuesday, The Intercept released a statement saying they had no knowledge of the identity of the person who provided them with the classified documents.
Did Obama tell the truth about Russia’s election meddling?By Paul Mirengoff
During a news conference last December, President Obama claimed that Russian interference in the 2016 election ended after he told Russian President Vladimir Putin to “cut it out” in early September. In Obama’s telling, he warned Putin of “serious consequences” if Russian interference continued. As a result the interference ceased.
Here is what Obama told the American public:
What I was concerned about in particular was making sure [the DNC hack] wasn’t compounded by potential hacking that could hamper vote counting, affect the actual election process itself. So in early September when I saw President Putin in China, I felt that the most effective way to ensure that that didn’t happen was to talk to him directly and tell him to cut it out and there were going to be serious consequences if he didn’t.
And in fact we did not see further tampering of the election process. But the leaks through WikiLeaks had already occurred.
However, Peter Hasson of the Daily Caller points out that Obama’s self-serving claim is contradicted by leaked documents. These documents indicate that Russia attempted to interfere in the election just days before it occurred: Hasson writes:
NSA documents published by The Intercept on Monday revealed that as late as October 31 or November 1, hackers launched an election-related spearfishing operation “targeting U.S. local government organizations.”
In other words, Russia was still tampering with the American electoral process after Obama said they ceased doing so. The documents’ authenticity has been confirmed by U.S. officials, and the U.S. Department of Justice charged on Monday the woman who leaked the Top Secret documents to The Intercept.
“The NSA assessed that this phase of the spear-fishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses ‘associated with named local government organizations,’ probably to officials ‘involved in the management of voter registration systems,’” The Intercept reported.
And that’s not all:
The leaked documents reveal that two other election-related hacking efforts were launched in October — one month after Putin supposedly “cut it out.”
There’s no reason to believe that the Russian efforts to “hack” the voting process succeeded. But it’s noteworthy that Russia went after the exact target — “actual election process itself — that Obama says he was determined to stopping them, and did stop them, from targeting.
It was always difficult to believe that Putin would take seriously a directive by Obama to “cut it out” (“it” being anything Putin wanted to do). As I reported in 2009, the Russians concluded, based on what they witnessed during Obama’s visit to Moscow, that the president was a lightweight. As one source told me, they felt they could “steal his pants.”
Obama repeatedly confirmed this assessment. He did so most egregiously when he turned to Russia to bail him out after Assad crossed the “red line” by using chemical weapons on civilians. But this wasn’t the only example.
Obama’s assertion that he caused Putin to back away from interfering in the 2016 election is best viewed as an attempt to reclaim his trousers, or at least to substitute a fig leaf. But now we know that Obama’s assertion was false.