A 25-year-old Federal Government contractor was arrested by the FBI on Saturday (3rd June) in Georgia for leaking classified information to an online news outlet.
Reality Leigh Winner, a contractor with Pluribus International Corporation assigned to a U.S. government agency facility in Georgia, who had a top-secret security clearance, was accused of removing classified material from a government facility and mailing it to ‘The Intercept,’ an online publication.
The leaked report concerns an alleged cyberattack attempt by Russian military intelligence officers against a voting software company and local election officials. The NSA document (dated May 5, 2017) states that hackers, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), had attempted to break into VR Systems, a Florida company that sells voter registration equipment used in the 2016 US presidential election. However, the document does not say whether the hack had any impact on the election’s outcome.
The Intercept published its story, based on a classified document it had received anonymously, on Monday (5th June). Although Winner was arrested on Saturday (3rd June), the Justice Department announced her arrest only hours after The Intercept story went live.
What is confusing about the whole incident is that Winner was arrested on Saturday, two days before the disclosure went online. So how did the federal authorities identify Winner as the person behind the leak?
How Did The Intercept Out Reality Winner?
Federal officials began their investigation after The Intercept contacted the NSA on May 30 and handed over a copy of the report to verify its authenticity, while asking for comment before publishing its story.
The document posted by The Intercept is not the original PDF file but a PDF made from scanned images of a printed copy. That means Winner did not send the actual PDF to The Intercept; instead, she printed the document and sent the printed pages to the publication.
And this was the mistake that helped federal officials identify the leaker. According to Robert Graham of Errata Security, most new printers place nearly invisible yellow dots on every page they print, and those dots encode exactly when, and on which printer, the document was printed.
Since the NSA logs every print job on its printers, it can use this information to match up precisely who printed the document.
Graham also explains in his blog post the step-by-step procedure by which anyone can analyse the scanned copy of a printed document to retrieve this hidden information, which in this case revealed:
“The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017, at 6:20. The NSA almost certainly has a record of who used the printer at that time.”
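To make the tracking-dot analysis concrete, here is an added example (not code from Graham's post or from the article) that encodes and decodes such a dot grid. It assumes the publicly documented DocuColor layout (a 15 x 8 grid with a parity row and parity column; the column map is in the code) and uses the values Graham reported for the leaked document as a constructed sample; real printers differ in their column maps, so treat the map as a parameter.

```python
# Column map below is the public DocuColor layout (assumed; other printers differ).
ROWS, COLS = 8, 15
FIELD_COLUMNS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8, "model": 15}
SERIAL_COLUMNS = (11, 12, 13, 14)   # serial number as four two-digit groups (assumed)

def encode(fields, serial):
    """Build a dot grid (8 rows of 15 cells, 1 = yellow dot) from field values and an
    8-digit serial string. Row 1 and column 1 are filled so that every data column
    and every data row contains an odd number of dots (the parity convention assumed)."""
    grid = [[0] * COLS for _ in range(ROWS)]
    values = {col: fields[name] for name, col in FIELD_COLUMNS.items()}
    for i, col in enumerate(SERIAL_COLUMNS):
        values[col] = int(serial[2 * i: 2 * i + 2])
    for col, value in values.items():
        for row in range(2, ROWS + 1):            # row 2 is the 64 bit, row 8 the 1 bit
            grid[row - 1][col - 1] = (value >> (ROWS - row)) & 1
    for col in range(1, COLS):                    # column parity dots go in row 1
        grid[0][col] = 1 - sum(grid[r][col] for r in range(1, ROWS)) % 2
    for row in range(1, ROWS):                    # row parity dots go in column 1
        grid[row][0] = 1 - sum(grid[row][1:]) % 2
    return grid

def column_value(grid, col):
    """Read a 1-based column as a 7-bit integer from rows 2..8."""
    return sum(grid[row - 1][col - 1] << (ROWS - row) for row in range(2, ROWS + 1))

def parity_errors(grid):
    """Return the data columns/rows whose dot count is even (should be odd); [] when clean."""
    errors = [f"column {c + 1}" for c in range(1, COLS)
              if sum(grid[r][c] for r in range(ROWS)) % 2 == 0]
    errors += [f"row {r + 1}" for r in range(1, ROWS) if sum(grid[r]) % 2 == 0]
    return errors

def decode(grid):
    """Recover printer serial, model and timestamp. A parity failure is what a scanning
    artefact or a mis-read dot looks like, so refuse to decode rather than guess."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity failure in " + ", ".join(errors))
    out = {name: column_value(grid, col) for name, col in FIELD_COLUMNS.items()}
    out["serial"] = "".join(f"{column_value(grid, col):02d}" for col in SERIAL_COLUMNS)
    # Two-digit year is assumed to be 20xx.
    out["printed"] = "20{year:02d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}".format(**out)
    return out

# Constructed sample: the values Graham reported for the leaked document
# (model 54, serial 29535218, printed 2017-05-09 06:20), encoded by this script.
SAMPLE_GRID = encode({"minute": 20, "hour": 6, "day": 9, "month": 5, "year": 17, "model": 54},
                     "29535218")
```

Calling `decode(SAMPLE_GRID)` returns the serial, model and timestamp; flip any single dot and `decode` raises because both the affected column and row lose their odd parity.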
The FBI special agent who wrote the affidavit in support of Winner’s arrest alleges that she printed the document from her work computer on May 9, 2017, and mailed it to a “News Outlet.” The outlet then showed the document to the NSA to confirm its authenticity. The government agency conducted an internal audit to determine who had accessed the intelligence reporting since its publication and found that six individuals had printed it; Winner was one of those six. A further audit of the six individuals’ desk computers revealed that Winner had been in e-mail contact with the News Outlet.
Winner “admitted intentionally identifying and printing the classified intelligence reporting at issue” and mailing it to the outlet, according to the criminal complaint released by the DoJ on Monday. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet, which she knew was not authorized to receive or possess the documents.