Cyberwarfare / Nation-State Attacks , Data Loss Prevention (DLP) , Fraud Management & Cybercrime

Former NSA Contractor Pleads Guilty to 'Top Secret' Leak

Plea Deal Calls For Reality Winner to Serve 63-Month Sentence
Former NSA Contractor Pleads Guilty to 'Top Secret' Leak
Reality Leigh Winner, pictured, faced up to 10 years in prison.

A former NSA contractor accused of leaking a classified document describing Russian meddling with U.S. voting systems has pleaded guilty to one count of violating the Espionage Act.

See Also: Global Ransomware Threat Report H1 2022

Prosecutors' plea deal with Reality Leigh Winner, 26, calls for her to spend 63 months in prison, and must still be approved by a judge, the New York Times reports. Winner, who appeared in federal court in Augusta, Georgia, on Tuesday, could have faced a 10-year sentence.

Reality Leigh Winner

The Times reports that Winner's prosecution for leaking classified material is the first such prosecution during President Donald Trump's administration. Over the past five years, the U.S. government has struggled to contain leaks of classified material, which has exposed voluminous amounts of information from the NSA and CIA (see US Government Plans to Indict Alleged CIA Leaker).

At her hearing, Winner told Chief Judge J. Randal Hall that "all of my actions I did willfully, meaning I did so of my own free will," the Times reports.

On a Friends of Reality Winner website dedicated to her case, Winner's mother, Billie Winner Davis, writes that the plea agreement was in her daughter's best interests, especially as she'd already been jailed for 389 days without bail.

"Given the time and circumstances and the nature of the espionage charge, I believe that this was the only way that she could receive a fair sentence," she writes.

Creased Document

Winner, a former U.S. Air Force linguist, was working for a contractor, Pluribus International, when her legal trouble started.

Winner was arrested at her home on June 2, 2017, just hours after news website The Intercept published a report based on classified material (see US Contractor Arrested in Leak of NSA Top-Secret File).

According to an FBI affidavit, Winner admitted that she'd printed the classified document and mailed it to The Intercept.

The five page document, which originated with the NSA, was labeled "top secret." It describes spear-phishing efforts by one of Russia's intelligence agencies, the Main Intelligence Directorate, or GRU, aimed at hacking U.S. election officials and a U.S. voting software supplier.

The campaigns used email addresses that closely resembled legitimate ones. The emails sent to targets contained rigged Microsoft Word documents designed to eventually facilitate the delivery of malicious software.

To verify the authenticity of the allegedly leaked document, The Intercept supplied an image of the document - in PDF format - to Winner's employer, which passed it on to the U.S. government. According to the affidavit for a search warrant, the government noticed that the document "appeared to be folded and/or creased, suggesting that they had been printed and hand-carried out of a secured space."

A probe found that six people had printed out the document, including Winner. Investigators examined Winner's desktop computer and found that she had email contact with The Intercept.

Further investigation showed that four days after the document was created on May 5, 2017, Winner had searched a classified system for certain search terms, which resulted in her finding it.

Intercept Contributes To Winner's Defense

The Intercept, for its part, has been pilloried with allegations that it failed to protect its source by having sent photos of the actual documents to Winner's employer, which passed them to the U.S. government.

The Intercept maintains that it had no knowledge of who sent it the documents. But an internal review found that "our practices fell short of the standards to which we hold ourselves for minimizing the risks of source exposure when handling anonymously provided materials," the publication stated in July 2017.

As a result, The Intercept's parent company, First Look Media, contributed funds to Winner's defense via its Press Freedom Defense Fund.

"We at The Intercept have always opposed the use of the Espionage Act against government whistleblowers," the publication wrote. "Our stand is unwavering and we would object to the prosecution of Winner under the act even if we had no connection to the materials she is accused of disclosing."

Digital Watermark

Source: Robert Graham

Information security experts have noted that the printed document had been digitally watermarked, which would have aided investigators as they sought to unmask Winner.

"The problem is that most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document," Robert David Graham, who heads offensive security research firm Errata Security, said in a blog post last year.

Source: Robert Graham

Graham said the microdots on the document were easy to decode, for example by using a free, online tool provided by privacy rights groups Electronic Frontier Foundation. "The document leaked by the Intercept was from a printer with model number 54, serial number 29535218," Graham found. "The document was printed on May 9, 2017 at 6:20 [a.m.]. The NSA almost certainly has a record of who used the printer at that time."

Russian Interference Continues

Many security experts have been sympathetic to Winner having leaked the document, contending that she was acting as a whistleblower at a time when the Trump administration was continuing to downplay Russian interference with the 2016 presidential election (see Russian Meddling: Trump Hasn't Ordered Direct NSA Response).

A logo supporting Winner. (Source:

In terms of the leaked document itself, it served as an interesting tidbit that added technical depth to the Russian government efforts to disrupt the 2016 U.S. presidential election. But the U.S. intelligence community had already made up its mind and publicly released its findings in January 2017. That's when the Office of the Director of National Intelligence released a report stating that Russian president Vladimir Putin had ordered an influence operation seeking to disrupt the 2016 campaign.

Earlier this year, the nation's top intelligence official told Congress that intelligence agencies had seen no decrease in Russian attacks online since 2016. "The 2018 U.S. midterm elections are a potential target for Russian influence operations," Director of National Intelligence Dan Coats warned the Senate Intelligence Committee in February (see Will Congress Lose Midterm Elections to Hackers?).

Executive Editor Mathew Schwartz also contributed to this article.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.