By Charlie Savage
WASHINGTON – An intelligence contractor was charged with sending a classified report about Russia’s interference in the 2016 election to the news media, the Justice Department announced Monday, the first criminal leak case under President Trump.
The case showed the department’s willingness to crack down on leaks, as Trump has called for in complaining that they are undermining his administration. His grievances have contributed to a sometimes tense relationship with the intelligence agencies he oversees.
The Justice Department announced the case against the contractor, Reality Leigh Winner, 25, about an hour after the national security news outlet The Intercept published the apparent document, a May 5 intelligence report from the National Security Agency.
The report described two cyberattacks by Russia’s military intelligence unit, the GRU – one in August against a company that sells voter registration-related software and another, a few days before the election, against 122 local election officials.
The Intercept said the NSA report had been submitted anonymously. But shortly after its article was published, the Justice Department said that the FBI had arrested Winner at her house in Augusta, Ga., on Saturday. It also said she had confessed to an agent that she had printed out a May 5 intelligence file and mailed it to an online news outlet.
It was not immediately clear who is serving as the defense lawyer for Winner, who has been charged under the Espionage Act.
An accompanying FBI affidavit said she has worked for Pluribus International Corp. at a government facility in Georgia since Feb. 13. While it did not identify the agency or the facility, the NSA uses Pluribus contractors and opened a branch facility in the suburbs outside Augusta in 2012.
The FBI affidavit said reporters for the news outlet, which it also did not name, had approached the NSA with questions for their story and, in the course of that dialogue, provided a copy of the document in their possession. An analysis of the file showed it was a scan of a copy that had been creased or folded, the affidavit said, “suggesting they had been printed and hand-carried out of a secured space.”
The NSA’s auditing system showed that six people had printed out the report, including Winner. Investigators examined the computers of those six people and found that Winner had been in email contact with the news outlet, but the other five had not. In a statement, the deputy attorney general, Rod J. Rosenstein, praised the operation.
“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” he said. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
Espionage Act charges carry a sentence of up to 10 years in prison, although conventional leak cases have typically resulted in prison terms of one to three years.
Once rare, leak cases have become far more common in the 21st century, in part because of electronic trails that make it easier for investigators to determine who both had access to a leaked document and was in contact with a reporter. Depending on how they are counted, the Obama administration brought nine or 10 leak-related prosecutions – about twice as many as were brought under all previous presidencies combined.
Rosenstein helped prosecute one of them, a case against James E. Cartwright, a retired four-star Marine general and a former vice chairman of the Joint Chiefs of Staff accused of disclosing classified information to reporters. Cartwright pleaded guilty to lying to investigators about his conversations with journalists but was later pardoned by President Barack Obama.
Trump called for a crackdown in the context of leaks about what surveillance has shown about his own associates’ contacts with Russian officials. The report Winner is accused of leaking, by contrast, focuses on pre-election hacking operations targeting voter registration databases and does not mention the Trump campaign.
The U.S. intelligence community has concluded that Russia conducted a broad influence campaign for the purpose of undermining Hillary Clinton’s candidacy and sowing doubts about the democratic process if she had won.
In October, when the Obama administration accused Russia of stealing and releasing Democratic emails, it also said there was a pattern of probing of voter registration-related systems that were traceable to Russian servers, but stopped short of saying the Russian government was behind them. The intelligence report, citing unspecified information the NSA obtained in April, suggests the government is now satisfied that Moscow was the culprit.
Both attacks described in the report relied on spear phishing, a tactic that uses spoof emails to trick users into clicking links or opening attachments that then install malicious software on their computers. The GRU sent the emails from two free American web-based email providers, Google’s Gmail and Microsoft’s Outlook.com, it said.
The first attack, on Aug. 24, involved an attack on a U.S. company “evidently to obtain information on elections-related software and hardware solutions.”
That attack was most likely successful. The report said the GRU used data most likely obtained from it to conduct the second set of attacks, a “voter registration themed spear-phishing campaign targeting U.S. local government organizations.”
Specifically, it said, in late October or early November, the GRU sent to 122 local elections officials emails designed to look like they were from that company and containing attachments designed to look like an updated system manual and checklist. Opening the attachment would download malicious software from a remote server, the report said.
The report masked the name of the software vendor, referring to it as “U.S. Company 1,” in keeping with standard minimization rules for intelligence reports based on surveillance. However, the report contained references to an electronic voter identification system used by poll workers and sold by VR Systems, a Florida company.
VR Systems’ website said its products were used by jurisdictions in California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia. In a statement, VR acknowledged that there had been a problem, while stressing that none of its products dealt with vote marking or tabulation.
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment,” it said. “We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.”