A former developer for the National Security Agency’s elite Tailored Access Operations hacking group was sentenced in Baltimore Tuesday to five years and six months in prison for bringing home highly classified attack tools and documents that wound up in the hands of a Russian security company.
Nghia Hoang Pho, 70, pleaded guilty last October to a federal charge of Willful Retention of Classified Information. Beginning in 2010, Pho smuggled government hacking tools and classified documents from the NSA’s Maryland headquarters work from home after hours. The security breach led to a bizarre incident in 2015 in which Moscow-based Kaspersky Lab slurped up classified documents and source code from Pho’s home computer, which was running the company’s anti-virus software. The U.S. has since banned Kaspersky products from government networks, partially as a result of that incident.
Kaspersky has acknowledged copying Pho’s secret files, but described the incident as an unintended byproduct of its routine malware scanning. Pho’s cache included the source code for an NSA hacking tool that Kaspersky’s product properly detected and flagged for analysis. Kaspersky wound up with classified documents as well, because they were bundled with the code in a ZIP archive. Company founder Eugene Kaspersky ordered his researchers to delete their copy of the documents and code in 2015, the company asserted in a blog post last year, adding that the material “was not shared with any third parties.”
The sentence is less than the minimum six-and-a-half years recommended by federal sentencing guidelines. Prosecutors sought the recommended maximum term of eight years.
Last month, another NSA contractor received roughly the same sentence for leaking a single document to a news outlet. Reality Winner, 26, was sentenced to 5 years, 3 months in prison for revealing that Russia attempted to hack election-related systems in the U.S. in 2016. The same information was later declassified and included in Robert Mueller’s indictment of Russian intelligence officers.
In a court filing last March, then-NSA director Mike Rogers said Pho’s actions “placed at risk some of NSA's most sophisticated, hard to achieve and important techniques” of electronic spying, and forced the NSA “abandon certain important initiatives, at great economic and operational cost."
“In addition, NSA was faced with the crucial and arduous task of accounting for all of the exposed classified materials, including Top Secret information,” Rogers wrote. “These efforts were tremendously expensive and diverted critical resources away from NSA's intelligence-gathering mission, including the development of new and innovative ways to conduct signals intelligence.”
Pho came to the NSA’s and FBI’s attention as they investigated a massive leak of NSA attack code by a self-described hacking group called the Shadow Brokers, who started publishing the agency’s secrets in the final months of the Obama administration, and increased in frequency and impact after the U.S. bombing of a Syrian airfield in April last year. The most harmful leak, on April 14 of last year, included an exploit against Windows machines that was quickly harnessed by the North Korean government to launch the massive WannaCry ransomware attack.
The Shadow Brokers’ identity remains a mystery, but security experts have named Russia’s intelligence services as the most likely culprit. “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” exiled NSA whistleblower Edward Snowden tweeted last August. “Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the [Democratic National Committee] hack.”
The same Shadow Brokers investigation led the FBI to an NSA contractor named Hal Martin, who, like Pho, worked in the agency’s hacking unit. Martin was found hoarding two decades of agency secrets in his Maryland home. He is scheduled for trial in June 2019. Neither Pho nor Martin have been accused of deliberately passing the NSA’s secrets to outsiders.
The investigation apparently failed to solve its central mystery though, and the source of the Shadow Brokers’ material has still not been determined, or if it has, it’s a secret. For their part, the Shadow Brokers were last heard from in October 2017.
