
Case Updates

In light of recent actions and publications, I am making these updates:

Update 1: NGHIA HOANG PHO

Who?

Pho was employed as a developer in Tailored Access Operations (TAO, the NSA unit responsible for operations and intelligence collection from foreign automated information systems or networks, as well as actions taken to prevent, detect and respond to unauthorized activity within DoD information systems and computer networks, for the United States and its allies) at the National Security Agency (NSA). He held a number of security clearances, including TOP SECRET.

What did he do?

According to court documents, Pho removed massive troves of highly classified national defense information without authorization and kept it at his home. The official court count against him is Willful Retention of Classified National Defense Information. There may be more, but part of the court hearing is sealed for national security reasons.

Sentence

He was sentenced to 66 months in prison, to be followed by three years of supervised release, for willful retention of classified national defense information.

Letter from NSA Director (Michael S. ROGERS) about the NGHIA HOANG PHO Case

In a letter obtained by a Politico journalist, NSA Director Michael S. ROGERS wrote these sentences:

Some of NSA's most sophisticated, hard-to-achieve, and important techniques of collecting [signals intelligence] from sophisticated targets of the NSA, including collection that is crucial to decision makers when answering some of the Nation's highest-priority questions... Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of security topics. Compromise of one technique can place many opportunities for intelligence collection and national security insight at risk.

My Analysis (MODERATE CONFIDENCE)

After carefully reading the Rogers letter, we can assume with moderate confidence that NGHIA HOANG PHO was the source, or part of the source, of the #ShadowBrokers leaks. Rogers talked about techniques, NSA accounting and other things, which indicates strong and long-term impacts. These things could be the Eternal… class exploits, or the FuzzBunch framework. I like how Rogers talked about trust too, because this whole case eroded the trust partnership with some U.S. services. This was a strong impact, and indicting someone as the presumed source, or part of it, showed that the NSA took time but finally found something. It is a hard advertisement to everyone working for them, and a strong technical and political message too.

Unfortunately, even if predictable, part of the judgment is sealed, and that is where, I presume, the technical details and information landed. Maybe, at some point in the future, the full story will be declassified? Who knows? :)


Update 2: HAROLD T. MARTIN, III

Who?

Harold Thomas Martin III is a former contractor for Booz Allen Hamilton, a defense contractor well known for its work for the U.S. Department of Defense. He was employed in the Tailored Access Operations unit (TAO, the NSA unit responsible for operations and intelligence collection from foreign automated information systems or networks, as well as actions taken to prevent, detect and respond to unauthorized activity within DoD information systems and computer networks, for the United States and its allies) at the National Security Agency (NSA). Harold Thomas Martin III held a Top Secret national security clearance.

What is he being accused of?

According to court documents, Harold Thomas Martin III removed massive troves of highly classified national defense information (TOP SECRET, SCI; some of it produced in 2014) without authorization and kept it at his home. The removal started not earlier than 1996 and continued through August 27, 2016. As of 29 August 2016, according to the criminal complaint court document, Harold Thomas Martin III was being prosecuted on 2 counts:

The official twenty court counts against him are all for Willful Retention of Classified National Defense Information. These counts correspond to 20 documents selected by FBI agents from roughly 50 terabytes of data and hard copy (paper) material.

Sentence

Sentence pending; he agreed to plead guilty to 1 of the 20 counts of “willful retention of classified national defense information”.

My Analysis (LOW CONFIDENCE)

After carefully reviewing these documents again, I would say there is nothing that can indicate Harold Thomas Martin III wasn't the source of the initial leak, whether of his own free will or not. My thoughts are that he wasn't the source knowingly. But I want to put the context back, which is needed here and was the reason for this blog entry: Harold Thomas Martin III is a person who has problems in his life and made huge mistakes or offenses (leaving TS/SCI documents on his vehicle seats in the driveway, for example). According to court documents, Martin did some research on how the U.S. detects leaks (technologies and procedures), and on the Russian language and other languages too.

In my view, he contacted the ShadowBrokers when they went public and sent a DM to the @shadowbrokerss Twitter account with the famous sentence “shelf life, three weeks”, which could be a time-limited access link to some materials. If, as some people in this neighborhood said, he was a true patriot, he may have tried to catch them, and this could just be a bad game ended by the FBI raid. But it could also be an attempt to share some documents with TA TSB to prove he had access to interesting files too. This latter opinion was strengthened in the FBI's mind by the discovery of an old letter in which he threatened colleagues over the way they used TS/SCI files. Add that he was in possession of a “sophisticated software tool which runs without being installed on a computer and provides anonymous internet access, leaving no digital footprint on the machine”, which I assume means the FBI was talking about a live distribution like Tails, and that the FBI found evidence he had remote data storage accounts and mastered encryption: that is a lot of moderate-to-high indicators, and I understand the RED alert that, I think, the FBI raised. During the raid the FBI found 50 terabytes of information (digital and paper), for example secret NSA emails and a Document A about a NAVY operation classified TS/SCI. Out of all these troves, the FBI restricted the indictment to 20 documents they found; each document is one count of Willful Retention of Classified National Defense Information.

There is a lot to say in this case: TS/SCI classified documents lying on the back seat of a vehicle parked in the driveway, and the NSA not being able to detect a 50 terabyte exfiltration. But I don't think he was the primary source knowingly; rather, one of his accounts may have been breached and his backups recovered, which would make him the indirect source. Unfortunately, even if predictable, part of the information is redacted, and that is where, I presume, the technical details and information landed.

Maybe, at some point in the future, the full story will be declassified? Who knows? :)


HAL case Timeline

2016: August, September, October

2017: February, March

2018: January, November, December

2019: June