NSA contractor Reality Leigh Winner faces charges for mailing classified information to a media outlet. Winner gave a report to The Intercept that shows “Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election.”

The FBI arrested Winner on June 3 at her home in Georgia. She went to court on Monday afternoon.

The NSA Document

The Intercept reported:

The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:

Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.

This NSA summary judgment is sharply at odds with Russian President Vladimir Putin’s denial last week that Russia had interfered in foreign elections: “We never engaged in that on a state level, and have no intention of doing so.” Putin, who had previously issued blanket denials that any such Russian meddling occurred, for the first time floated the possibility that freelance Russian hackers with “patriotic leanings” may have been responsible. The NSA report, on the contrary, displays no doubt that the cyber assault was carried out by the GRU.

But the report does not indicate if the NSA concluded whether the “interference had any effect on the election’s outcome and concedes that much remains unknown about the extent of the hackers’ accomplishment.”

The Russian’s Plans

The hackers simply wanted to “pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents” filled with malware that gave the hackers access to computers.

Emails were sent on August 24, 2016, to “employees of an unnamed U.S. election software company.” The NSA did not specifically name a company, but the report “contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.” The Intercept continued:

The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”

On October 27, the hackers created a Gmail address that looked like “it belonged to an employee at VR Systems.” The documents they sent out had the malware:

The NSA assessed that this phase of the spear-fishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document. These particular weaponized files used PowerShell, a Microsoft scripting language designed for system administrators and installed by default on Windows computers, allowing vast control over a system’s settings and functions. If opened, the files “very likely” would have instructed the infected computer to begin downloading in the background a second package of malware from a remote server also controlled by the hackers, which the secret report says could have provided attackers with “persistent access” to the computer or the ability to “survey the victims for items of interest.” Essentially, the weaponized Word document quietly unlocks and opens a target’s back door, allowing virtually any cocktail of malware to be subsequently delivered automatically.


Pluribus International Corporation employed Winner and shipped her to a facility on February 13 where she “held a Top Secret security clearance.” She has been known to post anti-Trump posts on social media, like this one (from Heavy):


Heavy also reported that she set up a Twitter account under the name Sara Winners, which she used “to comment on a slew of political things, such as the North Dakota Pipeline and politics.” She also served “as an active member of the U.S. Air Force.” From Mashable:




The Department of Justice noted that Winner spoke to agents as they served out the search warrant:

During that conversation, Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a “need to know,” and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet, which she knew was not authorized to receive or possess the documents.

The NSA found out she printed off the report through its auditing system. Six people printed it off. Only Winner “had been in email contact with the news outlet.” And it looks like The Intercept ratted her out:

Donations tax deductible
to the full extent allowed by law.