NSA employee pleads guilty after stolen classified data landed in Russian hands

The classified data was later collected by Kaspersky software running on the staffer's home computer.
Written by Zack Whittaker, Contributor

(Image: file photo)

A former National Security Agency hacker has admitted to illegally taking highly classified information from the agency's headquarters, which was later stolen by Russian hackers.

Nghia Pho, 67, a Maryland resident who worked for the NSA's Tailored Access Operations, the agency's elite hacking unit, entered a guilty plea on Friday to charges of willful retention of national defense information.

The Justice Dept. confirmed the news in a statement on Friday. The New York Times was first to report the news.

Documents released by the Justice Dept. accuse Pho of removing top secret information from the agency over a five yer period through March 2015.

Pho held some of the highest levels of security clearance at the agency, including sensitive compartmented information and "need to know" clearance, reserved for only a fraction of the agency's staff.

Although the documents don't make it clear exactly what specific classified data and records were taken -- beyond hard copy and digital files stored in Pho's residence -- several earlier reports have pointed to hacking tools developed for offensive operations launched by the NSA, such as targeting foreign networks and systems for conducting surveillance.

News of the breach was first reported by The Wall Street Journal earlier this year, which said hackers working for Russian intelligence had obtained classified NSA data.

The hackers targeted the then NSA employee in 2015 when he opened the classified work on his home computer running Kaspersky antivirus software. Russian hackers are said to have targeted the employee after they identified the NSA files through the antivirus software.

The company's founder Eugene Kaspersky previously said he believes that his company's products were exploited to obtain files from Pho's computer.

Kaspersky admitted to collecting and uploading the classified data to its servers in Moscow, but only after several kinds of malware were found on Pho's computer. (Other antivirus products often upload suspicious data to its servers to analyze.)

Kaspersky, a Moscow-based security company, has repeatedly denied working with the Kremlin to conduct espionage. Eugene Kaspersky told ZDNet this week that his company would "move the business out" of the country if the Russian government asked it to spy.

Pho is expected to be sentenced in April, where he may receive the maximum sentence of ten years in prison. According to the Times, prosecutors are not asking for more than eight years.

The case is one of several major breaches at the NSA since the Edward Snowden disclosures in 2013.

Pho is among three employees to be charged, including Harold Martin, an NSA contractor, who was indicted for removing terabytes of secret data from the agency's headquarters, and Reality Winner, another contractor, who was indicted this year for leaking classified secrets to news site The Intercept.

Another major breach of data included the agency's trove of highly classified hacking tools, which were later used to launch a large scale, global ransomware attack. Earlier this year, hackers used the tools to silently infect Windows computers with a backdoor to then launch the WannaCry ransomware.

This week, ZDNet revealed the fifth and most recent breach of NSA data in as many years, including new details about the Ragtime surveillance program, which targets Americans' data.

Editorial standards