Nghia Hoang Pho, 68, was sentenced on Tuesday in Baltimore, Maryland by US District Judge George L. Russell, III, the Department of Justice announced. It took nearly a year for Pho to be sentenced, since he pleaded guilty to one count of “willful retention of classified national defense information” in October 2017.
According to the DOJ, the Vietnam-born Pho worked as a developer at the NSA’s Tailored Access Operations (TAO) since April 2006. Starting in 2010 and through March 2015, Pho “removed and retained US government property, including documents and writings that contained national defense information classified as Top Secret and SCI” or sensitive compartmented information, and kept them at his Ellicott City, Maryland home.
“Pho knew that he was not authorized to remove the material or store it at his home,” his plea agreement said.
Here is where things get interesting. According to US Attorney Robert K. Hur, Pho’s actions “compromised some of our country’s most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost.”
Yet Pho pleaded guilty only to keeping the documents at his home, not letting them fall into the hands of a third party – and Hur’s quote is the only bit in the DOJ release to even hint at such a possibility.
Enter the Russians. Original charges against Pho said he had installed security software on his home computer made by the Russian tech firm Kaspersky Lab. Unnamed DOJ officials then told the media that the government believed Russian hackers - who else? - exploited the antivirus software to steal the top secret NSA files. Kaspersky software was quickly banned from all US government computers based on that suspicion.
The company denied the accusations it was being used as a conduit for Russian government hackers, going so far as to offer its source code to the US government for inspection. However, Kaspersky admitted they had, in fact, found NSA malware on an unidentified user’s computer and dated the discovery to September 2014.
According to a Kaspersky statement from October 2017, the unidentified user - who may or may not have been Pho - “appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator...which turned out to be infected with malware.”
Having identified the malware, Kaspersky’s software “scanned the computer multiple times,” which resulted in detection of more suspicious files, including a 7-zip archive.
“The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware,” the company said, referring to the TAO by another name. Kaspersky added that the archive was then deleted from their systems and “not shared with any third parties” on the explicit orders of CEO Eugene Kaspersky himself.
Kaspersky left open the possibility that third-party hackers could have used malware to access those files on their own. Just a few months prior, in April, a group calling itself Shadow Brokers had released the code for many of the NSA’s malware tools, putting the agency into unwelcome spotlight.
Analyzing the hack, NSA whistleblower Edward Snowden confirmed that TAO was the branch of the agency engaged in cyber attacks abroad. Snowden suggested at the time that whoever stole the code had lurked in NSA systems because TAO had not cleaned up after themselves, and that his blowing the whistle in 2013 may have alerted the agency to the breach.
Our IP Address: