Tag Archives: Cyber Security

WikiLeaks says it releases files on CIA cyber spying tools

FILE PHOTO: People are silhouetted as they pose with laptops in front of a screen projected with binary code and a Central Inteligence Agency (CIA) emblem, in this picture illustration taken in Zenica, Bosnia and Herzegovina October 29, 2014. REUTERS/Dado Ruvic/File Photo/Illustration

By Dustin Volz and Warren Strobel

WASHINGTON (Reuters) – Anti-secrecy group WikiLeaks on Tuesday published what it said were thousands of pages of internal CIA discussions about hacking techniques used over several years, renewing concerns about the security of consumer electronics and embarrassing yet another U.S. intelligence agency.

The discussion transcripts showed that CIA hackers could get into Apple Inc iPhones, Google Inc Android devices and other gadgets in order to capture text and voice messages before they were encrypted with sophisticated software.

Cyber security experts disagreed about the extent of the fallout from the data dump, but said a lot would depend on whether WikiLeaks followed through on a threat to publish the actual hacking tools that could do damage.

Reuters could not immediately verify the contents of the published documents, but several contractors and private cyber security experts said the materials, dated between 2013 and 2016, appeared to be legitimate.

A longtime intelligence contractor with expertise in U.S. hacking tools told Reuters the documents included correct “cover” terms describing active cyber programs.

Among the most noteworthy WikiLeaks claims is that the Central Intelligence Agency, in partnership with other U.S. and foreign agencies, has been able to bypass the encryption on popular messaging apps such as WhatsApp, Telegram and Signal.

The files did not indicate the actual encryption of Signal or other secure messaging apps had been compromised.

The information in what WikiLeaks said were 7,818 web pages with 943 attachments appears to represent the latest breach in recent years of classified material from U.S. intelligence agencies.

Security experts differed over how much the disclosures could damage U.S. cyber espionage. Many said that, while harmful, they do not compare to former National Security Agency contractor Edward Snowden’s revelations in 2013 of mass NSA data collection.

“This is a big dump about extremely sophisticated tools that can be used to target individual user devices … I haven’t yet come across the mass exploiting of mobile devices,” said Tarah Wheeler, senior director of engineering and principal security advocate for Symantec.

Stuart McClure, CEO of Cylance, an Irvine, California, cyber security firm, said that one of the most significant disclosures shows how CIA hackers cover their tracks by leaving electronic trails suggesting they are from Russia, China and Iran rather than the United States.

Other revelations show how the CIA took advantage of vulnerabilities that are known, if not widely publicized.

In one case, the documents say, U.S. and British personnel, under a program known as Weeping Angel, developed ways to take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

The CIA and White House declined comment. “We do not comment on the authenticity or content of purported intelligence documents,” CIA spokesman Jonathan Liu said in a statement.

Google declined to comment on the purported hacking of its Android platform, but said it was investigating the matter.

Snowden on Twitter said the files amount to the first public evidence that the U.S. government secretly buys software to exploit technology, referring to a table published by WikiLeaks that appeared to list various Apple iOS flaws purchased by the CIA and other intelligence agencies.

Apple Inc did not respond to a request for comment.

The documents refer to means for accessing phones directly in order to catch messages before they are protected by end-to-end encryption tools like Signal.

Signal inventor Moxie Marlinspike said he took that as “confirmation that what we’re doing is working.” Signal and the like are “pushing intelligence agencies from a world of undetectable mass surveillance to a world where they have to use expensive, high-risk, extremely targeted attacks.”

CIA CYBER PROGRAMS

The CIA in recent years underwent a restructuring to focus more on cyber warfare to keep pace with the increasing digital sophistication of foreign adversaries. The spy agency is prohibited by law from collecting intelligence that details domestic activities of Americans and is generally restricted in how it may gather any U.S. data for counterintelligence purposes.

The documents published Tuesday appeared to supply specific details to what has been long-known in the abstract: U.S. intelligence agencies, like their allies and adversaries, are constantly working to discover and exploit flaws in any manner of technology products.

Unlike the Snowden leaks, which revealed the NSA was secretly collecting details of telephone calls by ordinary Americans, the new WikiLeaks material did not appear to contain material that would fundamentally change what is publicly known about cyber espionage.

WikiLeaks, led by Julian Assange, said its publication of the documents on the hacking tools was the first in a series of releases drawing from a data set that includes several hundred million lines of code and includes the CIA’s “entire hacking capacity.”

The documents only include snippets of computer code, not the full programs that would be needed to conduct cyber exploits.

WikiLeaks said it was refraining from disclosing usable code from CIA’s cyber arsenal “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

U.S. intelligence agencies have said that Wikileaks has ties to Russia’s security services. During the 2016 U.S. presidential campaign, Wikileaks published internal emails of top Democratic Party officials, which the agencies said were hacked by Moscow as part of a coordinated influence campaign to help Republican Donald Trump win the presidency.

WikiLeaks has denied ties to Russian spy agencies.

Trump praised WikiLeaks during the campaign, often citing hacked emails it published to bolster his attacks on Democratic Party candidate Hillary Clinton.

WikiLeaks said on Tuesday that the documents showed that the CIA hoarded serious security vulnerabilities rather than share them with the public, as called for under a process established by President Barack Obama.

Rob Knake, a former official who dealt with the issue under Obama, said he had not seen evidence in what was published to support that conclusion.

The process “is not a policy of unilateral disarmament in cyberspace. The mere fact that the CIA may have exploited zero-day [previously undisclosed] vulnerabilities should not surprise anyone,” said Knake, now at the Council on Foreign Relations.

U.S. officials, speaking on condition of anonymity, said they did not know where WikiLeaks might have obtained the material.

In a press release, the group said, “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

U.S. intelligence agencies have suffered a series of security breaches, including Snowden’s.

In 2010, U.S. military intelligence analyst Chelsea Manning provided more than 700,000 documents, videos, diplomatic cables and battlefield accounts to Wikileaks.

Last month, former NSA contractor Harold Thomas Martin was indicted on charges of taking highly sensitive government materials over a course of 20 years, storing the secrets in his home.

(Reporting by Dustin Volz and Warren Strobel; additional reporting by Joseph Menn, Mark Hosenball, Jonathan Landay and Jim Finkle; Editing by Grant McCool)

Consumer Reports to consider cyber security in product reviews

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

(Reuters) – Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.

The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.

Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization’s director of electronics testing, said in a phone interview.

“This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.

The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.

“Personal cyber security and privacy is a big deal for everyone. This is urgently needed,” said Craig Newmark, the founder of Craigslist who sits on the board of directors at Consumer Reports.

In one high-profile October attack, hackers used a piece of software known as Mirai to cripple an internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours. Another attack in November shut off internet access to some 900,000 Deutsche Telekom customers.

Security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices.

“We need to shed light that this industry really hasn’t been caring about the build quality and software safety,” said Peiter Zatko, a well-known hacker who is director of Cyber Independent Testing Lab, one of the groups that helped Consumer Reports establish the standards.

The first draft of the standards is available online at https://thedigitalstandard.org.

Issues covered in the draft include reviewing whether software is built using best security practices, studying how much information is collected about a consumer and checking whether companies delete all user data when an account is terminated.

Jeff Joseph, senior vice president for the Consumer Technology Association, called the decision by Consumer Reports a “positive step” but cautioned that the group “must be very clear about how they score products and the limitations of what consumers can expect.”

(Reporting by Jim Finkle in Boston; Editing by Peter Cooney and Lisa Shumaker)

Yahoo says about 32 million accounts accessed using ‘forged cookies’

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/File Illustration - RTX2VKYK

(Reuters) – Yahoo Inc <YHOO.O>, which disclosed two massive data breaches last year, said on Wednesday that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach”, in which at least 500 million accounts were affected.

“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company said.

Forged cookies allow an intruder to access a user’s account without a password.

Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.

The company said on Wednesday that it would not award Chief Executive Marissa Mayer a cash bonus for 2016, following the independent committee’s findings related to the 2014 security incident.

Mayer has also offered to forgo any 2017 annual equity award as the breaches occurred during her tenure, Yahoo said.

Last month, Verizon Communications Inc <VZ.N>, which is in the process of buying Yahoo’s core assets, lowered its original offer by $350 million to $4.48 billion.

(Reporting by Rishika Sadam in Bengaluru; Editing by Anil D’Silva)

China warns against cyber ‘battlefield’ in internet strategy

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su

BEIJING (Reuters) – The strengthening of cyber capabilities is an important part of China’s military modernization, the government said on Wednesday, warning that the internet should not become “a new battlefield”.

China, home to the largest number of internet users, has long called for greater cooperation among countries in developing and governing the internet, while reiterating the need to respect “cyber sovereignty”.

But Beijing, which operates the world’s most sophisticated online censorship mechanism known elsewhere as the “Great Firewall”, has also signaled that it wants to rectify “imbalances” in the way standards across cyberspace are set.

“The building of national defense cyberspace capabilities is an important part of China’s military modernization,” the Foreign Ministry and the Cyberspace Administration of China, the country’s internet regulator, said in a strategy paper on the ministry’s website.

China will help the military in its important role of “safeguarding national cyberspace sovereignty, security and development interests” and “hasten the building of cyberspace capabilities”, they said, but also called on countries to “guard against cyberspace becoming a new battlefield”.

Countries should not engage in internet activities that harm nations’ security, interfere in their internal affairs, and “should not engage in cyber hegemony”.

“Enhancing deterrence, pursing absolute security and engaging in a (cyber) arms race – this is a road to nowhere,” Long Zhao, the Foreign Ministry’s coordinator of cyberspace affairs, said at a briefing on the strategy.

“China is deeply worried by the increase of cyber attacks around the world,” Long said.

The United States has accused China’s government and military of cyber attacks on U.S. government computer systems. China denies the accusations and says it is a victim of hacking.

A cyber attack from China crashed the website of South Korea’s Lotte Duty Free on Thursday, a company official said, at a time when South Korean firms are reporting difficulties in China following the deployment of a U.S. missile defense system in South Korea that China objects to.

While China’s influence in global technology has grown, its ruling Communist Party led by President Xi Jinping has presided over broader and more vigorous efforts to control and censor the flow of information online.

The “Great Firewall” blocks many social media services, such as Twitter, Facebook, YouTube, Instagram, Snapchat and Google, along with sites run by human rights groups and those of some foreign media agencies.

Chinese officials say the country’s internet is thriving and controls are needed for security and stability.

(Reporting by Michael Martina and Catherine Cadell; Editing by Nick Macfie)

EU needs common approach on testing banks’ cyber-risks: Dombrovskis

European Commission Vice-President Valdis Dombrovskis addresses a news conference on the European Semester Winter Package in Brussels, Belgium February 22, 2017. REUTERS/Francois Lenoir

BRUSSELS (Reuters) – European Union countries should test bank defenses against cyber-attacks using a common set of requirements, a senior EU official said on Tuesday, as the bloc plans measures to boost the retail market for financial products.

Cyber attacks against banks have increased in numbers and sophistication in recent years, raising questions on lenders’ capacity to protect their customers.

Seeking to reassure savers and strengthen financial stability, several EU countries are conducting tests on banks’ security systems, but EU authorities warned national initiatives may be less effective and more costly than a common EU approach.

“We want to avoid a proliferation of testing obligations that operate in different countries,” the EU commission’s vice president Valdis Dombrovskis told a conference in Brussels.

“We believe tests that meet comparable standards should be recognized across borders,” he added. This could pave the way for common stress-tests carried out at EU level, as suggested by EU officials in past weeks.

The call for higher cyber-security comes as the Commission prepares a policy action plan on retail financial services, such as insurance, loans and payments, that will be released in the coming weeks.

Dombrovskis said the plan would encourage the use of remote identification schemes, such as e-signature and e-identification, to try to boost consumers’ access to financial services and lower costs.

It will also attempt to facilitate the take-up of new technologies in the financial sector, where emerging fintech companies are challenging traditional actors in a range of services, including payments and insurance.

“Our focus should be on removing barriers to market entry and keeping our legislation proportionate,” Dombrovskis said, noting that changes may create new risks that need to be addressed with greater sharing of information among financial firms and common testing of security systems.

(Reporting by Francesco Guarascio; Editing by Keith Weir)

Homeland Security employees locked out of computer networks: sources

A U.S. Customs and Border Protection agent applauds President Donald Trump's remarks at Homeland Security headquarters in Washington, U.S. January 25, 2017. REUTERS/Jonathan Ernst

By Dustin Volz

WASHINGTON (Reuters) – U.S. Department of Homeland Security employees in the Washington area were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter.

It was not immediately clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense.

Employees began experiencing problems logging into networks at 5 a.m. ET on Tuesday due to a problem related to the personal identify verification (PIV) cards used by federal workers and contractors to access certain information systems, one source said. At least four DHS buildings were affected, the source said, including locations used by U.S. Citizenship and Immigration Services.

Another source said the cards did not appear to be responsible. DHS did not immediately respond to requests for comment.

President Donald Trump vowed to make cyber security a priority during his administration, following an election marred by hacks of Democratic Party emails that U.S. intelligence agencies concluded were carried out by Russia in order to help Trump, a Republican, win. At a White House event last month he said he would “hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations.”

Trump had planned to sign a cyber security executive order last month but it was put on hold to allow more time for review.

(Reporting by Dustin Volz; Editing by Jonathan Oatis)

New York state cyber security regulation to take effect March 1

projection of man in binary code representing cyber security or cyber attack

By Karen Freifeld and Jim Finkle

NEW YORK/BOSTON (Reuters) – New York state on Thursday announced final regulations requiring banks and insurers to meet minimum cyber-security standards and report breaches to regulators as part of an effort to combat a surge in cyber crime and limit damages to consumers.

The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc and Anthem Inc .

They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.

The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.

The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.

Covered entities must annually certify compliance.

Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with any insurer that does business in New York.

A task force of U.S. state insurance regulators is also developing a model cyber security law, which individual state legislatures could ultimately choose to adopt.

Hong Kong police struggle to stop brokerage hacking spree

Electric display chart

By Michelle Price

HONG KONG (Reuters) – Hong Kong police are struggling to deal with digital pump-and-dump schemes targeting brokerages – a little-known type of computer-generated fraud that surged in the Chinese territory last year.

Although the money involved was small – only about $20 million worth of shares – there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.

In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.

After last year’s cyber-heist of $81 million at Bangladesh’s central bank and a series of hacks of ATM’s around the world, authorities fear such pump-and-dump schemes could be increasingly used for electronic theft.

Hong Kong is a favored place for such attacks because of the number of thinly-traded penny stocks in the territory and because its securities industry has fallen behind other financial centers in defending against cyber fraud.

At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings Plc and Bank of China International (BOCI) Securities, according to regulators and people familiar with confidential investigations.

A spokesman for HSBC declined to comment.

A spokeswoman for BOCI Securities said he could not comment on its case but the brokerage would continue to invest in IT security.

“If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks,” Ashley Alder, CEO of the Hong Kong Securities and Futures Commission (SFC) and chairman of the International Organization of Securities Commissions, said in a speech to the local legislature last week.

“We’ve seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share trading accounts.”

Such schemes surfaced more than a decade ago in the United States. Charles Schwab Corp, E*Trade Financial Corp and JP Morgan Chase & Co. were identified as victims of these schemes in a 2006 complaint filed by the Securities and Exchange Commission.

The pace of attacks reported in the United States has slowed in recent years after big brokerages implemented a variety of strategies to thwart the hacks, said John Reed Stark, a former chief of the Securities and Exchange Commission’s (SEC) Office of Internet Enforcement.

Some use algorithms to identify and halt unusual trading activity, others scrutinize Internet traffic for orders coming from suspicious servers and one stopped permitting customers to use its online trading platform from buying penny stocks, said Stark, who now runs cyber-security consulting firm John Reed Stark Consulting LLC.

But such protections are rare in Hong Kong, where the government has only recently started suggesting security improvements to banks and brokerages which have traditionally considered stock trading to be low-risk.

TWO-FACTOR AUTHENTICATION

The Hong Kong SFC last year told firms to increase surveillance of client transactions and data protection.

Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators. This might have been thwarted if they were protected with two-factor authentication, the Hong Kong Monetary Authority has said.

Two-factor authentication typically includes a password and a piece of information only the user has, for instance an electronic token with changing numbers.

“Hong Kong is being targeted because they have not instituted the same cyber protections that we see in the U.S. and certain parts of Europe,” said Jeff Cramer, a former U.S. prosecutor.

Cramer, who is managing director with cyber-security investigations firm Berkeley Research Group, said he expects to see more attacks in Hong Kong and perhaps other Asian nations, including China, Japan and South Korea that are also behind in cyber security.

FIGHTING BACK

Such pump and dump cases have proven tough to crack in the United States because the masterminds are typically overseas, using surrogates and pseudonyms to make investments.

Brokerages are typically not required to go public when they are hacked, so cases often only surface when the government files a complaint against suspected cyber criminals, or the hack results in litigation.

The attack involving BOCI Securities year became public after it was sued by a customer that claimed its account was breached.

Trading firm Fast Track Holdings Limited alleged in court documents that somebody hacked into its brokerage account on the afternoon of September 23 using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.

The stock soared more than 30 percent after the purchase, which was made at a 36 percent premium to the previous day’s closing price, Reuters data shows.

BOCI alerted Fast Track of the suspicious activity an hour later, but it has said in court documents it should not be held financially responsible, saying it found no evidence its systems had been compromised.

Peter Pang, Pa Shun’s CFO, told Reuters the management “would keep an eye to the incident and report to the regulators and the public when necessary”.

One person familiar with the case said Fast Track’s management believes the incident was a pump and dump scam and that Pa Shun was targeted because it is thinly-traded, but it remained unclear who was responsible.

Fast Track’s directors did not respond to requests for comment.

(Additional reporting by Jim Finkle in Boston and Jessica Yu, Katy Wong and Donny Kwok in Hong Kong; Editing by Raju Gopalakrishnan)

‘Digital Geneva Convention’ needed to deter nation-state hacking: Microsoft president

microsoft president brad smith

By Dustin Volz

SAN FRANCISCO (Reuters) – Microsoft President Brad Smith on Tuesday pressed the world’s governments to form an international body to protect civilians from state-sponsored hacking, saying recent high-profile attacks showed a need for global norms to police government activity in cyberspace.

Countries need to develop and abide by global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two, Smith said. Technology companies, he added, need to preserve trust and stability online by pledging neutrality in cyber conflict.

“We need a Digital Geneva Convention that will commit governments to implement the norms needed to protect civilians on the internet in times of peace,” Smith said in a blog post.

Smith outlined his proposal during keynote remarks at this week’s RSA cybersecurity conference in San Francisco, following a 2016 U.S. presidential election marred by the hacking and disclosure of Democratic Party emails that U.S. intelligence agencies concluded were carried out by Russia in order to help Republican Donald Trump win.

Cyber attacks have increasingly been used in recent years by governments to achieve foreign policy or national security objectives, sometimes in direct support of traditional battlefield operations. Despite a rise in attacks on governments, infrastructure and political institutions, few international agreements currently exist governing acceptable use of nation-state cyber attacks.

The United States and China signed a bilateral pledge in 2015 to refrain from hacking companies in order to steal intellectual property. A similar deal was forged months later among the Group of 20 nations.

Smith said President Donald Trump has an opportunity to build on those agreements by sitting down with Russian President Vladimir Putin to “hammer out a future agreement to ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures.”

A Digital Geneva Convention would benefit from the creation of an independent organization to investigate and publicly disclose evidence that attributes nation-state attacks to specific countries, Smith said in his blog post.

Smith likened such an organization, which would include technical experts from governments and the private sector, to the International Atomic Energy Agency, a watchdog based at the United Nations that works to deter the use of nuclear weapons.

Smith also said the technology sector needed to work collectively and neutrally to protect internet users around the world from cyber attacks, including a pledge not to aid governments in offensive activity and the adoption of a coordinated disclosure process for software and hardware vulnerabilities.

(Reporting by Dustin Volz; Editing by Dan Grebler)

NSA contractor indicted over mammoth theft of classified data

NSA HQ

By Dustin Volz

(Reuters) – A former National Security Agency contractor was indicted on Wednesday by a federal grand jury on charges he willfully retained national defense information, in what U.S. officials have said may have been the largest heist of classified government information in history.

The indictment alleges that Harold Thomas Martin, 52, spent up to 20 years stealing highly sensitive government material from the U.S. intelligence community related to national defense, collecting a trove of secrets he hoarded at his home in Glen Burnie, Maryland.

The government has not said what, if anything, Martin did with the stolen data.

Martin faces 20 criminal counts, each punishable by up to 10 years in prison, the Justice Department said.

“For as long as two decades, Harold Martin flagrantly abused the trust placed in him by the government,” said U.S. Attorney Rod Rosenstein.

Martin’s attorney could not immediately be reached for comment.

Martin worked for Booz Allen Hamilton Holding Corp when he was taken into custody last August.

Booz Allen also had employed Edward Snowden, who leaked a trove of secret files to news organizations in 2013 that exposed vast domestic and international surveillance operations carried out by the NSA.

The indictment provided a lengthy list of documents Martin is alleged to have stolen from multiple intelligence agencies starting in August 1996, including 2014 NSA reports detailing intelligence information “regarding foreign cyber issues” that contained targeting information and “foreign cyber intrusion techniques.”

The list of pilfered documents includes an NSA user’s guide for an intelligence-gathering tool and a 2007 file with details about specific daily operations.

The indictment also alleges that Martin stole documents from U.S. Cyber Command, the CIA and the National Reconnaissance Office.

Martin was employed as a private contractor by at least seven different companies, working for several government agencies beginning in 1993 after serving in the U.S. Navy for four years, according to the indictment.

His positions, which involved work on highly classified projects involving government computer systems, gave him various security clearances that routinely provided him access to top-secret information, it said.

Unnamed U.S. officials told the Washington Post this week that Martin allegedly took more than 75 percent of the hacking tools belonging to the NSA’s tailored access operations, the agency’s elite hacking unit.

Booz Allen, which earns billions of dollars a year contracting with U.S. intelligence agencies, came under renewed scrutiny after Martin’s arrest was revealed last October. The firm announced it had hired former FBI Director Robert Mueller to lead an audit of its security, personnel and management practices.

A Booz Allen spokeswoman did not have an immediate comment on Martin’s indictment.

Martin’s initial appearance in the U.S. District Court of Baltimore was scheduled for next Tuesday, the Justice Department said.

(Reporting by Dustin Volz in Washington and Jonathan Stempel in New York; editing by Jonathan Oatis and Phil Berlowitz)