October 12, 2022

Jareh Dalke arrested for offering NSA documents to the Russians


On September 28, the FBI arrested Jareh S. Dalke, who attempted to sell the Russians some highly classified documents which he exfiltrated within less than a month after he started working at the NSA. Court records provide a lot of interesting details about this case, but also raise a number of questions.



Union Station in Denver, Colorado, where Jareh Dalke provided highly
classified NSA documents to someone he assumed to be a Russian agent



A job at the NSA

At the time of his arrest, Jareh Sebastian Dalke lived in Colorado Springs, Colorado and was 30 years old. He had been a member of the US Army from 2015 to 2018 and obtained a bachelor in Cybersecurity and Information Assurance from Western Governor's University in 2019. According to his resume he also has a master's degree from Norwich University, which includes a focus on cyber policy and technical vulnerability analysis.

On June 6, 2022, Dalke became a civilian employee of the NSA and started as an information systems security designer assigned to an NSA facility in the Washington DC metro area. Not mentioned in the court records is why Dalke took a job more than 1600 miles or 2600 kilometers from where he lived, while the NSA also has a regional Cryptologic Center in Denver, which is just 70 miles or 110 km from his hometown.

It would have made more sense if Dalke only attended a training at the NSA facility near Washington, while his actual job would have been at the regional center in Denver - similar to Edward Snowden, who first attended a two-week training course at NSA headquarters before starting as an infrastructure analyst at the NSA's regional center in Hawaii.


Security clearance

For his new job at the NSA, Dalke's clearance for Secret information from his time at the Army was upgraded to a Top Secret/SCI clearance, which is common for almost everyone working at the NSA. This clearance requires the most rigorous vetting, which includes disclosing financial information like debts and bankruptcies going back seven years.

According to court records, Dalke had filed for bankruptcy in December 2017 when he had some 32,000 USD in student loan debt and 51,000 USD in other non-secured debt, primarily from credit cards. Usually things like these are a red flag, as it makes someone vulnerable to blackmail or willing to sell classified information - which was exactly what happened in this case.


Exploiting a misconfiguration

Once at the NSA, Dalke apparently soon got access to classified information beyond what he was allowed to see. This was due to "a misconfiguration in the system" as he later told his presumed Russian contact. It's asthonising that he found this flaw already within 10 days after he started his job: he printed one of the stolen classified documents already on June 17, 2022. Was this an extreme coincidence or was it orchestrated?

A highly speculative theory could be that the Russians had Dalke recruited early on and urged him to apply for a position at the NSA (which could explain why he took a job that was 1600 miles away). Once Dalke was inside, the Russians gave him the details about the misconfiguration and which information he should look for. In the court records there's nothing that hints at this option, but also not much that contradicts it.


Printing classified documents

Later, Dalke printed at least three additional documents with which he was able to walk out. Exfiltrating printed documents is easier than information in electronic form as the latter can be detected by detection gates. Earlier it had become clear that there were no pocket checks at the NSA and security guards only conducted random checks and used their discretion in order to keep and build the trust of the employees.

It's not clear how Dalke transferred the classified documents to his presumed Russian contact, but he could have known that making a scan or a photo of a printed document still makes it individually traceable.

That was painfully demonstrated by the case of former NSA employee Reality Winner, who printed a document which she provided to the investigative website The Intercept. Due to sloppyness of The Intercept, the document was recognized and traced by the NSA, after which the FBI arrested Winner on June 3, 2017.


The NSA document which Reality Winner leaked to The Intercept in 2017
(click to view the full document)



Contacting the Russians

According to the court records submitted by the FBI, Jareh Dalke abruptly left the NSA because of "a family illness that required him to be away for nine months, a period which the agency was unable to support." He submitted his resignation on June 28 and was debriefed from his TS/SCI clearance on July 1, 2022.

At the end of July, Dalke began communicating with someone he believed to be associated with the Russian government, but who actuallly was an undercover agent of the FBI, a so-called Online Covert Employee (OCE). According to the FBI they exchanged encrypted e-mail messages through a legitimate foreign e-mail provider, likely the Swiss company ProtonMail or a similar secure e-mail provider.

It's not known how Dalke came in contact with the undercover FBI agent, but he could have tried to contact for example the Russian embassy in Washington and was then detected by the FBI which closely monitors such communication channels. If so, the FBI could subsequently contact Dalke under the guise of being a Russian intelligence officer.

(Emptywheel noticed that on the same day that Dalke was arrested, the FBI also arrested Jamie Lee Henry and her wife Anna Gabrielian, who wanted to provide Russia with medical records of senior American military officers)


Dalke's motives

According to court records, Dalke told the undercover FBI agent that he "recently learned that my heritage ties back to your country, which is part of why I have come to you as opposed to others". Although he had already left the NSA, he said that he worked for the US government because he "questioned our role in damage to the world in the past and by mixture of curiosity for secrets and a desire to cause change."

Dalke then told his contact that he had "exfiltrated some information that is of a very high level" which was related to foreign targeting of US systems and information on cyber operations, among other topics.

He added that at the moment he was on a temporary assignment elsewhere that didn't allow him access to such information, but that he planned to return to a position that would give him access to information from both the NSA and another government agency.


Proof of willingness

Dalke offered the information in exchange for a specific kind of cryptocurrency, stating, "there is an opportunity to help balance scales of the world while also tending to my own needs."

On August 5, the undercover FBI agent asked him for some proof, after which Dalke sent him three excerpts, two from Top Secret documents and one from a document classified as Secret. According to NSA records, Dalke had printed these documents on June 17, 22 and 23 and was also the only NSA employee to have printed all of these documents.

On August 10, Dalke also sent his covert contact a full document from another US government agency, as a "show of good faith" and that he was "willing to provide full documents without reservation." This four-page document contained information about a foreign government leader and was classified SECRET//NOFORN.


Request for verification

In two e-mails from August 23 and 24, Dalke requested his covert contact to verify that he was truly a representative of the Russian government. According to court records, Dalke claimed that he had reached out through "multiple published channels to gain a response. This included submission to the SVR TOR site."

The SVR is the Russian foreign intelligence agency, which apparently has a website on the anonymous TOR network as well. Dalke requested a verification by a posting on an official website or through a report in a government-controlled Russian media outlet. It's not clear whether or how this was conducted, but the e-mail communications between Dalke and the undercover FBI agent continued.


The website of the Russian foreign intelligence agency SVR on the public internet


Seeking additional information

On August 26, Dalke claimed that his total debt was already some 237,000 USD and that 93,000 USD was coming due very soon. Accordingly, he requested 85,000 USD in return for all the classified information he had in his possession - a remarkably risky way of solving debts, given the high salaries which Dalke, with his TS/SCI clearance, could have expected when he would take a job in the private sector.

Dalke even told his contact that he would share additional information in the future, once he returned to the Washington DC area. And indeed, on August 11 he had applied to an external vacancy at the NSA again. The NSA's Human Resources Department was unaware of the FBI investigation into Dalke and conducted a telephonic interview with him on August 24, in which he expressed his desire to return to the agency.

This is very similar to Snowden, who took his last job at the NSA to get even more access. But while Snowden was looking for additonal information about NSA collection efforts, Dalke was apparently primarily interested in the money and appeared much less careful in hiding his digital traces.

On August 25, the undercover FBI agent sent a second amount of cryptocurrency to an address that Dalke had provided. A few days later, Dalke deposited a similar amount of the same type of cryptocurrency on an account in his true name at the cryptocurrency exchange Kraken, from which he withdrew the same amount in US dollars (ca. 4,500 USD) and deposited it at his bank account.


Final transfer and arrest

After much back and forth, Dalke and the undercover FBI agent agreed to transfer the full documents in Denver, Colorado. Dalke was told that a secure connection would be available at Union Station, on September 28, 2022, between 11:30 a.m. and 3:30 p.m., during which time he could transmit the classified material.

We don't know how this electronic dead drop worked, but a likely option would be a secure wifi connection. That allows communicating at a certain distance without meeting in person or using the telephone network or the internet.

On September 28, Dalke arrived at Union Station and used his laptop to transfer five documents via the secure connection. Right after that he was arrested by the FBI.


Union Station in Denver, Colorado



Highly classified documents

In Denver, Dalke had sent the undercover FBI agent the following five documents:

1. A letter in which he wrote that he was very happy to provide the information and asked whether there were any desired documents which he was willing to find when he returned to his main office.

2. A ten-page typed document containing additional information related to the threat assessment of the military offensive capabilities of a foreign government (source of excerpt 1 which Dalke had sent his covert contact earlier on).
Classification: TS//SI-G//OC/REL TO USA, CAN, GBR/FISA

3. A fourteen-page typed document containing additional information related to sensitive US defense capabilities, a portion of which relates to a foreign government (source of excerpt 3).
Classification: TS//SI-G//OC/NF

4. A fourteen-page typed document containing additional information regarding plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF

5. A fourteen-page typed annex containing additional information related to the plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF


The abbreviations in these classification markings stand for:

- TS = Top Secret (release would cause exceptionally grave damage to national security)

- SI = Special Intelligence (intelligence from intercepted foreign communications)

- G = GAMMA (highly sensitive communications intercepts)

- OC = ORCON (the originator of the information controls to whom it is released)

- NF = NOFORN (the information may not be disclosed to foreign nationals)

- REL TO USA, CAN, GBR (Releasable to the US, Canada and the United Kingdom)

- FISA (information derived from FISA collection inside the US)


The GAMMA compartment

It is remarkable that all four documents which Jareh Dalke eventually transferred to his covert contact have the classification marking GAMMA, which is a compartment of the Special Intelligence (SI) control system to provide additional protection for highly sensitive communication intercepts.

Such documents are of course closely guarded and even among the more than thousand documents published during the Snowden revelations, there were none from the GAMMA compartment. The Snowden trove did include 12 entries of the NSA's internal WikiInfo platform which has the maximum classification level TOP SECRET//SI-GAMMA/TALENT KEYHOLE, but these particular entries have no GAMMA information in them.

In 2015, however, Wikileaks had published a number of intelligence reports from the GAMMA compartment about the French president, the German chancellor and the UN secretary general. They were part of a series of documents, provided by a still unknown source, which were even more embarrassing for the US government than most of the Snowden files.




Intelligence report classified TOP SECRET//COMINT-GAMMA,
published by Wikileaks in 2015
(click to enlarge)



Conclusion

Almost ten years after Snowden left the NSA with several hundred thousand files, it's remarkable and surprising that it's apparently still possible that someone gets a job there and just walks out with highly sensitive documents - within less than a month!

However, as the court records leave several key questions unanswered, we don't known whether Jareh Dalke was just "lucky" to find a way to solve his debts, or whether he was part of a more sophisticated Russian spying operation.

As former NSA general counsel Rajesh De explained back in 2016, it is unlikely "you’re going to be able to stop every incident of somebody taking documents if they’re determined to do so. But the real question is how quickly can you detect it, how quickly can you mitigate the harm of any such incident." That at least seems to have gone well in this case.



Links and sources
- Court records: Affidavit (Sept. 27) - Indictment (Oct. 7)
- Schneier on Security: NSA Employee Charged with Espionage (Oct. 4, 2022)
- Clearancejobs: Ex-NSA Employee Arrested by FBI for Attempted Espionage (Sept. 30, 2022)
- Emptywheel: FBI Seems to Be Collecting Offers to Spy for Russia (Sept. 30, 2022)
- The New York Times: Former National Security Agency Employee Charged With Espionage (Sept. 30, 2022)

No comments:

Some older articles on this weblog that are of current interest: