# Full Report
The former executive sold the trade secrets to a Russian cyber-tools broker that “publicly advertises itself as a reseller of cyber exploits to various customers, including the Russian government,” according to the Department of Justice.
# Analysis Summary
# Threat Actor: Internal Insider (Peter Williams)
## Attribution & Identity
**Actor Identification:** A former executive of L3Harris's Trenchant division (which deals in spyware and zero-day exploits). The DOJ excerpt above does not name him; this analysis identifies him as Peter Williams. He pleaded guilty to being the seller.
**Aliases/Associated Groups:** None explicitly named for the individual actor, but the activity is linked to a **Russian cyber-tools broker** that advertises exploit resale, including to the Russian government. The activity is framed similarly to international arms dealing in the cyber domain.
## Activity Summary
The individual (**Peter Williams**) stole trade secrets, specifically "sensitive and protected cyber-exploit components" (national security software, including at least eight exploit components), from L3Harris over a three-year period (2022 to 2025). These materials were intended only for sale to the U.S. government and approved allies. Williams sold them to the identified Russian broker in exchange for promised millions in cryptocurrency and provided "follow-on support."
## Tactics, Techniques & Procedures
- **Theft of Trade Secrets:** Stole sensitive and protected cyber-exploit components over three years.
- **Bribery/Corruption:** Received promises of millions in cryptocurrency for the stolen secrets.
- **Contractual Agreements:** Signed multiple contracts with the broker for initial sales and ongoing support.
**MITRE ATT&CK IDs:** Not provided in the source text; any mapping is analyst inference. An authorized insider exfiltrating proprietary exploit code falls under the Collection and Exfiltration tactics (TA0009, TA0010) rather than a single named technique. The IDs originally proposed here did not match their labels: T1552 is Unsecured Credentials (Abuse Elevation Control Mechanism is T1548), and T1510 is not a Data Destruction technique (that is T1485); nothing in the text describes either credential abuse or destruction of evidence.
## Targeting
- **Sectors:** Defense Contractor / Intelligence Technology Sector (L3Harris / Trenchant).
- **Geography:** The actor operated from the US (L3Harris) and sold to a broker servicing the **Russian government** and other entities.
- **Victims:**
  1. **L3Harris / Trenchant:** Direct victim of intellectual property theft ($35 million in losses).
  2. **Unsuspecting Victims:** Inferred targets of the exploits themselves, as the tools were provided to foreign actors "who are not allies with the U.S."
## Tools & Infrastructure
- **Malware Families Used:** The stolen items are described as "spyware exploits" and **"cyber-exploit components"** (zero-days). Specific names of malware or exploit families are not disclosed.
- **Infrastructure (C2, domains, IPs):** No specific malicious infrastructure (C2 addresses, domains, IPs) is mentioned, only that the purchaser is a Russian broker.
## Implications
This incident highlights the significant threat posed by insider access to highly sensitive US defense technology (zero-days and spyware components). The transfer of these capabilities directly to entities working with the Russian government raises severe national security concerns, as these sophisticated tools are now likely being used against various international targets. DOJ officially categorized this activity as comparable to international arms dealing.
## Mitigations
- Strict data access controls and monitoring around zero-day/exploit repositories.
- Enhanced insider threat monitoring for employees with access to classified or sensitive intellectual property, particularly tracking unapproved communications or large cryptocurrency transactions.
- Review employees' outside contractual agreements and monitor for unsanctioned "follow-on support" arrangements involving proprietary cyber tools.
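The first two mitigations above describe monitoring access to exploit repositories for insider activity. The following is an added example, not part of the original report or analysis, of what that monitoring can look like in its simplest form: a detector run over constructed access-log lines that flags a user who pulls from unusually many exploit projects, downloads an unusual volume, or works the repository after hours. The log format, paths, user names and thresholds are all assumptions made for the example.

```python
"""Added example: minimal insider-threat detector over exploit-repository
access logs. Log format, users, paths and thresholds are constructed
assumptions, not data from the case described above."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <path> <bytes>".
# Paths follow the assumed layout /repo/<project>/... so that a user's
# project breadth can be measured.
SAMPLE_LOG = """\
2024-03-04T10:12:01Z alice READ /repo/exploit-a/README.md 2048
2024-03-04T10:14:22Z alice READ /repo/exploit-a/src/main.c 40960
2024-03-04T23:41:05Z bob DOWNLOAD /repo/exploit-a/archive.tar.gz 5242880
2024-03-04T23:43:17Z bob DOWNLOAD /repo/exploit-b/archive.tar.gz 7340032
2024-03-04T23:45:40Z bob DOWNLOAD /repo/exploit-c/archive.tar.gz 6291456
2024-03-05T09:02:11Z carol READ /repo/exploit-b/src/loader.py 8192
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(size),
        })
    return events


def project_of(path):
    """Return the <project> component of an assumed /repo/<project>/... path."""
    return path.split("/")[2]


def detect(events, max_projects=2, max_bytes=10 * 1024 * 1024,
           after_hours=(20, 7), min_after_hours_events=3):
    """Aggregate per user over the supplied window and return
    {user: [reasons]} for users who trip any of three assumed thresholds:
      breadth     - touched more distinct projects than max_projects
      volume      - downloaded more than max_bytes in total
      after_hours - at least min_after_hours_events events between
                    after_hours[0]:00 and after_hours[1]:00 UTC
    """
    per_user = defaultdict(lambda: {"projects": set(), "bytes": 0,
                                    "after_hours": 0})
    for e in events:
        stats = per_user[e["user"]]
        stats["projects"].add(project_of(e["path"]))
        if e["action"] == "DOWNLOAD":
            stats["bytes"] += e["bytes"]
        hour = e["ts"].hour
        if hour >= after_hours[0] or hour < after_hours[1]:
            stats["after_hours"] += 1

    alerts = {}
    for user, stats in per_user.items():
        reasons = []
        if len(stats["projects"]) > max_projects:
            reasons.append("breadth")
        if stats["bytes"] > max_bytes:
            reasons.append("volume")
        if stats["after_hours"] >= min_after_hours_events:
            reasons.append("after_hours")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    for user, reasons in detect(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {', '.join(reasons)}")
```

In practice the thresholds would be derived from each user's own baseline over prior weeks rather than fixed constants, and the alert would be enriched with the user's project assignments so that breadth is judged against what they are authorized to work on; the point of the example is that all three signals come from ordinary repository access logs that the organization already controls.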