
White House Probes Classified Intelligence 'Discord Leaks'

Leaks Likely as Significant as Snowden Files, Vault 7, Shadow Brokers, Expert Says
Headquarters of the U.S. Department of Defense in Arlington, Virginia (Image: Wiyre Media/CC BY 2.0)

The Biden administration is probing how highly classified military and intelligence documents detailing national security secrets came to be leaked on social media.


A tranche of over 100 documents, some marked "Top Secret," appear to have been leaked in multiple batches beginning in January via the Discord messaging service. Apparently unnoticed at the time, the documents subsequently spread via 4Chan, Telegram and Twitter accounts.

U.S. officials say the leaked documents may be genuine, although security experts who have reviewed them say some appear to have been doctored, sometimes crudely.

"The Department of Defense continues to review and assess the validity of the photographed documents that are circulating on social media sites and that appear to contain sensitive and highly classified material," the agency said in a Friday statement.

The Pentagon has referred the matter to the Department of Justice, which confirmed Sunday that it has launched a criminal investigation into the leaks.

Senior DOD officials Friday restricted the flow of classified information with U.S. allies as the agency's probe continues, two U.S. officials told The Washington Post. "One described the clampdown as unusually strict and said it revealed a high level of panic among Pentagon leadership," it reported.

Whether there will be political or diplomatic fallout from the leaks remains unclear. This past weekend, U.S. officials "engaged with allies and partners and have informed relevant congressional committees of jurisdiction about the disclosure," Sabrina Singh, Pentagon deputy press secretary, said in a statement.

The existence of the documents, which include analyses of Russia's invasion of Ukraine dated up to March, was first reported by The New York Times on Friday, one day after the Biden administration said it was investigating a potential leak of intelligence tied to Ukraine. More leaked documents subsequently came to light.

At least some of those documents appear to be genuine, according to multiple experts who have reviewed them. "We're looking at finished intelligence reporting here from multiple U.S. agencies, various sources," said Thomas Rid, an expert on disinformation and information operations who's a professor of strategic studies at Johns Hopkins University.

Many of the leaked documents reportedly focus on assessments of Russia's invasion of Ukraine, including a March 1 battlefield report tied to Russia's attempt to take the eastern Ukrainian city of Bakhmut. But other intelligence reportedly focuses on China, terrorism, Iran's nuclear program, the Middle East and North Korea's missile program, central Africa and more.

Discord Leaks' Impact: 'Significant'

Experts say the leaks reveal not just intelligence assessments but also certain capabilities, such as U.S. intelligence visibility into high-level Russian military planning, as well as the activities of the Wagner Group of mercenaries. The leaks also appear to reveal intelligence gathered by a new, advanced generation of U.S. infrared spy satellites about which little is known, The Washington Post reported.

"The Discord Leaks are probably one of the four most significant intelligence leaks this century" so far, Rid said, together with the files leaked by Edward Snowden, the CIA hacking tool Vault 7 leak and the Shadow Brokers leaks of National Security Agency exploits. While the Discord Leaks contain fewer documents than the others, they include highly secretive, "finished" intelligence assessments, rather than tools or more general communications, he added.

The Discord Leaks documents may have been first disseminated around Jan. 13 via a now-deleted Discord server called "Thug Shaker Central," supposedly named after the person who set up the server, reported Aric Toler, a researcher with Netherlands-based investigative group Bellingcat.

"While it has as yet not been possible to uncover the original source of these apparent leaks, it has been possible to trace the spread of the documents over a variety of internet forums in recent months before they were reported by pro-Russian Telegram channels and then major media outlets," Toler said.

It's possible that a U.S. intelligence analyst leaked or lost the documents, experts say.

In part, that's because some of the leaked information is reportedly marked "NOFORN," a dissemination control the Pentagon says "is used to indicate intelligence information that may not be released in any form to foreign governments, foreign nationals, foreign organizations, or non-U.S. citizens." A document carrying that marking would, by design, have been handled only by U.S. personnel with the appropriate clearance.

Canadian Gas Pipeline

One leaked document discusses Russian hacking group Zarya and screenshots it shared with Russia's Security Service purporting to show access to a Canadian gas pipeline company, reported cybersecurity journalist Kim Zetter. Zarya indicated its hackers could change valve pressure, disable alarms and initiate an emergency shutdown of the unnamed facility. One operational technology expert who spoke with Zetter cast doubt on the claims. "There's a very large gap between having access to a controller like an HMI and being able to actually cause a physical, kinetic, purposeful impact in the world," said Lesley Carhart, a director of incident response at cybersecurity firm Dragos.

Russia Eyed as Culprit

The Ukrainian government in a statement said that President Volodymyr Zelenskyy and his top officials, in a Friday staff meeting, "focused on measures to prevent the leakage of information regarding the plans of the defense forces of Ukraine."

A top Zelenskyy adviser, Mykhailo Podolyak, suggested Russia is behind the leaks, claiming they contained a "very large amount of fictitious information." He said this suggested the leaks were "standard elements of operational games by Russian intelligence and nothing more."

Some former U.S. officials also suggest Moscow might be tied to the leaks, or at least to subsequent attempts to capitalize on them. "As many of these were pictures of documents, it appears that it was a deliberate leak done by someone that wished to damage the Ukraine, U.S. and NATO efforts," a former U.S. deputy assistant secretary of defense, Mick Mulroy, told ABC News.

In at least one document, which includes assessments of Russian and Ukrainian battlefield casualties, researchers report that the figures have been crudely altered to reduce Russia's losses while overstating those of Ukraine.

"Russia's obvious manipulation of some facts has made it more difficult to determine what is real and what is not - something that may help somewhat limit the damage overall, ironically," Mulroy added.

Multiple theories continue to circulate about how the documents, which were apparently folded together before being photographed, came to be leaked. The photographs of the documents reportedly include unusual, extraneous items, such as a knife, a cracked smartphone and glue. Because of that, some have hypothesized that the documents might have been lost and were later found and photographed by whoever posted them.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
