In a suburb of Cincinnati about 30 minutes north of the Ohio River, right down the street from the local Hooters, a little-known subsidiary of defense giant Northrop Grumman works on contracts for the Central Intelligence Agency.
Xetron Corporation, whose products range from military sensors to communications systems to information security software, shows up in nearly 400 documents published earlier this month by WikiLeaks. Those documents describe some of the tools the CIA uses to hack phones, smart TVs, and other digital products to conduct espionage overseas — and some of the partners that help them do it, like Xetron.
Now Xetron employees are facing additional scrutiny in the wake of the WikiLeaks dump, according to one source familiar with the matter, with some of them suddenly pulled in to polygraph examinations. It’s unclear if the government is conducting an active investigation into the company as a potential source of the leaks or if the firm is simply responding to stepped-up security requirements on some of its projects.
According to the source, it typically takes months for contractors to schedule the polygraph examinations required on certain sensitive government contracts — sometimes up to a year. “But if it was really important for a mission it would happen immediately … or [if there’s] concern about the project,” the person said. Another source familiar with Xetron’s operations said being suddenly asked to sit for a polygraph in the context of normal project requirements is unusual. The sources requested anonymity to preserve their employability in the buttoned-up world of defense contracting.
The FBI, Xetron, and Northrop Grumman all declined to comment. “Thank you for reaching out to us. At this time we’re not able to provide a comment on this matter,” Northrop Grumman spokesperson Matt McQueen wrote.
“We have no comment on the authenticity of purported intelligence documents released by WikiLeaks or on the status of any investigation into the source of the documents,” Heather Fritz Horniak, spokesperson for the CIA, wrote in an email to The Intercept.
The material released by WikiLeaks shows that Xetron provided the CIA with tools to gain unauthorized access to Cisco routers. In one document, Xetron engineers are shown working with “The Bakery” — an unidentified group, possibly a codename for a unit within the CIA — to create “Cinnamon”: a malicious implant for Cisco devices. Another document says that Xetron developed software that routes communications back and forth between computers compromised by the CIA and command servers also controlled by the agency.
Xetron has been sharing hacking techniques with the intelligence community going back to at least 2010, according to documents from NSA whistleblower Edward Snowden. In that year, according to a top-secret schedule, a Xetron representative was slated to present malicious Windows software named “Orca” at one of the CIA’s annual “Jamboree” technology conferences for agency staff and contractors. Orca was designed to circumvent a security feature of Windows that prevented anyone from tampering with programs on a computer hard drive. Orca instead tampered with programs after they had been loaded from the drive into memory.
In a follow-on presentation at the 2011 Jamboree, another Xetron representative was scheduled to detail research into techniques to obscure the origins of malicious software like Orca. In 2012, a Xetron representative was slated to outline a technique for reverse engineering — that is, essentially re-creating — the “embedded” software used to operate real-world machines, according to a Jamboree conference schedule.
It’s not clear whether the CIA ever adopted any of the methods outlined in Xetron’s presentations. Asked about the Snowden documents, the agency wrote that “it is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less. It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.” The NSA did not comment.
Xetron’s proximity to the intelligence community has become particularly noteworthy in the wake of reports that federal investigators are focused on CIA contractors as the most likely sources of the documents published by WikiLeaks — although there is no evidence linking the company to that breach. The documents exposed details on many CIA capabilities, including a library of hacks against smartphones deemed “impressive” by digital security experts. Intelligence officials are taking the breach seriously; the CIA in a statement said the document release would “not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.” According to two sources working at major defense contractors, such employers are taking extra steps to remind employees about company ethics — giving speeches and posting fliers in the halls about appropriate data transfer procedures.
It’s highly likely the government knows where the leak came from, or has a good idea, said Nick Weaver, a senior staff researcher at the International Computer Science Institute in Berkeley.
“I would be shocked if the investigators don’t already know when and by whom the data was accessed, by combining access logs on the server with the very narrow time range when this leak could have occurred,” he wrote in a text message. “If they don’t know this by now, it indicates that a huge amount of effort dealing with insider threats was wasted. Google was able to do this analysis for the data allegedly stolen from their autonomous car project. Why couldn’t the CIA?”
Despite claiming some 68,000 employees as of 2013, Xetron has maintained a relatively low profile over the years. One exception came in 2011, when the hacker collective Anonymous released email purloined from digital security firm HBGary; in one such email, HBGary reportedly discussed negotiating with Xetron to provide Xetron computer malware it could repurpose or re-sell.
Xetron began as a smaller “defense electronics” firm in 1972 and was purchased by Westinghouse Electric Corporation in 1986. Both companies were acquired by Northrop Grumman in 1996. Xetron’s Ohio plant endured an expensive fire, which inflicted $15 million in damage, in the early 1990s.
“Xetron specializes in providing solutions that meet operational needs or fill technology gaps,” reads a recent description of the company written by Northrop Grumman for potential government customers. One specialty includes “computer network operations” — expertise in encryption and intrusion detection as well as “reverse engineering and computer assault.”
“Our many repeat Government customers can attest to the reliability of the products we provide,” the description reads. “Click the links below to learn more about just some of the products and services we offer. Even if you don’t see it here, tell us what you need. Chances are we can help.”
The company draws a large number of students from nearby engineering schools; it has a partnership on “cyber informatics” with the University of Cincinnati where employees of the company can take classes alongside students. In September 2016, representatives of Xetron went to the University of Dayton to recruit engineers “to join their highly skilled Cyber and Intelligence, Surveillance, and Reconnaissance development teams,” according to a public Facebook post.
Multiple former employees described an office environment focused on beating rivals like Lockheed Martin for government contracts, but where it was not unusual to spend years on a proof-of-concept only to see it left unused.
“Morale was weak, to say the least,” one former employee said. Even so, few former employees were willing to discuss even banal details about working at Xetron; it’s not at all clear that the environment would push someone to leak sensitive work product. “I think a lot of them still believe in the mission, they were just overworked and underappreciated.”
Documents published with this article: