Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia

Tom Uren
Friday, October 31, 2025, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
St. Basil's Cathedral (Felipe Simo, https://tinyurl.com/548fdk32; Public Domain)

Published by The Lawfare Institute in cooperation with Brookings

The former general manager of a U.S. defense contractor, Peter Williams, has pleaded guilty to selling "eight sensitive and protected cyber-exploit components" to Russian zero-day broker Operation Zero.*

The broker claims to buy exploits from developers and resell them to non-NATO buyers, including the Russian government.

Williams, an Australian national, was previously employed by Australia's signals intelligence agency ASD, from around 2007 to the mid-2010s. He later joined Linchpin Labs, which was acquired alongside Azimuth Security to form what eventually became L3Harris Trenchant, the vulnerability and exploit development subsidiary of L3Harris. By the time of his arrest, Williams had become the general manager there.

The thefts occurred over three years from 2022 and reportedly netted him $1.3 million.

The Department of Justice doesn't specify which exploits Williams stole and sold, but earlier this month TechCrunch reported that the company had separate teams developing Google Chrome and iOS zero-days.

In that same TechCrunch article, Trenchant was reported to be investigating a possible leak of company tools. An unnamed security researcher was even fired in early 2025, reportedly for being involved in leaking Google Chrome exploits. That researcher told TechCrunch they were "a scapegoat." He said he was an iOS researcher, so he didn't even have access to the vulnerabilities Trenchant suspected him of leaking.

It is noteworthy that Williams was in charge of the leak investigation and fired the unnamed researcher.

This whole episode is sordid and almost as serious as a leak directly from a Five Eyes agency. It's even led some activists to question the role of commercial outfits in developing these types of exploits.

Leaks from commercial vendors are, evidently, a risk. But we wouldn't throw the baby out with the bathwater just yet.

Governments need exploits to protect and advance their interests, and it's just not realistic for them to bring all vulnerability research and exploit development in-house and share those capabilities across agencies.

Even within a single government, needs and resources differ significantly between agencies. Take the U.S., for example. The National Security Agency (NSA) needs a variety of exploits that can be used covertly to address the nation's highest intelligence priorities.

These intelligence requirements are enduring, so the agency balances the benefits of using exploits with the risks of them being discovered and burned. The NSA, correctly, tends to be more cautious about flinging exploits around because the fate of nations hangs on its ongoing ability to access targets.

Cyber capabilities are central to the NSA's mission, and given its size and resourcing, it makes sense that it has specialist exploit development teams. It is not going to want to share these hard-earned capabilities with agencies that, in its view, will gamble them on less important short-term operations.

The FBI, for example, has different imperatives that result in a different risk calculus. It may need to defend its methods in court, so it must be prepared to accept a greater level of transparency. Targets are typically less sophisticated, and targeting is often short term: find evidence, arrest, convict, move on.

Both the NSA and the FBI have real requirements for exploits, but they want to use them in different ways. There is a real tension here that makes it difficult for them to share tools.

And it's not just the FBI. Within the U.S. alone, a multitude of agencies have a legitimate interest in acquiring cyber capabilities but don't have the size, the skills, or the focus to make it practical to build them in-house.

And that's just in the U.S. law enforcement and intelligence community, never mind the broader Five Eyes. This is a gap that the private sector can, and does, fill.

Rather than clamping down on private-sector exploit development firms that sell to responsible customers, we expect governments will try to encourage more robust personnel security. Being a defense contractor, L3Harris is, in some sense, "inside the tent" and will already have pretty strict security procedures in place. But we expect there will be a review of those procedures.

The reality is that exploit development is of intense interest to states of all shapes and sizes. Security researchers have been targeted by state hackers, even ones at Trenchant.

Although secrets are arguably less likely to leak from secret squirrel government intelligence agencies, it is just not possible to keep all exploit development capabilities cloistered away there. Governments need the private sector.

However, regardless of where research is conducted, perfect security is impossible. Sometimes secrets leak.

*CyberScoop was the first to report that the Russian broker was Operation Zero. Risky Business Media has independently confirmed this reporting from its own sources.

The One-Man Cyber Army

U.S. National Cyber Director Sean Cairncross wants to counter Chinese cyber threats, but he faces an uphill battle as the federal government's cyber capacity is slashed by workforce and funding cuts.

Speaking at the Meridian Summit in Washington, D.C., Cairncross said that Chinese cyber behavior is intended to cause the U.S. harm, CyberScoop reported.

He continued, saying that "it sits on our critical infrastructure systems and threatens chaos."

He said that, to date, the U.S. has not done a great job of sending the message to China that its behavior in cyberspace "is unacceptable."

That's fair enough, but we are left wondering how he intends to send that message.

In its 2025 annual implementation report, the Cyberspace Solarium Commission 2.0 said that the U.S. government's "ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping." Per the report:

This year's assessment makes clear that technology is evolving faster than federal efforts to secure it. Meanwhile, cuts to cyber diplomacy and science programs and the absence of stable leadership at key agencies like the Cybersecurity and Infrastructure Agency (CISA), the State Department, and the Department of Commerce have further eroded momentum.

Four out of five of the report's recommendations suggest reversing the Trump administration's workforce and funding cuts. They included the following: restore workforce and funding at CISA; restore funding and personnel at the State Department; restore support to … You get the idea.

We'd be very surprised if any of these recommendations are implemented.

The report's top suggestion, however, is to "enhance the authorities of the Office of the National Cyber Director" (ONCD). It says that although the office has "proven effective at convening agencies and shaping strategy," it doesn't have the clout to enforce decisions across government.

It continues that President Trump should issue an executive order to essentially empower the ONCD with increased authority to review agency cyber budgets and "convening authority" over civilian cyber policy.

This recommendation seems like it would appeal to Trump's preference for strong and decisive executive decision-making, and we hope it gains some traction. In infosec terms, a strong ONCD is a compensating control for the loss of cyber capacity across the rest of the federal government.

Is it enough? We don't think so. But it's the best we can hope for in the short term.

Three Reasons to Be Cheerful This Week:

  1. Victims escape scam compound: Over a thousand people have escaped from the KK Park scam compound in the wake of a Myanmar military raid. Outside observers were previously skeptical about the raid, and there are reports that it was staged due to international pressure. But it appears that the raid achieved some good.
  2. Ransomware payment rates at all-time low: According to ransomware incident response firm Coveware, ransom payment rates in the third quarter of the year were only 23 percent. Given the sheer amount of ransomware around, that is still a lot of payments, but back in 2019 the payment rate was 85 percent, so this is real progress.
  3. Google announces recovery contacts: Among other scam protections, Google is rolling out a feature that allows eligible personal Google accounts to designate trusted accounts to help verify user identities in the event of a lost or stolen device or account compromise.

Shorts

U.K. Defense Leak Resulted in 49 Deaths

A U.K. Ministry of Defense data breach has resulted in the deaths of 49 Afghans, according to a study conducted for a parliamentary inquiry. In 2022, after the Taliban had seized control of the country, the ministry accidentally leaked a spreadsheet containing the details of 19,000 people who had worked for the U.K. government in Afghanistan.

The study also found a "profound mismatch" between the advice being provided by the Ministry of Defense and the risks that individuals identified in the breach were facing. The ministry advice was to use a VPN and limit social media use. Respondents' experiences included: "I was recognised by the Taliban and badly beaten up," "the Taliban searched my family home and continue to threaten my relatives," and "my father was brutally beaten to the point that his toenails were forcibly removed, and my parents remain under constant and serious threat."

According to The Guardian, the U.K. government has spent over 2 billion pounds over the past two years to relocate more than 20,000 of the affected individuals to the U.K.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq dissect a recent Chinese CERT report that the NSA had hacked China's national time-keeping service.

From Risky Bulletin:

HackingTeam successor linked to recent Chrome zero-days: The company that formed from the remnants of Italian spyware vendor HackingTeam is now allegedly involved in hacking all sorts of private- and public-sector targets in Belarus and Russia.

Memento Labs has targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations.

The company operates a spyware platform named Dante, through which it deploys infrastructure, exploits, and its final payload—the LeetAgent implant/agent.

[more on Risky Bulletin]

Russian bill would require researchers to report bugs to the FSB: Russian lawmakers are working on a new bill that would require security researchers, security firms, and other white-hat hackers to report all vulnerabilities to the state, in a law that's similar in spirit to a law already in effect in China since 2021.

The bill is currently being discussed among lawmakers, and no official draft is available. It is part of Russia's efforts to regulate its white-hat ecosystem, a process officials began back in 2022.

[more on Risky Bulletin]

iOS 26 change deletes clues of old spyware infections: Apple's latest mobile operating system update, iOS 26, has made a change to a crucial log file that stores evidence of past spyware infections.

According to iPhone forensics and investigations firm iVerify, Apple is now rewriting the shutdown.log file after every device reboot, instead of appending new data at the end.

This is removing older log entries that contain indicators of compromise with spyware families such as NSO's Pegasus and Intellexa's Predator.

[more on Risky Bulletin]
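The practical consequence of a rewrite-on-reboot log is that a single copy of the file only ever shows the most recent shutdown, so any historical indicators have to be preserved by the investigator rather than by the device. As an added illustration (example code, not from the article, iVerify, or Apple), the script below shows one way to do that: it parses a simplified, constructed line layout (the real shutdown.log format is not reproduced here and should be checked against a reference parser), merges successive snapshots of the file, and reports entries that were present in an earlier copy but are missing from the fresh one. The sample log lines, process paths, and watchlist prefix are all constructed placeholders.

```python
"""Preserve shutdown.log history across reboots by merging successive snapshots.

Added example, not from the article. The line layout parsed here is a simplified,
constructed approximation: each shutdown block lists "remaining client pid" lines
and is closed by a "SIGTERM: [<epoch seconds>]" line. Adapt the regexes to the
real file before using this on actual sysdiagnose output.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed line formats (assumptions, see module docstring).
CLIENT_RE = re.compile(r"^\s*remaining client pid: (\d+) \((.+)\)\s*$")
SIGTERM_RE = re.compile(r"^SIGTERM: \[(\d+)\]")

# Constructed watchlist of path prefixes worth flagging; a placeholder, not a real IoC.
WATCHLIST = ("/private/var/tmp/constructed-suspicious/",)

# Constructed snapshot taken before a reboot: two shutdown blocks are present.
SNAPSHOT_BEFORE = """\
After 4s, there were 1 clients:
\tremaining client pid: 412 (/usr/libexec/constructed-daemon)
SIGTERM: [1000]
After 6s, there were 2 clients:
\tremaining client pid: 633 (/usr/sbin/constructed-service)
\tremaining client pid: 901 (/private/var/tmp/constructed-suspicious/agent)
SIGTERM: [2000]
"""

# Constructed snapshot taken after a reboot: the file was rewritten, so only the
# newest block survives and the earlier blocks (including the flagged one) are gone.
SNAPSHOT_AFTER = """\
After 3s, there were 1 clients:
\tremaining client pid: 511 (/usr/libexec/constructed-daemon)
SIGTERM: [3000]
"""


@dataclass(frozen=True)
class ShutdownEvent:
    """One shutdown block: its timestamp and the (pid, path) clients still running."""
    timestamp: int
    clients: Tuple[Tuple[int, str], ...]

    def key(self) -> Tuple[int, Tuple[Tuple[int, str], ...]]:
        return (self.timestamp, self.clients)


def parse_shutdown_log(text: str) -> List[ShutdownEvent]:
    """Parse the constructed layout into a list of ShutdownEvent, in file order."""
    events: List[ShutdownEvent] = []
    pending: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            pending.append((int(m.group(1)), m.group(2)))
            continue
        m = SIGTERM_RE.match(line)
        if m:
            # The SIGTERM line closes the block; everything collected so far belongs to it.
            events.append(ShutdownEvent(int(m.group(1)), tuple(pending)))
            pending = []
    return events


def merge_snapshots(archive: Sequence[ShutdownEvent],
                    fresh: Sequence[ShutdownEvent]) -> List[ShutdownEvent]:
    """Union of archived and fresh events, de-duplicated and sorted by timestamp."""
    merged = {e.key(): e for e in archive}
    for e in fresh:
        merged.setdefault(e.key(), e)
    return sorted(merged.values(), key=lambda e: e.timestamp)


def detect_truncation(archive: Sequence[ShutdownEvent],
                      fresh: Sequence[ShutdownEvent]) -> List[ShutdownEvent]:
    """Archived events absent from the fresh copy: evidence the file was rewritten."""
    fresh_keys = {e.key() for e in fresh}
    return [e for e in archive if e.key() not in fresh_keys]


def find_watchlisted_clients(events: Sequence[ShutdownEvent],
                             prefixes: Sequence[str] = WATCHLIST) -> List[Tuple[int, int, str]]:
    """Return (timestamp, pid, path) for clients whose path starts with a watched prefix."""
    hits = []
    for e in events:
        for pid, path in e.clients:
            if any(path.startswith(p) for p in prefixes):
                hits.append((e.timestamp, pid, path))
    return hits


if __name__ == "__main__":
    archive = parse_shutdown_log(SNAPSHOT_BEFORE)
    fresh = parse_shutdown_log(SNAPSHOT_AFTER)
    print("lost from fresh copy:", [e.timestamp for e in detect_truncation(archive, fresh)])
    print("hits in fresh copy only:", find_watchlisted_clients(fresh))
    print("hits across merged history:", find_watchlisted_clients(merge_snapshots(archive, fresh)))
```

Run against the fresh copy alone, the watchlisted client is invisible; run against the merged history it is still there, which is the whole argument for archiving each snapshot rather than relying on the device to keep appending.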


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.