Seriously Risky Business Newsletter
October 30, 2025
Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Knocknoc.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The former general manager of a US defence contractor, Peter Williams, has pleaded guilty to selling "eight sensitive and protected cyber-exploit components" to Russian 0day broker Operation Zero*.
The broker claims to buy exploits from developers and resell them to non-NATO buyers, including the Russian government.
Williams, an Australian national, was previously employed by Australia's signals intelligence agency ASD, from around 2007 to the mid-2010s. He later joined Linchpin Labs, which was acquired alongside Azimuth Security to form what eventually became L3Harris Trenchant, the vulnerability and exploit development subsidiary of L3Harris. By the time of his arrest, Williams had become the general manager there.
The thefts occurred over three years from 2022, and reportedly netted him USD$1.3 million.
The DoJ doesn't specify which exploits Williams stole and sold, but earlier this month TechCrunch reported that the company had separate teams developing Google Chrome and iOS 0days.
In that same TechCrunch article, Trenchant was reported to be investigating a possible leak of company tools. An unnamed security researcher was even fired in early 2025, reportedly for being involved in leaking Google Chrome exploits. That researcher told TechCrunch he was "a scapegoat". He said he was an iOS researcher, so didn't even have access to the vulnerabilities Trenchant suspected him of leaking.
It is noteworthy that Williams was in charge of the leak investigation and fired the unnamed researcher.
This whole episode is sordid and almost as serious as a leak directly from a Five Eyes agency. It's even led some activists to question the role of commercial outfits in developing these types of exploits.
Leaks from commercial vendors are, evidently, a risk. But we wouldn't throw the baby out with the bathwater just yet.
Governments need exploits to protect and advance their interests and it's just not realistic for them to bring all vulnerability research and exploit development in-house and share those capabilities across agencies.
Even within a single government, needs and resources differ significantly between agencies. Take the US, for example. The NSA needs a variety of exploits that can be used covertly to address the nation's highest intelligence priorities.
These intelligence requirements are enduring and so the agency balances the benefits of using exploits with the risks of them being discovered and burnt. It, correctly, tends to be more cautious about flinging exploits around because the fate of nations hangs on its ongoing ability to access targets.
Cyber capabilities are central to the NSA's mission, and given its size and resourcing, it makes sense that it has specialist exploit development teams. It is not going to want to share these hard-earned capabilities with agencies that, in its view, will gamble them on less-important short-term operations.
The FBI, for example, has different imperatives that result in a different risk calculus. It may need to defend its methods in court, so must be prepared to accept a greater level of transparency. Targets are typically less sophisticated and targeting is often short term: find evidence, arrest, convict, move on.
Both the NSA and FBI have real requirements for exploits, but they want to use them in different ways. There is a real tension here that makes it difficult for them to share tools.
And it's not just the FBI. Within the US alone there are a multitude of agencies that have a legitimate interest in acquiring cyber capabilities, but don't have the size, the skills or the focus to make it practical to build them in-house.
And that's just in the US law enforcement and intelligence community, never mind the broader Five Eyes. This is a gap that the private sector can, and does, fill.
Rather than clamping down on private sector exploit development firms that sell to responsible customers, we expect governments will try to encourage more robust personnel security. Being a defence contractor, L3Harris is, in some sense, "inside the tent" and will already have pretty strict security procedures in place. But we expect there will be a review of those procedures.
The reality is that exploit development is of intense interest to states of all shapes and sizes. Security researchers have been targeted by state hackers, even ones at Trenchant.
Although secrets are arguably less likely to leak from secret squirrel government intelligence agencies, it is just not possible to keep all exploit development capabilities cloistered away there. Governments need the private sector.
However, regardless of where research is conducted, perfect security is impossible. Sometimes secrets leak.
* CyberScoop was the first to report that the Russian broker was Operation Zero. Risky Business Media has independently confirmed this reporting from its own sources.
The One Man Cyber Army
US National Cyber Director Sean Cairncross wants to counter Chinese cyber threats, but he faces an uphill battle as the federal government's cyber capacity is slashed by workforce and funding cuts.
Speaking at the Meridian Summit in Washington DC, Cairncross said that Chinese cyber behaviour is intended to cause the US harm, CyberScoop reported.
He continued that, "it sits on our critical infrastructure systems and threatens chaos."
He said that, to date, the US has not done a great job of sending the message to China that its behaviour in cyberspace "is unacceptable".
That's fair enough, but we are left wondering how he intends to send that message.
In its 2025 annual implementation report, the Cyberspace Solarium Commission 2.0 said that the US government's "ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping". Per the report:
This year's assessment makes clear that technology is evolving faster than federal efforts to secure it. Meanwhile, cuts to cyber diplomacy and science programs and the absence of stable leadership at key agencies like the Cybersecurity and Infrastructure Agency (CISA), the State Department, and the Department of Commerce have further eroded momentum.
Four out of five of the report's recommendations suggest reversing the Trump administration's workforce and funding cuts. They included: restore workforce and funding at CISA; restore funding and personnel at the state department; restore support to… You get the idea.
We'd be very surprised if any of these recommendations are implemented.
The report's top suggestion, however, is to "enhance the authorities of the Office of the National Cyber Director" (ONCD). It says that although the office has "proven effective at convening agencies and shaping strategy", it doesn't have the clout to enforce decisions across government.
It continues that President Donald Trump should issue an executive order to essentially empower the ONCD with increased authority to review agency cyber budgets and "convening authority" over civilian cyber policy.
This recommendation seems like it would appeal to President Trump's preference for strong and decisive executive decision-making, and we hope it gains some traction. In infosec terms, a strong ONCD is a compensating control for the loss of cyber capacity across the rest of the federal government.
Is it enough? We don't think so. But it's the best that we can hope for in the short term.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Victims escape scam compound: Over a thousand people have escaped from the KK Park scam compound in the wake of a Myanmar military raid. Outside observers were previously skeptical about the raid, and there are reports that it was staged due to international pressure. But it appears that the raid achieved some good.
- Ransomware payment rates at all-time low: According to ransomware incident response firm Coveware, ransom payment rates in the third quarter of the year were only 23%. Given the sheer amount of ransomware around that is still a lot of payments, but back in 2019 the payment rate was 85%, so this is real progress.
- Google announces recovery contacts: Among other scam protections, Google is rolling out a feature that allows eligible personal Google accounts to designate trusted accounts to help verify user identities in the event of a lost or stolen device or account compromise.
Sponsor Section
In this Risky Business sponsor interview, Patrick Gray chats with Knocknoc CEO Adam Pointon about why true Zero Trust architectures never really got there. Spinning up ZTNA access to core applications and slapping SSO prompts on everything else is great, but if we're honest, it's not really Zero Trust. So, how and why did we get here?
Shorts
UK Defence Leak Resulted in 49 Deaths
A UK Ministry of Defence (MoD) data breach has resulted in the deaths of 49 Afghans, according to a study conducted for a parliamentary inquiry. In 2022, after the Taliban had seized control of the country, the MoD accidentally leaked a spreadsheet containing the details of 19,000 people who had worked for the UK government in Afghanistan.
The study also found a "profound mismatch" between the advice being provided by the MoD compared to the risks that individuals identified in the breach were facing. MoD advice was to use a VPN and limit social media use. Respondents' experiences included: "I was recognised by the Taliban and badly beaten up", "the Taliban searched my family home and continue to threaten my relatives" and "my father was brutally beaten to the point that his toenails were forcibly removed, and my parents remain under constant and serious threat".
According to The Guardian, the UK government has spent over £2 billion over the past two years to relocate more than 20,000 of the affected individuals to the UK.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq dissect a recent Chinese CERT report that the NSA had hacked China's national time-keeping service.
Or watch it on YouTube!
From Risky Bulletin:
HackingTeam successor linked to recent Chrome zero-days: The company that formed from the remnants of Italian spyware vendor HackingTeam is now allegedly involved in hacking all sorts of private and public sector targets in Belarus and Russia.
Memento Labs has targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations.
The company operates a spyware platform named Dante, through which it deploys infrastructure, exploits, and its final payload—the LeetAgent implant/agent.
[more on Risky Bulletin]
Russian bill would require researchers to report bugs to the FSB: Russian lawmakers are working on a new bill that would require security researchers, security firms, and other white-hat hackers to report all vulnerabilities to the state, in a law that's similar in spirit to a law already in effect in China since 2021.
The bill is currently being discussed among lawmakers, and no official draft is available. It is part of Russia's efforts to regulate its white-hat ecosystem, a process officials began back in 2022.
[more on Risky Bulletin]
iOS 26 change deletes clues of old spyware infections: Apple's latest mobile operating system update, iOS 26, has made a change to a crucial log file that stores evidence of past spyware infections.
According to iPhone forensics and investigations firm iVerify, Apple is now rewriting the shutdown.log file after every device reboot, instead of appending new data at the end.
This is removing older log entries that contain indicators of compromise with spyware families such as NSO's Pegasus and Intellexa's Predator.
[more on Risky Bulletin]
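To keep what a rewrite-on-reboot discards, an investigator can capture the live log regularly and fold each copy into an append-only archive, detecting whether the device appended or started the file over. This is an added Python example, not code from the newsletter, iVerify or Apple; the line format and the per-boot header line are constructed assumptions, not Apple's documented shutdown.log format.

```python
import re

# Constructed sample line format (assumed, not Apple's documented format); each
# snapshot is the full content of the live log at capture time.
_PATH_RE = re.compile(r"\((/[^)]*)\)$")

def _overlap(archive: list[str], snapshot: list[str]) -> int:
    """Length of the longest archive suffix that equals a snapshot prefix."""
    for k in range(min(len(archive), len(snapshot)), 0, -1):
        if archive[-k:] == snapshot[:k]:
            return k
    return 0

def merge_snapshot(archive: list[str], snapshot: list[str]) -> tuple[list[str], str]:
    """Fold a fresh copy of the live log into the archive; returns (archive, mode).

    mode == "append": the snapshot still starts with everything archived so far.
    mode == "rewrite": the file was truncated and restarted, so only its new lines
    are added and the older entries survive in the archive.
    Caveat: a boot that reproduces the archive's last lines verbatim would be
    misread as an append; a per-boot header line (as in the samples) avoids that.
    """
    k = _overlap(archive, snapshot)
    return archive + snapshot[k:], ("append" if k == len(archive) else "rewrite")

def paths_under(archive: list[str], prefix: str) -> list[str]:
    """Process paths recorded in the archive that sit under `prefix`."""
    found = [m.group(1) for m in map(_PATH_RE.search, archive) if m]
    return [p for p in found if p.startswith(prefix)]

SNAPSHOT_1 = [  # constructed: first capture
    "=== boot 2025-10-01 ===",
    "SIGTERM: remaining client pid: 412 (/usr/libexec/legitd)",
    "SIGTERM: remaining client pid: 977 (/private/var/tmp/.suspicious)",
]
SNAPSHOT_2 = SNAPSHOT_1 + [  # constructed: device appended (older behaviour)
    "=== boot 2025-10-08 ===",
    "SIGTERM: remaining client pid: 413 (/usr/libexec/legitd)",
]
SNAPSHOT_3 = [  # constructed: device rewrote the file from scratch
    "=== boot 2025-10-15 ===",
    "SIGTERM: remaining client pid: 415 (/usr/libexec/legitd)",
]

def run_demo() -> tuple[list[str], list[str]]:
    archive, modes = [], []
    for snap in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3):
        archive, mode = merge_snapshot(archive, snap)
        modes.append(mode)
    return archive, modes
```

After the third snapshot the live file alone no longer contains the `/private/var/tmp` entry, but the archive still does.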