Peter Williams, a veteran cybersecurity executive who was the head of the hacking and surveillance tech division of U.S. defense contractor L3Harris, has been ordered to pay $10 million to his former employer. Williams was the central figure in one of the worst leaks of advanced hacking tools in the history of the United States and its closest allies.

On Wednesday, a judge ordered Williams to pay that amount in restitution on top of the $1.3 million he had already been ordered to pay to L3Harris. Williams, a 39-year-old Australian citizen who previously worked in one of Australia’s intelligence agencies, was until last year the general manager of Trenchant. Born out of the acquisition of two sister startups, Trenchant is L3Harris’ division that develops advanced spyware and hacking tools and sells them to the U.S. government and its allies in the Five Eyes intelligence alliance, a coalition of five English-speaking nations that share classified intelligence with one another. In addition to the U.S., the alliance includes Australia, Canada, New Zealand, and the United Kingdom.

Veteran cybersecurity reporter Kim Zetter first reported the new order to pay restitution in her newsletter. 

Williams’ lawyers did not respond to a request for comment.

Last year, Williams was arrested and accused of stealing seven unspecified trade secrets — almost certainly cyber exploits, which is code that hijacks software vulnerabilities, and surveillance technology — from Trenchant and then selling them to Operation Zero. The Russian firm acts as a broker, buying and selling hacking tools, and it says it works exclusively with the Russian government and local companies.

Williams pleaded guilty and was sentenced to more than seven years in prison. 

Williams made $1.3 million selling the trade secrets, which he used to buy luxury watches, a house near Washington, D.C., and family vacations. Trenchant told prosecutors that it suffered losses of up to $35 million due to Williams’ theft. 

U.S. prosecutors said Williams “betrayed” the United States and its allies by giving Operation Zero, which the U.S. government calls “one of the world’s most nefarious exploit brokers,” tools that could have been used to hack “millions of computers and devices around the world.” 

As TechCrunch previously reported, Williams took advantage of his privileged “full access” to Trenchant’s internal network to siphon the tools out of the company’s offices. After Williams sold the hacking tools to Operation Zero, some of them ended up being used by Russian government spies in Ukraine, and later Chinese cybercriminals, according to former L3Harris employees who recognized the stolen code in cybersecurity research that Google published after investigating the cyberattacks in which those tools were deployed.

Williams also tried to frame one of his employees for the theft.

Poland’s intelligence service said it detected attacks on five water treatment plants where hackers could have taken control of the industrial equipment inside, including, in the worst case, tampering with the safety of the water supply.

The story is relevant beyond Poland’s borders: U.S. water infrastructure has faced similar threats in recent years. In 2021, a hacker briefly gained access to a water treatment plant in Oldsmar, Florida and attempted to increase the level of sodium hydroxide — a caustic chemical — to dangerous levels. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have since warned that water utilities remain a soft target for foreign hackers.

On Friday, Poland’s Internal Security Agency, the country’s top intelligence agency, published a report covering the last two years of the agency’s operations and threats the country faced. The report said Polish intelligence thwarted multiple acts of sabotage from Russian government spies and hackers, who targeted military facilities, critical infrastructure (essential systems such as power grids, water supplies, and transportation networks), as well as civilian targets. These attacks, according to the report, may have resulted in fatalities.  

“The most serious challenge remains the sabotage activity against Poland, inspired and organized by Russian intelligence services. This threat was (and is) real and immediate. It requires full mobilization,” read the report.

The report did not specify whether the hackers behind the attacks on the water treatment facilities were Russian government spies. But Poland has recently been the target of several attempts by Russian government hackers to attack its infrastructure, including a failed attempt to bring down the country’s energy grid. That breach was later attributed to poor security controls at the targeted facilities.

Poland’s experience is part of a growing global pattern of attacks on water and energy infrastructure. As recently as last month, a joint advisory from the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and several other federal agencies warned that Iranian-backed hackers are actively targeting programmable logic controllers — the industrial computers that run water and energy facilities — at U.S. utilities. The same Iranian hacking group, CyberAv3ngers, previously broke into digital control panels at multiple U.S. water treatment plants in Pennsylvania in 2023, in attacks that federal agencies linked to escalating hostilities in the Middle East.

In other words, the attacks against Poland are not unique, they follow a strategy that the Russian government is applying both in war zones such as Ukraine, as well as against Western countries that it sees as longstanding enemies. The plan, according to Polish intelligence, is to destabilize and weaken the West, and cyberattacks and cyberespionage are just tools in a larger toolkit for Putin’s regime.