Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/2/2019
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked "Secret" and "Top Secret," in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin's possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin's bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin's motion to suppress his statements to the FBI on the grounds that it was obtained without a Miranda warning.

The latest court document does not shed much new light on Martin's involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court's document shows that the August 2016 raid on Martin's home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin's Twitter account and for a separate warrant to search Martin's resident, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

"In this case, there was a substantial basis for the Magistrate's finding of probable cause to issue the search warrant for information associated with the Defendant's Twitter account," District Judge Richard Bennett wrote in explaining his decision to deny Martin's motion to suppress evidence. The fact that Martin posted his messages just hours before Shadow Brokers made it publicly available, combined with his access to the documents also made the warrant justifiable, the judge said.

"Thus although the Defendant's Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant's messages provide a substantial basis for the Magistrate's conclusion that there was a "fair probability" that evidence would be found in Martin's possession, he said.

Insider Threat

Martin's illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/4/2019 | 4:57:40 PM
Re: Define Stupid
No chance of an employment future. People have received life sentences for far less. Especially if they are able to prove the leaks caused damage to National Security or even put agent lives in danger.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/3/2019 | 9:43:35 AM
Define Stupid
Here you have stupid plus - how can IT contractors be so dumb as to think they can get away with theft of government data and put career and livelihood at risk.  Do you think he has an employment future?  
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27221
PUBLISHED: 2021-01-21
In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
CVE-2021-1067
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the implementation of the RPMB command status, in which an attacker can write to the Write Protect Configuration Block, which may lead to denial of service or escalation of privileges.
CVE-2021-1068
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVDEC component, in which an attacker can read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or escalation of privileges.
CVE-2021-1069
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVHost function, which may lead to abnormal reboot due to a null pointer reference, causing data loss.
CVE-2020-26252
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...