Attacks/Breaches

1/2/2019
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked "Secret" and "Top Secret," in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin's possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin's bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin's motion to suppress his statements to the FBI on the grounds that it was obtained without a Miranda warning.

The latest court document does not shed much new light on Martin's involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court's document shows that the August 2016 raid on Martin's home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin's Twitter account and for a separate warrant to search Martin's resident, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

"In this case, there was a substantial basis for the Magistrate's finding of probable cause to issue the search warrant for information associated with the Defendant's Twitter account," District Judge Richard Bennett wrote in explaining his decision to deny Martin's motion to suppress evidence. The fact that Martin posted his messages just hours before Shadow Brokers made it publicly available, combined with his access to the documents also made the warrant justifiable, the judge said.

"Thus although the Defendant's Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant's messages provide a substantial basis for the Magistrate's conclusion that there was a "fair probability" that evidence would be found in Martin's possession, he said.

Insider Threat

Martin's illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/4/2019 | 4:57:40 PM
Re: Define Stupid
No chance of an employment future. People have received life sentences for far less. Especially if they are able to prove the leaks caused damage to National Security or even put agent lives in danger.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/3/2019 | 9:43:35 AM
Define Stupid
Here you have stupid plus - how can IT contractors be so dumb as to think they can get away with theft of government data and put career and livelihood at risk.  Do you think he has an employment future?  
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6455
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a double-free problem in the function rec_mset_elem_destroy() in the file rec-mset.c.
CVE-2019-6456
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_fex_size() in the file rec-fex.c of librec.a.
CVE-2019-6457
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_aggregate_reg_new in rec-aggregate.c in librec.a.
CVE-2019-6458
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_buf_new in rec-buf.c when called from rec_parse_rset in rec-parser.c in librec.a.
CVE-2019-6459
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_extract_type in rec-utils.c in librec.a.