Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/2/2019
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked "Secret" and "Top Secret," in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin's possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin's bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin's motion to suppress his statements to the FBI on the grounds that it was obtained without a Miranda warning.

The latest court document does not shed much new light on Martin's involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court's document shows that the August 2016 raid on Martin's home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin's Twitter account and for a separate warrant to search Martin's resident, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

"In this case, there was a substantial basis for the Magistrate's finding of probable cause to issue the search warrant for information associated with the Defendant's Twitter account," District Judge Richard Bennett wrote in explaining his decision to deny Martin's motion to suppress evidence. The fact that Martin posted his messages just hours before Shadow Brokers made it publicly available, combined with his access to the documents also made the warrant justifiable, the judge said.

"Thus although the Defendant's Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant's messages provide a substantial basis for the Magistrate's conclusion that there was a "fair probability" that evidence would be found in Martin's possession, he said.

Insider Threat

Martin's illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/4/2019 | 4:57:40 PM
Re: Define Stupid
No chance of an employment future. People have received life sentences for far less. Especially if they are able to prove the leaks caused damage to National Security or even put agent lives in danger.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/3/2019 | 9:43:35 AM
Define Stupid
Here you have stupid plus - how can IT contractors be so dumb as to think they can get away with theft of government data and put career and livelihood at risk.  Do you think he has an employment future?  
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.