
Threat Intelligence

10/21/2016
01:10 PM
NSA Contractor Over 20 Years Stole More Than 50 Terabytes Of Gov't Data

Harold Martin, now in custody, is a risk to himself and others if freed from custody, a US prosecutor warns in a detailed filing in the case.

When law enforcement officials stumbled upon a cache of firearms while executing a search warrant on the premises of Harold Martin, the National Security Agency (NSA) contractor recently arrested for stealing classified information, his very distraught wife asked for the weapons to be removed from her home.

She was afraid that he would use them to kill himself if he "thought it was all over," US Attorney Rod Rosenstein said in a pretrial motion that paints a troubling if somewhat incomplete picture of the man behind what could arguably be the biggest-ever case of insider theft.

Rosenstein's motion, filed in the US District Court for the District of Maryland this week, urges the court not to release Martin from pretrial custody. It uses his wife's concerns of self-inflicted harm and a litany of other reasons as a basis for the request.

The 12-page legal brief alleges that in the 20 years between 1996 and 2016 that Martin worked with government, he stole a staggering 50 terabytes of data in digital form and an additional six banker's boxes full of printed documents.

It is unclear why Martin's alleged theft of classified as well as unclassified data over such an extended period of time was never spotted. The apparent fact that he was able to continue illegally accessing data even after Snowden's data theft prompted a government-wide security overhaul is also sure to raise new alarms about the effectiveness of that overhaul.

A lot of the data he allegedly stole was marked Secret or Top Secret and at least some of it is what the government considers as information of national defense and national security import.

For instance, one of the classified documents allegedly in Martin's possession was marked "Top Secret/Sensitive Compartmented Information" ("TS/SCI") and pertained to specific operational plans against a known US enemy, Rosenstein said. Martin's cache of stolen data is also believed to have included information on top-secret hacking tools developed by US intelligence agencies, the New York Times reported this week, citing unnamed sources.

The staggering volume of data that was allegedly found in Martin's possession would appear to make his theft even bigger than Edward Snowden's heist.

"The Defendant was in possession of an astonishing quantity of marked classified documents which he was not entitled to possess," Rosenstein noted in somewhat of an understatement. "Many of the marked documents were lying openly in his home office or stored in the backseat and trunk of his vehicle."

Martin regularly carried highly sensitive data in his vehicle and routinely parked it in his driveway because he didn’t have an enclosed garage, the filing revealed.

Even the 50,000 gigabytes of digital information that he is believed to have stolen could be a conservative estimate, Rosenstein’s legal brief said, noting that each gigabyte offers enough space for storing 10,000 pages of text and images.

The legal document shows that Martin's alleged illegal behavior began in 1996 when he abused his access to classified information while serving in the US Naval Reserves. Between then and his arrest on August 27, Martin worked at several government agencies including the National Security Agency, as an employee for seven different private contractors.

With his security clearance, Martin worked on highly classified and specialized projects and signed numerous non-disclosure agreements acknowledging the sensitive nature of his work and his commitment not to abuse his access to sensitive data.

"The Defendant's decades of criminal behavior were in flagrant violation of his many promises and oaths, as well as the law," Rosenstein said.

The motion called attention to Martin's enrollment in a Ph.D. program in information security at the time of his arrest, and to his several advanced degrees and expertise in areas like encryption, anonymization, and secure communication. Such skills would make it easy for Martin to access and transmit to others any information he may have stored online, Rosenstein said in arguing against Martin's release from custody.

"As a trusted insider, the Defendant was able to defeat myriad, expensive controls placed on that information," and he has the skill to transfer all of the stolen information electronically and make it available to others if he was given access to the Internet, the prosecuting attorney noted.

The motion does not make clear what Martin's motives might have been. But it makes clear that there's enough evidence to suggest that Martin either illegally shared or planned to share the data with others.

For example, the 10 firearms recovered from his home included an "AR-style tactical rifle and a pistol-grip shotgun with a flash suppressor."

In addition, he had a loaded handgun in his car in violation of state law. If Martin had stolen the data for his own edification, as claimed, there would have been little reason to "arm himself as though he were trafficking in dangerous contraband," Rosenstein argued.

Similarly, a printed email chain marked "Top Secret" recovered from Martin's car had handwritten notes on the back of the document describing classified technical operations that appear intended "for an audience outside of the Intelligence Community."

'Prime Target'

The extensive publicity the case has received guarantees that every foreign counterintelligence agency knows Martin has access to highly sensitive data either hidden in physical locations, cyberspace, or stored in his head, the filing said.

"This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself," Rosenstein said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...