Attacks/Breaches

1/2/2019
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked "Secret" and "Top Secret," in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin's possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin's bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin's motion to suppress his statements to the FBI on the grounds that it was obtained without a Miranda warning.

The latest court document does not shed much new light on Martin's involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court's document shows that the August 2016 raid on Martin's home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin's Twitter account and for a separate warrant to search Martin's resident, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

"In this case, there was a substantial basis for the Magistrate's finding of probable cause to issue the search warrant for information associated with the Defendant's Twitter account," District Judge Richard Bennett wrote in explaining his decision to deny Martin's motion to suppress evidence. The fact that Martin posted his messages just hours before Shadow Brokers made it publicly available, combined with his access to the documents also made the warrant justifiable, the judge said.

"Thus although the Defendant's Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant's messages provide a substantial basis for the Magistrate's conclusion that there was a "fair probability" that evidence would be found in Martin's possession, he said.

Insider Threat

Martin's illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/4/2019 | 4:57:40 PM
Re: Define Stupid
No chance of an employment future. People have received life sentences for far less. Especially if they are able to prove the leaks caused damage to National Security or even put agent lives in danger.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/3/2019 | 9:43:35 AM
Define Stupid
Here you have stupid plus - how can IT contractors be so dumb as to think they can get away with theft of government data and put career and livelihood at risk.  Do you think he has an employment future?  
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.