The National Security Agency discovered what has been called the largest breach of classified data in its history in 2016 after getting a tip from a Russian cybersecurity firm that the U.S. government has banned from its networks as a spy threat, according to people familiar with the matter.
Federal prosecutors in August 2016 arrested a former NSA contractor, Harold T. Martin III, accusing him of taking home without permission at least 50 terabytes of data — the rough equivalent of 500 million pages of material — that included highly sensitive hacking tools.
But the NSA’s enhanced vigilance was not what led to Martin’s arrest at his home in Glen Burnie, Md.
Rather, earlier that month, Moscow-based Kaspersky Lab notified the NSA that it had received strange Twitter messages from Martin seeking to speak with Kaspersky’s founder, along with a cryptic comment, “shelf life, three weeks,” according to two people familiar with the matter who spoke on the condition of anonymity to discuss an ongoing investigation.
The messages were sent shortly before a massive online release of NSA hacking tools, according to a redacted court document made public last month. The coincidence startled the Kaspersky researchers who had received the messages and who, through Internet sleuthing, identified Martin as the sender.
The court document and Kaspersky’s role in alerting the NSA were first reported by Politico.
The release of NSA tools by a group calling itself the Shadow Brokers rattled the agency, and suspicion immediately fell upon Martin, who had access to the NSA’s elite hacking unit.
However, while U.S. intelligence officials said they have long believed the Shadow Brokers is linked to Russian intelligence, no evidence has emerged publicly in Martin’s case to suggest he was the group’s source. Martin, who is in plea negotiations over charges of willful retention of national defense information and theft of government property, is not facing accusations that he transmitted classified material to any unauthorized recipient.
Kaspersky Lab declined to comment, as did Martin’s defense attorney, James Wyda, and the U.S. attorney’s office for the District of Maryland, which is prosecuting Martin. His trial is set for June.
For years, U.S. intelligence agencies suspected that the company, founded by Eugene Kaspersky, a graduate of a KGB-supported cryptography school, was enabling Russian espionage. In early 2015, the firm issued a report on a sweeping espionage operation run by an entity it dubbed “The Equation Group” that was widely understood to be the NSA. The report revealed NSA tools and capabilities, causing great concern within the agency and the Obama administration.
Then, in September 2017, the U.S. government moved to ban the use of Kaspersky software by federal agencies amid concerns that the company’s software could enable Russian spying. Kaspersky has issued public statements denying it helps any government with cyberespionage.
The Twitter messages Kaspersky shared with federal authorities helped provide the legal basis for a magistrate judge to issue a search warrant for Martin’s Twitter account and then for his house.
“Although [his] Twitter messages could have had any number of innocuous meanings in another setting,” their timing and his access to the tools made for “a fair probability” that a search would turn up evidence of a crime, wrote U.S. District Judge Richard D. Bennett in a December memorandum explaining his decision not to suppress evidence obtained by the FBI.
On Aug. 27, 2016, two weeks after the Shadow Brokers first released the NSA’s hacking tools online and as Russia was engaged in an operation to interfere in the U.S. presidential election, nine SWAT agents dressed in protective gear, some with guns drawn, confronted Martin at his home, according to Bennett’s memo.
Martin was placed face down on the ground and handcuffed. Then he was interrogated by three FBI agents for four hours. More than a dozen officers searched Martin’s home, shed and car, according to the memo. They were stunned by the material they found — six banker’s boxes of paper documents, dozens of computers, thumb drives and other digital storage devices that belonged to the government, prosecutors said.
Martin’s haul included more than 75 percent of the NSA’s hacking tool library, some U.S. officials said. Prosecutors said he took the government data over a 20-year period — the result, his lawyer has said, of a “compulsive” hoarding habit.
Martin held a series of contracting jobs and worked at the NSA from 2012 to 2015 as an employee of Booz Allen Hamilton. He worked in the agency’s Tailored Access Operations unit, which created and deployed the tools used to hack into networks around the world for intelligence.
Martin is in jail, pending resolution of his case.