
NSA Shadow Brokers Data Leak: Prime Suspect Named

Cybersecurity hacks, like bank robberies, are often inside jobs to one degree or another, anecdotal evidence tells us.

Yet another example showed up in a new U.S. District Court opinion that fingered Harold Martin, an ex-National Security Agency (NSA) third-party contractor long suspected as a central figure in the Shadow Brokers’ 2016 heist and subsequent online fire sale of the agency’s top secret hacking tools.

Martin apparently sent a Twitter message just hours before the Shadow Brokers put up for sale on the dark web a trove of the NSA’s highly classified hacking tools, according to a new ruling released by U.S. District Court for the District of Maryland Judge Richard Bennett, Politico reported. The timing was too convenient not to make a tie-in, Bennett said. Based on suspicions aroused by the tweet, Martin was arrested in August 2016 after Federal Bureau of Investigation (FBI) agents raided his Maryland home and uncovered some 50 terabytes of government data he wasn’t supposed to have.

(Some more background: The Shadow Brokers began stealing NSA spy tools in 2016, some of which catalyzed the destructive WannaCry ransomware outbreak that year. Shortly after WannaCry emerged, the Shadow Brokers promised to release the NSA’s hacking tools every month, a threat the group didn’t carry out. Late in 2017, law enforcement still had no clues as to who did it.)

Now, more than two years after the NSA bungle, it looks like new ties to the hacks are slowly emerging. While Judge Bennett's ruling doesn’t specifically link Martin to the Shadow Brokers burglary, it does underline that the FBI believed he was a prime mover in the caper, as Politico reported. “The Defendant’s Twitter messages … were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online content-sharing sites, including Twitter,” Bennett wrote.

In the aftermath, Martin admitted he was caught with the goods but later sought to suppress some evidence that FBI officials gathered from his home in the raid. Judge Bennett denied the motion, which means that the evidence can be presented at Martin’s trial this coming June, some three years after his arrest. Still, none of this directly connects Martin to the Shadow Brokers or establishes whether he actually leaked classified information to the hackers that found its way to an online marketplace.

The FBI, however, is closing in on other suspects, Politico reported. Last September, a federal judge sentenced Nghia Pho, who was employed by the same NSA hacking team that sprung the leak, to five and a half years in prison for walking off with top secret information over a five-year period. Pho acknowledged he did it but claimed it wasn’t to betray the U.S. but rather to spruce up a job performance evaluation, a hard-to-believe defense considering the time span of his packing up sensitive NSA materials.

Pho stored the information he snuck out on an unsecured personal computer. The data was subsequently lifted by Russia-backed cyber attackers, possibly by exploiting flaws in Moscow-based security provider Kaspersky’s software to identify files.

D. Howard Kass
