
How a Russian firm helped catch alleged data thief

The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country.

Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation. They spoke with POLITICO on condition of anonymity because they're not authorized to discuss the case.

The company's role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history.

It indicates that the government's own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA's most sophisticated and sensitive hacking tools.

The revelation also introduces an ironic turn in the negative narrative the U.S. government has woven about the Russian company in recent years.

Kaspersky Lab's 10th anniversary party in Italy in September 2018 | Ian Gavan/Getty Images for Kaspersky Lab

Under both the Obama and Trump administrations, officials have accused the company of colluding with Russian intelligence to steal and expose classified NSA tools, and in 2016 the FBI engaged in an aggressive behind-the-scenes campaign to discredit the company and get its software banned from U.S. government computers on national security grounds. But even while the FBI was doing this, the Russian firm was tipping off the bureau to an alleged intelligence thief in the government's own midst.

“It's irony piled on irony that people who worked at Kaspersky, who were already in the sights of the U.S. intelligence community, disclosed to them that they had this problem,” said Stewart Baker, general counsel for the NSA in the 1990s and a current partner at Steptoe and Johnson. It's also discouraging, he noted, that the NSA apparently still hasn't “figured out a good way to find unreliable employees who are mishandling some of their most sensitive stuff.”

“We all thought [Martin] got caught by renewed or heightened scrutiny, and instead it looks as though he got caught because he was an idiot,” he told POLITICO.

As for Kaspersky, news about its assistance in apprehending Martin likely wont satisfy detractors who believe the company can still be a tool of Russian intelligence even if it occasionally assists the U.S. government.


Martin, who is set to go to trial in June, was arrested August 27, 2016, following a search of his home and was subsequently indicted in February 2017. He's been charged with 20 counts of unauthorized and willful retention of national defense information, each of which carries up to 10 years in prison.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message, sent on August 13, 2016, asked the researcher to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny. The message didn't indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant only for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency's stolen code for the price of 1 million bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

POLITICO first reported the existence of the cryptic Twitter messages last week when they were mentioned in a court ruling | Douglas E. Curran/AFP via Getty Images

The Twitter messages, along with clues Kaspersky researchers found that linked the Twitter account to Martin and his work in the U.S. intelligence community, led the researchers to wonder if Martin was connected to Shadow Brokers. This led the company to contact the NSA and suggest it investigate him, according to the sources.

POLITICO first reported the existence of the Twitter messages last week when they were mentioned in a court ruling made public after Martin's attorneys unsuccessfully sought to invalidate FBI search warrants used in the case, on grounds that the bureau didn't have probable cause to obtain them.

U.S. District Judge Richard Bennett disagreed, citing the Twitter messages. He wrote that although the cryptic messages “could have had any number of innocuous meanings in another setting,” their timing and Martin's potential access to Equation Group hacking tools through his government work made him a logical suspect in the Shadow Brokers investigation.

The partially redacted ruling quoted only two of the five messages the mysterious Twitter account sent the company, and the names of the recipients were redacted. Kaspersky's role as recipient and informant had not been previously disclosed.

A Kaspersky spokeswoman declined to confirm the company's involvement in the case or comment on the record.


According to the sources who spoke with POLITICO, Kaspersky gave the NSA all five Twitter messages as well as evidence of the sender's real identity. Then, according to the redacted court document, the FBI used the evidence to obtain search warrants for Martin's Twitter account and Maryland home and property. The document doesn't indicate how the FBI learned of the Twitter messages or Martin's identity.

The home search on August 27, 2016, was a massive raid involving nearly two dozen FBI agents and SWAT team members with guns drawn, underscoring the case's urgency and the government's concerns about whom else Martin might have contacted. The search uncovered a trove of classified data in hard copy and digital format that Martin had taken between 1996 and 2016 — material that the government has said included some of the same Equation Group tools the Shadow Brokers possessed.

The tools were some of the most prized surveillance implements the spy agency used to track suspected terrorists, conduct other national security investigations and collect intelligence.

Questions have lingered about whether Martin supplied the classified tools to Shadow Brokers, but he has not been charged with espionage, nor have prosecutors indicated Martin had any contact with the group. The group continued to publish online after Martins arrest, discounting theories that he himself was the Shadow Brokers.

A patriot with a compulsive disorder?

Although the cryptic Twitter messages could be read as suggesting he was exploring the possibility of passing sensitive data to either Kaspersky or the Russian government, his attorneys have argued in court that no evidence exists that Martin intended to pass information to anyone. He's a patriot who recklessly amassed and stored the classified material only because he suffers from a compulsive disorder, his public defender, James Wyda, has said.

Matt Tait, a former information security specialist at Britain's GCHQ spy agency, thinks it's interesting that Martin zeroed in on Kaspersky for his correspondence.

“Why did he choose Kaspersky versus Sophos or Symantec?” he said, referring to two other antivirus companies. “He would have known better than others what that meant when the U.S. government says Kaspersky is hostile. Why did he choose that company versus another company, and what did he expect them to do?”

These are questions that may only be answered in court, if Martin doesn't strike a plea deal.

Martin's defense attorney, Wyda, declined to comment this week when POLITICO asked why his client contacted Kaspersky.


The revelation about how Martin was caught renews long-standing questions about the NSA's ability to prevent or detect theft of its secrets, even after increasing internal security measures following the 2013 leaks by agency contractor Edward Snowden. Those measures played no role in flagging Martin, according to the sources who spoke with POLITICO, though it's not clear they were in place at the time Martin took material from the agency.

Either way, the NSA was desperate in August 2016 to uncover the identity of Shadow Brokers and determine where they got the stolen tools, but it was only after Kaspersky turned Martin in that he became a suspect.

Like Snowden, Martin had a top secret national security clearance and had worked for defense and intelligence contractor Booz Allen Hamilton and other contracting companies since the late 1990s. His work with Booz Allen included jobs at the NSA between 2012 and 2015, and in the Office of the Director of National Intelligence and a Defense Department office, where some of his thefts occurred.

Over the years, he worked on “a number of highly classified, specialized projects,” according to court records, and his work for the NSA put him directly in its Tailored Access Operations unit for a time — the unit that created and used the Equation Group tools. However, a former TAO worker has said Martin was simply a front office worker who wasn't involved in spy operations there.

A sign for the National Security Agency (NSA), U.S. Cyber Command and Central Security Service | Saul Loeb/AFP via Getty Images

Martin's downfall unfolded in the following manner, according to the people who spoke with POLITICO.

The first Twitter messages HAL999999999 sent to one of the Kaspersky researchers began as if they were already engaged in an ongoing conversation or had previously conversed. “So….figure out how we talk. With Yevgeny present,” the message said. Then “Shelf life, three weeks.”

He sent the messages on August 13, 2016, but they sat unread for three days. That's because the researcher didn't follow the HAL account, so the private messages went to a request folder. The researcher was on vacation and saw the messages three days later, after Shadow Brokers had made headlines and published batches of NSA tools.

The sender's Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA's Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher's account.


Two days later, the same account sent three private messages to a different Kaspersky researcher.

“Still considering it..,” the first message said. When the researcher asked, “What are you considering?” the sender replied: “Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne.” Four minutes later he sent the final message: “Actually, this is probably more accurate” and included a link to a YouTube video showing the finale of the film “Inception.”

The Bourne comment appears to reference a Jason Bourne film about a former CIA assassin on the run from the agency, which was released in U.S. theaters two weeks before the Twitter user contacted Kaspersky. It and the “Inception” film deal with the difficulties of distinguishing truth and reality from deception and illusion.

The Kaspersky researcher didn't respond to the Twitter sender after this. Instead, he and colleagues conducted some online sleuthing and were able to easily unmask the sender's identity.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sadomasochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and “technical advisor and investigator on offensive cyber issues.” The LinkedIn profile didn't mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

Armed with this information, on August 22 a Kaspersky employee contacted an NSA worker he'd recently met at a conference and sent him the evidence, suggesting the agency might want to investigate Martin. The FBI obtained the warrant for Martin's Twitter account on the 25th, and he was arrested two days later following the search of his home.

The FBI declined to comment on this new information, as did the U.S. Attorney's office handling the case.

Tait told POLITICO that any legitimate security researchers in Kaspersky's position would notify the government if a potential leaker contacted them.

“These researchers seem to have taken the view that they know how to work out how the NSA does hacking through legitimate means; they don't need leakers inside the NSA to do their job, and it probably doesn't help them to be seen as actively antagonistic to the U.S.,” Tait said. “It undermines their ability to claim they're a legitimate threat intelligence organization.”

But Kaspersky's efforts apparently earned the company little regard in the government.

Under growing scrutiny

Months after Martin was formally charged, the government's campaign against the company, which had been percolating in the background throughout 2016, also went public.

Although Kaspersky has worked with U.S. law enforcement and security firms for years to track hackers, the company's relationship with the government began to grow tense around 2012 as it exposed a series of covert NSA spy kits and hacking operations after finding the previously unknown spy software on customers' machines. The company has exposed more U.S. spy operations than any other cybersecurity firm in the last six years, and has in turn become a hacking target of spy agencies itself for its success in exposing not only NSA operations but those of Israel, the United Kingdom and France.

One of its most significant revelations occurred in February 2015 when the company announced discovery of a suite of sophisticated spy programs it dubbed the Equation Group tools — long before the Shadow Brokers began leaking tools from the same group in 2016.

Kaspersky discovered the tools on computers in the Middle East in 2014, and later that year its antivirus software detected them on a machine in the U.S. Kaspersky believed the machine had been infected with Equation Group surveillance software, but in fact it was the home computer of an NSA employee named Nghia Hoang Pho, who had improperly taken home classified documents and NSA code he was helping develop that were related to the Equation Group toolset.

Kaspersky Lab CEO Eugene Kaspersky at the Kaspersky Transparency Summit in November 2018 | Adrian Bretscher/Getty Images for Kaspersky Lab

Kaspersky's software uploaded the material from Pho's computer to the company's servers, as part of a standard procedure antivirus programs use to analyze previously undiscovered malicious code. Kaspersky has insisted that once it realized the collection wasn't malware, CEO Eugene Kaspersky ordered his researchers to destroy the files.

But the collection of files helped fuel U.S. allegations that Kaspersky itself poses a security threat. That's because, unknown to Kaspersky at the time, Israel had hacked the company's network in 2014, and in 2015 quietly told U.S. officials that it saw Russian intelligence operatives siphon the tools from Pho's machine with Kaspersky's cooperation or knowledge, using its antivirus software. The public only learned about this allegation in 2017 when anonymous sources leaked it to reporters. But no evidence backing this claim has ever been made public, and nobody has explained how the Israelis knew the extraction was not just part of standard infection analysis and cleanup.

Sometime in 2015, the FBI began investigating Kaspersky's relationship with the Russian government, and by 2016, the bureau was privately urging U.S. companies to cut business ties with the firm. Then in February 2017, the month Martin was indicted, DHS sent a secret report to government agencies saying Kaspersky's software posed a national security risk. News of the report was leaked to the media along with a revelation that the FBI was investigating the company.

Seven months later, DHS issued a directive banning Kaspersky software from civilian government computers because “the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” The ban led consumer giant Best Buy to announce it would no longer install Kaspersky antivirus software on computers it sells.

Kaspersky has long denied that it has cooperated with Russian intelligence in any capacity to obtain U.S. secrets. And the U.S. government has never publicly indicated that it has any evidence to support suspicions that the company has helped the Russian government use its software to spy on Kaspersky customers.

In any case, the timing of these events is notable: It's not clear whether Kaspersky knew about the FBI investigation or the Israeli allegations when the company turned Martin in to the NSA in 2016. Such knowledge could have made the company wonder if Martin's communication was a test.

Baker told POLITICO that Kaspersky's role in Martin's arrest wasn't out of character for the company, which he doubts has ever actively aided Russian intelligence and which, he said, has always wanted to be an accepted part of the cybersecurity fraternity.

“[The company] recognized that it had a problem, given its origin and location [in Russia], and so where it could be helpful to the U.S. government and show that it was not a hostile force it wouldn't have surprised me that it would do something that was meant to be … a goodwill gesture toward the U.S. government,” he said.

Although he doesn't think the government's subsequent treatment of the company was wrong, “it is pretty ironic,” he said. “And I'm sure the people at Kaspersky are feeling as though they did the right thing and it did them no good.”
