The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country.
Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation. They spoke with POLITICO on condition of anonymity because they’re not authorized to discuss the case.
The company’s role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history.
It indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA’s most sophisticated and sensitive hacking tools.
The revelation also introduces an ironic turn in the negative narrative the U.S. government has woven about the Russian company in recent years.
Under both the Obama and Trump administrations, officials have accused the company of colluding with Russian intelligence to steal and expose classified NSA tools, and in 2016 the FBI engaged in an aggressive behind-the-scenes campaign to discredit the company and get its software banned from U.S. government computers on national security grounds. But even while the FBI was doing this, the Russian firm was tipping off the bureau to an alleged intelligence thief in the government’s own midst.
“It’s irony piled on irony that people who worked at Kaspersky, who were already in the sights of the U.S. intelligence community, disclosed to them that they had this problem,” said Stewart Baker, general counsel for the NSA in the 1990s and a current partner at Steptoe and Johnson. It’s also discouraging, he noted, that the NSA apparently still hasn’t “figured out a good way to find unreliable employees who are mishandling some of their most sensitive stuff.”
“We all thought [Martin] got caught by renewed or heightened scrutiny, and instead it looks as though he got caught because he was an idiot,” he told
As for Kaspersky, news about its assistance in apprehending Martin likely won’t satisfy detractors who believe the company can still be a tool of Russian intelligence even if it occasionally assists the U.S. government.
Martin, who is set to go to trial in June, was arrested Aug. 27, 2016, following a search of his home and was subsequently indicted in February 2017. He’s been charged with 20 counts of unauthorized and willful retention of national defense information, each of which carries up to 10 years in prison.
The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.
The first message, sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.
The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.
The Twitter messages, along with clues Kaspersky researchers found that linked the Twitter account to Martin and his work in the U.S. intelligence community, led the researchers to wonder if Martin was connected to Shadow Brokers. This led the company to contact the NSA and suggest it investigate him, according to the sources.
POLITICO first reported the existence of the Twitter messages last week when they were mentioned in a court ruling made public after Martin’s attorneys unsuccessfully sought to invalidate FBI search warrants used in the case, on grounds that the bureau didn’t have probable cause to obtain them.
U.S. District Judge Richard Bennett disagreed, citing the Twitter messages. He wrote that although the cryptic messages “could have had any number of innocuous meanings in another setting,” their timing and Martin’s potential access to Equation Group hacking tools through his government work made him a logical suspect in the Shadow Brokers investigation.