Products by the security software company Kaspersky Lab were banned from use by the United States government last year over security concerns, and its reputation has been badly damaged. In a surprising twist, Kaspersky personnel were reportedly the source of crucial information that led investigators to a former NSA contractor accused of stealing an enormous cache of classified material.
Harold T. Martin III was arrested in October of 2016. Prosecutors claim that Martin took unauthorised possession of thousands of pages of documents and “many terabytes” of data belonging to the NSA. Much of the information Martin allegedly had at his home in Maryland was classified.
As a contractor for consulting company Booz Allen Hamilton, he did contract work for the NSA and Defence Department. Citing two sources with knowledge of the investigation, Politico reports that it was Kaspersky Lab that flagged suspicious activity by Hamilton to the NSA. Politico writes:
The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.
The first message sent on Aug. 13, 2016, asked for him to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.
Approximately 30 minutes after Kaspersky Lab received the messages, the hacking group known as the Shadow Brokers started releasing hacking tools that were stolen from the NSA. The Shadow Brokers proceeded to offer other NSA tools for sale, and the breach is considered one of the most catastrophic leaks in cybersecurity history.
The weird messages stuck out to Kaspersky staff, and the timing raised suspicions. According to Politico, they found clues linking the “Twitter account to Martin and his work in the U.S. intelligence community.” Getting the sense that there could be a connection between the strange messenger and the Shadow Brokers, Kaspersky’s people allegedly contacted the NSA to warn the agency that Martin could be a suspect.
It’s not clear exactly what clues led Kaspersky’s people to allegedly identify Martin, but documents filed by U.S. prosecutors indicate that “the user hal999999999 had a display picture matching the MVA photo of the Defendant.” Such a sloppy mistake is shocking because Martin worked for the NSA’s elite hacking unit that was formerly known as Tailored Access Operations.
The information reportedly provided by Kaspersky Lab was then used to obtain search warrants for Martin’s home and property. When asked about the veracity of the Politico report, Kaspersky Lab told Gizmodo it has no comment at this time.
Eugene Kaspersky has vigorously denied accusations that his company has close ties to Russian intelligence. Suspicions of the Moscow-based security company began to take root during the Obama administration, and President Trump officially signed a ban on the federal government doing business with Kaspersky in 2017.
Kaspersky is well-regarded in the cyber-security community, and without the U.S. government supplying evidence, the accusations have always been a bit odd.
In October of 2017, Kaspersky did confirm that his company downloaded classified documents from an NSA analyst in 2014. But according to Kaspersky, this was simply because his software detected malware on the analyst’s computer. The analyst allegedly set his Kaspersky software to send reports of any malicious detection, and as instructed it proceeded to download a 7-zip archive of documents for further review. According to Kaspersky, staff discovered that the file contained classified information, and he ordered it destroyed.
Martin’s case has also been bizarre. Edward Snowden was also a Booz Allen contractor before he leaked classified information and fled the United States, ultimately landing in Russia. Martin allegedly had much more illicit data in his possession than Snowden—an estimated 50 TB — including some of the same stolen hacking tools that the Shadow Brokers have distributed online. But prosecutors have struggled to prove that Martin had any malicious intent or shared the documents with a third-party. Martin’s lawyers have claimed that he suffers from a mental disorder that compelled him to begin hoarding documents in the ‘90s.
The timing of the revelation that Kaspersky has been beneficial in tracking down NSA suspects coincides with a court appearance by Martin’s defence team on Tuesday. His lawyers argued that they need full access to the hard drives that were confiscated from their client’s home. For one reason, they say that an analysis of metadata on the hard drive would help prove Martin never opened the files.
The lawyers hope that evidence will help support their argument that Martin was simply hoarding the data. Because of the files’ sensitive nature, prosecutors have resisted supplying a full mirror of the hard drives and have offered an abbreviated catalogue of the drives’ contents.
Martin is charged with 20 counts of illegal retention of classified information. He has offered to plead guilty to one count, which would carry a maximum sentence of 10 years in prison, but prosecutors have rejected that deal.
The question of why Martin would do any of this lingers. If he was simply hoarding information, as his defence claims, what was the purpose of sending the private messages on Twitter? Did he send those private messages? And if this is all part of a verifiable mental disorder, why would prosecutors seek such a harsh penalty?
Martin’s trial is scheduled to begin in June, and we could get some more answers as then court proceedings unfold. Then again, maybe we won’t.