Kaspersky Helped NSA Catch Spyware Leaker (Report)


Here's an ironic twist: Kaspersky Lab, the antivirus firm banned from U.S. government computers over suspected Russian intelligence ties, helped the National Security Agency catch a contractor accused of leaking U.S. secrets, a new report says.

A Kaspersky Lab facility outside Moscow. Credit: StockphotoVideo/Shutterstock

Writing for Politico, veteran cybersecurity reporter Kim Zetter says sources told her that Kaspersky researchers in 2016 gave the NSA screenshots of Twitter direct messages in which alleged leaker Harold T. Martin III tried to contact Kaspersky researchers.

The Kaspersky team also gave the NSA Martin's name and location, which the researchers had quickly figured out even though he apparently tried to disguise his identity by using a pseudonymous Twitter account. Five days later, Martin was arrested at his home in suburban Maryland.


Zetter says that on Aug. 13, 2016, Martin tried to reach out to a Kaspersky researcher using a Twitter account named "@hal_99999999". (The account is still up but its Tweets are protected.)

He apparently indicated that he wanted to communicate with "Yevgeny" -- presumably Kaspersky Lab chief Eugene Kaspersky -- and that whatever he wanted to talk about had a "shelf life" of "three weeks."

Those two DMs were mentioned in a December court filing that Politico uncovered last week, although the identity of the messages' recipient was redacted.

Thirty minutes after Martin sent those two DMs, the Shadow Brokers, a still-unknown group thought to be tied to Russian intelligence, started putting stolen NSA malware up for auction online.

However, Zetter said, the Kaspersky researcher Martin tried to contact was on vacation and didn't see the DMs until Aug. 16. He then tried to respond to Martin, but Martin blocked him on Twitter.

On Aug. 18, Martin allegedly tried to reach a second Kaspersky researcher via Twitter direct messages, saying he was "still considering it." Asked by the second researcher what Martin was considering, he said "what we are all fighting for" and referred to a Jason Bourne movie and the movie "Inception."

Kaspersky tipped off the NSA

Instead of continuing the conversation, the Kaspersky team did some digging and found the same Twitter username tied to a personal ad on an S&M website, along with a personal photo and a location. They also found a LinkedIn profile for Martin.

On Aug. 22, a Kaspersky staffer sent the information to someone he knew in the NSA. On Aug. 27, the FBI raided Martin's home and arrested him.

Martin is accused of stealing 50 terabytes' worth of secrets, including spyware and hacking tools used for intelligence gathering, from the NSA and other government agencies over 20 years.

Martin, a contractor employed by Booz Allen Hamilton, the same firm that employed NSA leaker Edward Snowden, contends that he merely took the data home to work on it during off hours. But even that would be a major security violation.

The government seeks to prove that Martin willingly or unwillingly passed along the NSA data to the Shadow Brokers, who tried to sell the purported NSA tools online from August 2016 to April 2017 but eventually started giving them away.

Possible ties to WannaCry

Some of the NSA hacking tools uncovered by the Shadow Brokers were used in the WannaCry ransomware outbreak in May 2017, which has been blamed on North Korea. In June 2017, some of the same tools were used in the NotPetya ransomware attacks, which began in Ukraine, spread across Europe and have since been blamed on Russia.

However, no one has been able to prove a definitive connection between Martin and the Shadow Brokers.

It’s also possible that the Shadow Brokers got the information from Nghia Hoang Pho, a second NSA contractor who also took large amounts of data home.

Pho had Kaspersky antivirus software installed on his home computer, and a story in The Wall Street Journal in October 2017, citing anonymous sources, alleged that the Kaspersky software was used to steal the NSA secrets from his machine.

Kaspersky Lab retorted by saying that Pho’s computer appeared to be infected with unknown malware, and that the malware was uploaded to Kaspersky’s servers as part of normal procedures for analysis. (Most antivirus software routinely does this.)

To make things even more complicated, The New York Times said that the NSA knew this to be the case because it had been given evidence by Israeli spies who had broken into Kaspersky Lab servers.

Pho pleaded guilty to taking secret data home and was sentenced to five and a half years in prison in September 2018.

Martin plans to plead guilty Jan. 22 to a single count of willful retention of national defense information, according to court filings. He still faces trial on 19 other counts. Each of the 20 counts carries a maximum penalty of 10 years in prison.