Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked "Secret" and "Top Secret," in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin's possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin's bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin's motion to suppress his statements to the FBI on the grounds that it was obtained without a Miranda warning.

The latest court document does not shed much new light on Martin's involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court's document shows that the August 2016 raid on Martin's home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin's Twitter account and for a separate warrant to search Martin's resident, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

"In this case, there was a substantial basis for the Magistrate's finding of probable cause to issue the search warrant for information associated with the Defendant's Twitter account," District Judge Richard Bennett wrote in explaining his decision to deny Martin's motion to suppress evidence. The fact that Martin posted his messages just hours before Shadow Brokers made it publicly available, combined with his access to the documents also made the warrant justifiable, the judge said.

"Thus although the Defendant's Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant's messages provide a substantial basis for the Magistrate's conclusion that there was a "fair probability" that evidence would be found in Martin's possession, he said.

Insider Threat

Martin's illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Related Content:

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights