NSA Contractor Accused of Taking Top-Secret Documents

Cybersecurity , Insider Threat , Risk Management

Arrest Comes Three Years After Snowden Leaks NSA Contractor Accused of Taking Top-Secret DocumentsThe NSA's headquarters in Fort Meade

The FBI arrested a 51-year-old National Security Agency contractor in late August for allegedly stealing top-secret documents that could compromise national security if made public, the U.S. Department of Justice says. There are indications that the case could be resolved before an indictment is filed.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

Harold T. Martin III was detained after investigators executed a search warrant on Aug. 27, finding hard copies and digital copies of classified information after searching a vehicle, storage sheds and his residence in Glen Burnie, Md., according to the Justice Department. Booz Allen Hamilton, Martin's employer, fired him upon learning of his arrest.

Martin's arrest on Aug. 27 was kept secret until a judge approved the unsealing of an FBI affidavit on Oct. 5. Martin has been charged in federal court in Maryland with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor.

Martin's case may come to a quick resolution. On Sept. 13, federal prosecutors asked the court for more time to file an indictment. The motion, which was unopposed by Martin's defense counsel, was granted by U.S. Magistrate Judge Beth P. Gesner. The new deadline is March 1, 2017.

In asking for an extension, prosecutors cited several reasons, including that attorneys are "exploring the possibility of resolving this matter prior to presentation of the case to a grand jury." Martin's public defender couldn't immediately be reached for comment.

If convicted, Martin could face one year in prison for the unauthorized removal and retention of classified materials charge and 10 years for theft of government property.

Shadow Brokers Link?

Martin's arrest comes three years after NSA contractor Edward Snowden, who also worked for Booz Allen Hamilton, rocked the intelligence world by leaking tens of thousands of documents describing sensitive government data collection programs and cyber-espionage tools used to infiltrate foreign networks (see How Did Snowden Breach NSA Systems?).

It's unclear from the FBI's affidavit if the material allegedly stolen by Martin has been publicly released. But his arrest came less than two weeks after a mysterious group called the Shadow Brokers released in mid-August cyber-espionage tools that many experts suspect were developed by the NSA (see Confirmed: Leaked Equation Group Hacking Tools Are Real).

The U.S. government appears to be particularly concerned about six documents investigators recovered, which the Justice Department says were drawn from sensitive intelligence and produced by a government agency in 2014. The documents are critical to a "wide variety of national security issues," the Justice Department claims.

"The disclosure of the documents would reveal those sensitive sources, methods and capabilities," according to the Justice Department's news release.

The Sept. 13 motion gives an indication of the volume of material involved in Martin's case. Thousands of pages of documents and dozens of computers and digital storage devices were taken after he was served with a search warrant, it reads.

"The digital media contained many terabytes of information that must be reviewed by appropriate authorities," according to the motion. In it, a footnote describes a terabyte as equivalent to 500 hours of digital video, 200,000 image files or 1 million electronic books.

How Many Leakers?

Since the Snowden disclosures, subsequent releases of secret information have led to speculation that a second person inside U.S. government intelligence circles may be leaking information.

The theory gained traction after the German publication Der Spiegel in December 2013 published a 50-page catalog of tools from the NSA's Tailored Access Operations unit, which focuses on offensive cyber operations. Der Spiegel did not describe its source for the catalog but did not attribute it to Snowden.

The U.S. government has said Snowden's disclosures caused severe damage to intelligence operations. Snowden, who has been living in Moscow since June 2013, says he leaked the documents to show how the U.S. government's surveillance techniques infringed on the Constitutional rights of Americans. But his claim of being a whistleblower hasn't curried favor with the government, and a presidential pardon seems unlikely.

A fresh blow was delivered to the U.S. government in August when a then-unknown group calling itself the Shadow Brokers released a sample of exploit code and hacking tools that experts say probably came from the NSA (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

The Shadow Brokers set up an auction for an additional batch of secret data it claimed to possess. A note written by the group was filled with what many suspected to be intentional grammar errors contrived by a native English speaker, again fueling theories that an insider may be responsible for the leak.

The hacking tools were sometimes sloppily coded but nonetheless effective, targeting widely used networking equipment that, if compromised, would allow an attacker to intercept and decrypt traffic. Cisco was among the hardest hit vendors, and subsequently patched zero-day exploits in its latest firewalls.

Martin's Background

When investigators questioned Martin, he initially denied taking the documents. But he later admitted taking documents and digital files that he knew were classified, according to the Justice Department.

Martin's LinkedIn profile is still online. The profile, which is under the name Hal Martin, shows he started work in July 2015 as a technical advisor and investigator on offensive cyber issues. It does not list an employer. Before that, Martin's profile says he worked as a contractor and consultant after doing an eight-year stint in the U.S. Navy that ended in 1996.

Martin profile says he started his PhD at University of Maryland, Baltimore County, in 2007 but that he is "trying to finish that dissertation."

Included in the profile is a link to Martin's academic web page, once hosted by UMBC. That web page is offline, but is still in Google's cache. The page contains a collection of links, including one to a research paper from 2014 that includes his university email address.

It appears Martin used his university email address to occasionally comment on security industry discussion forums. In February 2009, the same email address is listed on a discussion thread about the changing nature of applications hosted in data centers, referred to as cloud computing.

The post expresses an opinion about the security of applications that move around different data center environment and server farms. It warns of "commandos and dirty dozen types mounting the electronic castle walls," in an apparent reference to cyberattackers.

The post continued: "You just have to ask yourself if you are ready for digital aiki-do, or do you intend to let digital banditry win the day and plunder your lands. Up to you all. I'm ready if you are." The message was signed with the name "Sanjuro."

Dave Aitel, a former NSA research scientist who's now CEO of Immunity, posted an email he received from Martin in September 2012, in which he references practicing "Tomiki-ryu style Aikido." The email appears to be part of a discussion about activities at Infiltrate 2013, an annual security conference that Immunity runs.