Monday, 14 January 2019 11:56

Kaspersky-NSA yarn aims to reinforce Russian link to Shadow Brokers

ANALYSIS Ex-NSA employees are the most likely sources for a yarn that ran in the American website Politico last week, claiming that researchers from Russian security firm Kaspersky Lab had tipped off the NSA that one of its employees, Harold Martin, could be worth investigating, after he allegedly sent Twitter messages to them.

While the article claimed to be articulating an unlikely angle — that Kaspersky Lab, which has been pushed out of the US public market by a well-organised government campaign, had helped the spy agency which probably provided information for the campaign against it — it actually serves to revive an old narrative: that the Shadow Brokers, an unknown person or persons who dumped a large number of NSA exploits on the Web in 2016, are Russian or have Russian links.

Martin is one of two NSA employees in government custody for taking classified material home; he is said to have taken nearly 50 terabytes of data home over 20 years and was arrested in August 2016. The claims about his contacting Kaspersky Lab researchers were made after a court hearing in his case resulted in the release of redacted proceedings that mentioned some of the tweets in question.

Politico said it had obtained five messages sent from an account that had been traced to Martin; in the court proceedings only two were mentioned and most of the material about them was redacted.

Shortly after the messages landed, the Brokers dumped a number of NSA exploits online and announced that they would be offering more similar exploits for a price. One message asked for a meeting with "Yevgeny" – and this was taken to refer to Kaspersky Lab chief Eugene Kaspersky, whose actual first name is Yevgeny.

Another said, "Shelf life, three weeks."

The Politico yarn, written by freelancer Kim Zetter, claims that the messages, along with the fact that Martin was working for the NSA, led the Kaspersky researchers to suspect a link with the Shadow Brokers and, as a result, contact the NSA to turn in Martin.

This is the first time that there has been an attempt to link the Shadow Brokers to Russia through Martin. Prior to this, there was speculation that another arrested NSA employee, Nghia Hoang Pho, had unwittingly been the source for the Shadow Brokers.

Pho was taken into custody in 2015 after taking hacking tools home.

The fact that files from Pho's computer had been uploaded to Kaspersky's servers was made known by the Russian firm itself; a report from Kaspersky Lab in October said Pho had the company's anti-virus software running on his PC, but appeared to have turned it off in order to run a key generator so he could install a pirated copy of Microsoft Office; had the A-V not been turned off, it would not have allowed the key generator to be run.

Later, when he turned the anti-virus back on, it had run a scan on his computer, and since Kaspersky Security Network was running, it had submitted samples of suspected NSA malware code present on his machine to Kaspersky's servers for analysis. Like any A-V solution, the software uploads suspicious files to a server for later analysis and when it encountered the NSA files on Pho's machine, it did the same.

How the Russians obtained these exploits has never been made clear, with allegations in the media that after they reached Kaspersky's Moscow offices, they were handed over to Russian government hackers. Kaspersky has denied handing over any files and said that once the nature of the files was noticed, they were all immediately deleted.

iTWire understands that the investigation carried out by Kaspersky Lab was done by a senior researcher from its American operations, Brian Bartholomew, a former employee of the US State Department.

The fact that Zetter took the story to Politico, rather than The Intercept for which she writes as well — a website with a much better reputation — is an indication that it was leaked by intelligence sources. The editor of The Intercept, Glenn Greenwald, is known to be strongly opposed to providing a forum for unnamed government and intelligence sources to ply their wares in the publication he runs.

Despite the bid to link the Brokers to Russia, the logical explanation is that they are English-speaking individuals and most probably ex-NSA employees.

One indication in this direction is the language used by the Shadow Brokers in a number of posts they made on the websites Steemit and Medium. While broken English was used in these posts, it is clear to anyone with a knowledge of the language that they had to be written by someone whose first language was English.

Secondly, the Shadow Brokers have displayed knowledge about the inner workings of the NSA that only someone from within could have. For instance, in April 2017, they published a number of tweets, since deleted, providing specific details about some of the work undertaken by a former spook, Jake Williams.

The tweets provided details about his involvement in a number of hacks during his days as a member of the NSA's Tailored Access Operations unit (which was disbanded in 2016 and absorbed into the agency’s new Directorate of Operations).

The tweets startled Williams who, until then, had not disclosed the fact that he had worked for the TAO during his NSA days. They were published shortly after he had written a blog post about the Shadow Brokers on the website of Rendition Infosec, a company he now runs.

Both the leak of NSA secrets by former contractor Edward Snowden and the Shadow Brokers are said to have shocked the NSA and created a crisis of confidence within the organisation. And the theory that says ex-NSA employees were the leakers in the second case argues that they did it in order to ensure that there would be change within the organisation.

This is not the first time that someone or a group has sought to create a narrative that links the Shadow Brokers to Russia.

A Washington-based security company, InGuardians, slipped a report to former Washington Post employee Brian Krebs in 2017, containing claims about the identity of the person behind the leak of NSA exploits by the Shadow Brokers, and claiming he was Russian.

Krebs ran the story in great detail and then suddenly took it down (archived version here). He mentioned the takedown at the very end of a story he wrote about the arrest of Pho. Comments were not allowed on this article, presumably to avoid criticism of his earlier claim.

When iTWire quizzed Krebs as to the reasons for his taking down the article, he did not provide a reply, indulging instead in personal slurs. Krebs' agenda in writing up the InGuardians "research" was questioned by well-known US security blogger Marcy Wheeler.

Zetter can probably take comfort in the fact that she is not the first one to be recruited to run this line. And she probably won't be the last either.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
