While the article claimed to be articulating an unlikely angle — that Kaspersky Lab, which has been pushed out of the US public market by a well-organised government campaign, had helped the spy agency which probably provided information for the campaign against it — it actually serves to revive an old narrative: that the Shadow Brokers, an unknown person or persons who dumped a large number of NSA exploits on the Web in 2016, are Russian or have Russian links.
Martin is one of two NSA employees in government custody for taking classified material home; he is said to have taken nearly 50 terabytes of data home over 20 years and was arrested in August 2016. The claims about his contacting Kaspersky Lab researchers were made after a court hearing in his case resulted in the release of redacted proceedings that mentioned some of the tweets in question.
Politico said it had obtained five messages sent from an account that had been traced to Martin; in the court proceedings only two were mentioned and most of the material about them was redacted.
Another said, "Shelf life, three weeks."
The Politico yarn, written by freelancer Kim Zetter, claims that the messages, along with the fact that Martin was working for the NSA, led the Kaspersky researchers to suspect a link with the Shadow Brokers and, as a result, contact the NSA to turn in Martin.
This is the first time that there has been an attempt to link the Shadow Brokers to Russia through Martin. Prior to this, there was speculation that another arrested NSA employee, Nghia Hoang Pho, had unwittingly been the source for the Shadow Brokers.
Pho was taken into custody in 2015 after taking hacking tools home.
The fact that files from Pho's computer had been uploaded to Kaspersky's servers was made known by the Russian firm itself. A report from Kaspersky Lab in October said Pho had the company's anti-virus software running on his PC, but appeared to have turned it off in order to run a key generator so he could install a pirated copy of Microsoft Office; had the A-V not been turned off, it would not have allowed the key generator to run.
Later, when he turned the anti-virus back on, it ran a scan of his computer and, since Kaspersky Security Network was enabled, submitted samples of suspected NSA malware found on his machine to Kaspersky's servers for analysis. Like any A-V solution, the software uploads suspicious files to a server for later analysis, and when it encountered the NSA files on Pho's machine it did the same.
How the Russians obtained these exploits has never been made clear, with allegations in the media that after they reached Kaspersky's Moscow offices, they were handed over to Russian government hackers. Kaspersky has denied handing over any files and said that once the nature of the files was noticed, they were all immediately deleted.
iTWire understands that the investigation carried out by Kaspersky Lab was done by a senior researcher from its American operations, Brian Bartholomew, a former employee of the US State Department.
The fact that Zetter took the story to Politico, rather than The Intercept for which she writes as well — a website with a much better reputation — is an indication that it was leaked by intelligence sources. The editor of The Intercept, Glenn Greenwald, is known to be strongly opposed to providing a forum for unnamed government and intelligence sources to ply their wares in the publication he runs.
Despite the bid to link the Brokers to Russia, the logical explanation is that they are English-speaking individuals and most probably ex-NSA employees.
One indication in this direction is the language used by the Shadow Brokers in a number of posts they made on the websites Steemit and Medium. While broken English was used in these posts, it is clear to anyone with a knowledge of the language that they had to be written by someone whose first language was English.
Secondly, the Shadow Brokers have displayed knowledge about the inner workings of the NSA that only someone from within could have. For instance, in April 2017, they published a number of tweets, since deleted, providing specific details about some of the work undertaken by a former spook, Jake Williams.
The tweets provided details about his involvement in a number of hacks during his days as a member of the NSA's Tailored Access Operations unit (which was disbanded in 2016 and absorbed into the agency’s new Directorate of Operations).
The tweets startled Williams who, until then, had not disclosed the fact that he had worked for the TAO during his NSA days. They were published shortly after he had written a blog post about the Shadow Brokers on the website of Rendition Infosec, a company he now runs.
Both the leak of NSA secrets by former contractor Edward Snowden and the Shadow Brokers are said to have shocked the NSA and created a crisis of confidence within the organisation. And the theory that says ex-NSA employees were the leakers in the second case argues that they did it in order to ensure that there would be change within the organisation.
This is not the first time that someone or a group has sought to create a narrative that links the Shadow Brokers to Russia.
A Washington-based security company, InGuardians, slipped a report to former Washington Post employee Brian Krebs in 2017, containing claims about the identity of the person behind the leak of NSA exploits by the Shadow Brokers, and claiming he was Russian.
Krebs ran the story in great detail and then suddenly took it down (archived version here). He mentioned the takedown at the very end of a story he wrote about the arrest of Pho. Comments were not allowed on this article, presumably to avoid criticism of his earlier claim.
When iTWire quizzed Krebs as to the reasons for his taking down the article, he did not provide a reply, indulging instead in personal slurs. Krebs' agenda in writing up the InGuardians "research" was questioned by well-known US security blogger Marcy Wheeler.
Zetter can probably take comfort in the fact that she is not the first one to be recruited to run this line. And she probably won't be the last either.