How a Russian firm helped catch alleged data thief

The US has accused Kaspersky Lab of working with Russian spies. But sources say the company exposed a massive breach that US authorities missed.

The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country.

Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation. They spoke with POLITICO on condition of anonymity because they’re not authorized to discuss the case.

The company’s role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history.

It indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA’s most sophisticated and sensitive hacking tools.

The revelation also introduces an ironic turn in the negative narrative the U.S. government has woven about the Russian company in recent years.

Under both the Obama and Trump administrations, officials have accused the company of colluding with Russian intelligence to steal and expose classified NSA tools, and in 2016 the FBI engaged in an aggressive behind-the-scenes campaign to discredit the company and get its software banned from U.S. government computers on national security grounds. But even while the FBI was doing this, the Russian firm was tipping off the bureau to an alleged intelligence thief in the government’s own midst.

"It's irony piled on irony that people who worked at Kaspersky, who were already in the sights of the U.S. intelligence community, disclosed to them that they had this problem,” said Stewart Baker, general counsel for the NSA in the 1990s and a current partner at Steptoe and Johnson. It’s also discouraging, he noted, that the NSA apparently still hasn’t “figured out a good way to find unreliable employees who are mishandling some of their most sensitive stuff.”

“We all thought [Martin] got caught by renewed or heightened scrutiny, and instead it looks as though he got caught because he was an idiot,” he told POLITICO.

As for Kaspersky, news about its assistance in apprehending Martin likely won’t satisfy detractors who believe the company can still be a tool of Russian intelligence even if it occasionally assists the U.S. government.

Martin, who is set to go to trial in June, was arrested August 27, 2016 following a search of his home and was subsequently indicted in February 2017. He’s been charged with 20 counts of unauthorized and willful retention of national defense information, each of which carries up to 10 years in prison.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message, sent on August 13, 2016, asked the recipient to arrange a conversation with "Yevgeny" — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn't indicate the reason for the conversation or the topic, but a second message following right afterward said, "Shelf life, three weeks," suggesting the request, or the reason for it, would be relevant for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

The Twitter messages, along with clues Kaspersky researchers found that linked the Twitter account to Martin and his work in the U.S. intelligence community, led the researchers to wonder if Martin was connected to Shadow Brokers. This led the company to contact the NSA and suggest it investigate him, according to the sources.

POLITICO first reported the existence of the Twitter messages last week when they were mentioned in a court ruling made public after Martin’s attorneys unsuccessfully sought to invalidate FBI search warrants used in the case, on grounds that the bureau didn't have probable cause to obtain them.

U.S. District Judge Richard Bennett disagreed, citing the Twitter messages. He wrote that although the cryptic messages "could have had any number of innocuous meanings in another setting," their timing and Martin's potential access to Equation Group hacking tools through his government work made him a logical suspect in the Shadow Brokers investigation.

The partially redacted ruling quoted only two of the five messages the mysterious Twitter account sent the company, and the names of the recipients were redacted. Kaspersky’s role as recipient and informant has not been previously disclosed.

A Kaspersky spokeswoman declined to confirm the company’s involvement in the case or comment on the record.

According to the sources who spoke with POLITICO, Kaspersky gave the NSA all five Twitter messages as well as evidence of the sender's real identity. Then, according to the redacted court document, the FBI used the evidence to obtain search warrants for Martin's Twitter account and Maryland home and property. The document doesn’t indicate how the FBI learned of the Twitter messages or Martin’s identity.

The home search on August 27, 2016, occurred with a massive raid involving nearly two dozen FBI agents and SWAT team members with guns drawn, underscoring the case’s urgency and the government’s concerns about whom else Martin might have contacted. The search uncovered a trove of classified data in hard copy and digital format that Martin had taken between 1996 and 2016 — material that the government has said included some of the same Equation Group tools the Shadow Brokers possessed.

The tools were some of the most prized surveillance implements the spy agency used to track suspected terrorists, conduct other national security investigations and collect intelligence.

Questions have lingered about whether Martin supplied the classified tools to Shadow Brokers, but he has not been charged with espionage, nor have prosecutors indicated Martin had any contact with the group. The group continued to publish online after Martin’s arrest, discounting theories that he himself was the Shadow Brokers.

A patriot with a compulsive disorder?

And although the cryptic Twitter messages could be read as suggesting he was exploring the possibility of passing sensitive data to either Kaspersky or to the Russian government, his attorneys have argued in court that no evidence exists that Martin intended to pass information to anyone. He’s a patriot who recklessly amassed and stored the classified material only because he suffers from a compulsive disorder, his public defender, James Wyda, has said.

Matt Tait, a former information security specialist at Britain’s GCHQ spy agency, thinks it’s interesting that Martin zeroed in on Kaspersky for his correspondence.

“Why did he choose Kaspersky versus Sophos or Symantec?” he said, referring to two other antivirus companies. “He would have known better than others what that meant when the U.S. government says Kaspersky is hostile. Why did he choose that company versus another company, and what did he expect them to do?”

These are questions that may only be answered in court, if Martin doesn’t strike a plea deal.

Martin’s defense attorney, Wyda, declined to comment this week when POLITICO asked why his client contacted Kaspersky.

The revelation about how Martin was caught renews long-standing questions about the NSA's ability to prevent or detect theft of its secrets, even after increasing internal security measures following the 2013 leaks by agency contractor Edward Snowden. Those measures played no role in flagging Martin, according to the sources who spoke with POLITICO, though it's not clear they were in place at the time Martin took material from the agency.

Either way, the NSA was desperate in August 2016 to uncover the identity of Shadow Brokers and determine where they got the stolen tools, but it was only after Kaspersky turned Martin in that he became a suspect.

Like Snowden, Martin had a top secret national security clearance and worked for defense and intelligence contractor Booz Allen Hamilton and other contracting companies since the late 1990s. His work with Booz Allen included jobs at the NSA between 2012 and 2015, and in the Office of the Director of National Intelligence and a Defense Department office, where some of his thefts occurred.

Over the years, he worked on “a number of highly classified, specialized projects,” according to court records, and his work for the NSA put him directly in its Tailored Access Operations unit for a time — the unit that created and used the Equation Group tools. However, a former TAO worker has said Martin was simply a front office worker who wasn't involved in spy operations there.

Martin’s downfall unfolded in the following manner, according to the people who spoke with POLITICO.

The first Twitter messages HAL999999999 sent to one of the Kaspersky researchers began as if they were already engaged in an ongoing conversation or had previously conversed. "So….figure out how we talk. With Yevgeny present," the message said. Then "Shelf life, three weeks."

He sent the messages on August 13, 2016, but they sat unread for three days. That’s because the researcher didn’t follow the HAL account, so the private messages went to a request folder. The researcher was on vacation and saw the messages three days later, after Shadow Brokers had made headlines and published batches of NSA tools.

The sender's Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA's Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher's account.

Two days later, the same account sent three private messages to a different Kaspersky researcher.

"Still considering it..," the first message said. When the researcher asked, "What are you considering?" the sender replied: "Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne." Four minutes later he sent the final message: "Actually, this is probably more accurate" and included a link to a YouTube video showing the finale of the film "Inception."

The Bourne comment appears to reference a Jason Bourne film about a former CIA assassin on the run from the agency, which was released in U.S. theaters two weeks before the Twitter user contacted Kaspersky. It and the "Inception" film deal with the difficulties of distinguishing truth and reality from deception and illusion.

The Kaspersky researcher didn't respond to the Twitter sender after this. Instead, he and colleagues conducted some online sleuthing and were able to easily unmask the sender's identity.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sadomasochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and "technical advisor and investigator on offensive cyber issues." The LinkedIn profile didn't mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

Armed with this information, on August 22 a Kaspersky employee contacted an NSA worker he'd recently met at a conference and sent him the evidence, suggesting the agency might want to investigate Martin. The FBI obtained the warrant for Martin’s Twitter account on the 25th, and he was arrested two days later following the search of his home.

The FBI declined to comment on this new information, as did the U.S. Attorney’s office handling the case.

Tait told POLITICO that any legitimate security researchers in Kaspersky’s position would notify the government if a potential leaker contacted them.

"These researchers seem to have taken the view that they know how to work out how the NSA does hacking through legitimate means; they don't need leakers inside the NSA to do their job, and it probably doesn't help them to be seen as actively antagonistic to the U.S.,” Tait said. “It undermines their ability to claim they're a legitimate threat intelligence organization.”

But Kaspersky’s efforts apparently earned the company little regard in the government.

Under growing scrutiny

Months after Martin was formally charged, the government's campaign against the company, which had been percolating in the background throughout 2016, also went public.

Although Kaspersky has worked with U.S. law enforcement and security firms for years to track hackers, the company's relationship with the government began to grow tense around 2012 as it exposed a series of covert NSA spy kits and hacking operations after finding the previously unknown spy software on customers’ machines. The company has exposed more U.S. spy operations than any other cybersecurity firm in the last six years, and has in turn become a hacking target of spy agencies itself for its success in exposing not only NSA operations but those of Israel, the United Kingdom and France.

One of its most significant revelations occurred in February 2015 when the company announced discovery of a suite of sophisticated spy programs it dubbed the Equation Group tools — long before the Shadow Brokers began leaking tools from the same group in 2016.

Kaspersky discovered the tools on computers in the Middle East in 2014, and its antivirus software later detected them on a machine in the U.S. sometime in 2014. Kaspersky believed the machine had been infected with Equation Group surveillance software, but in fact it was the home computer of an NSA employee named Nghia Hoang Pho, who had improperly taken home classified documents and NSA code he was helping develop that were related to the Equation Group toolset.

Kaspersky’s software uploaded the material from Pho’s computer to the company’s servers, as part of a standard procedure antivirus programs use to analyze previously undiscovered malicious code. Kaspersky has insisted that once it realized the collection wasn’t malware, CEO Eugene Kaspersky ordered his researchers to destroy the files.

But the collection of files helped fuel U.S. allegations that Kaspersky itself poses a security threat. That’s because, unknown to Kaspersky at the time, Israel had hacked the company’s network in 2014, and in 2015 quietly told U.S. officials that it saw Russian intelligence operatives siphon the tools from Pho's machine with Kaspersky's cooperation or knowledge, using its antivirus software. The public only learned about this allegation in 2017 when anonymous sources leaked it to reporters. But no evidence backing this claim has ever been made public, and nobody has explained how the Israelis knew the extraction was not just part of standard infection analysis and cleanup.

Sometime in 2015, the FBI began investigating Kaspersky’s relationship with the Russian government, and by 2016, the bureau was urging U.S. companies privately to cut business ties with the firm. Then in February 2017, the month Martin was indicted, DHS sent a secret report to government agencies saying Kaspersky’s software posed a national security risk. News of the report was leaked to the media along with a revelation that the FBI was investigating the company.

Seven months later, DHS issued a directive banning Kaspersky software from civilian government computers because “the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” The ban led consumer giant Best Buy to announce it would no longer install Kaspersky antivirus software on computers it sells.

Kaspersky has long denied that it has cooperated with Russian intelligence in any capacity to obtain U.S. secrets. And the U.S. government has never publicly indicated that it has any evidence to support suspicions that the company has helped the Russian government use its software to spy on Kaspersky customers.

In any case, the timing of these events is notable: It’s not clear whether Kaspersky knew about the FBI investigation or the Israeli allegations when the company turned Martin in to the NSA in 2016. Such knowledge could have made the company wonder if Martin’s communication was a test.

Baker told POLITICO that Kaspersky’s role in Martin’s arrest wasn’t out of character for the company, which he doubts has ever actively aided Russian intelligence and has always wanted to be an accepted part of the cybersecurity fraternity.

“[The company] recognized that it had a problem, given its origin and location [in Russia], and so where it could be helpful to the U.S. government and show that it was not a hostile force it wouldn't have surprised me that it would do something that was meant to be … a goodwill gesture toward the U.S. government,” he said.

Although he doesn’t think the government’s subsequent treatment of the company was wrong, “it is pretty ironic,” he said. “And I'm sure the people at Kaspersky are feeling as though they did the right thing and it did them no good."