Written by Chris Bing

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on a former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to the sensitive nature of this investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group, among other offices.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The NSA did not respond to multiple requests for comment.

The Shadow Brokers are an enigmatic group that has been publishing classified documents and the code for computer exploits once used by the agency. As the exploits have been released, they have been co-opted into worldwide attacks, including the WannaCry ransomware attack in May.

Security experts have theorized over the last year that the Shadow Brokers are hackers who broke into a faulty NSA attack server to steal tools and other secretive information. This remains a possibility, but it does not explain why the group was able to publish an internal powerpoint presentation, which would not be stored on such a system, former U.S. intelligence officials tell CyberScoop.

Others have claimed the operation carries certain hallmarks indicative of a nation state, like Russia, who are conceivably trying to discredit or damage the U.S. intelligence community by sharing — and therefore burning — certain cyber espionage capabilities.

After nearly a year in the limelight, the Shadow Brokers’ behavior has changed somewhat in recent months. Although many of the group’s messages appear relatively similar, the manner in which they are sharing classified information has shifted.

On Thursday, the Shadow Brokers advertised, once again, a subscription service where they would share additional NSA hacking tools with those who are willing to pay thousands of dollars for access.

Rep. Will Hurd, R-Texas, said in a recent phone interview with CyberScoop, that “understanding what’s happened” is a “serious priority” for the intelligence community and House Intelligence Committee, for which he is a member of. Hurd is one of the only lawmakers to publicly comment on the group. Congress has largely chosen to remain silent on the issue, which now spans almost a year of leaks and other involuntary disclosures of classified information.