Exclusive: How a Russian firm helped catch an alleged NSA data thief
https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131
Highlights
The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country.
Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation. They spoke with POLITICO on condition of anonymity because they’re not authorized to discuss the case.
Although Kaspersky has worked with U.S. law enforcement and security firms for years to track hackers, the company's relationship with the government began to grow tense around 2012 as it exposed a series of covert NSA spy kits and hacking operations after finding the previously unknown spy software on customers’ machines. The company has exposed more U.S. spy operations than any other cybersecurity firm in the last six years, and has in turn become a hacking target of spy agencies itself for its success in exposing not only NSA operations but those of Israel, the United Kingdom and France.
But the collection of files helped fuel U.S. allegations that Kaspersky itself poses a security threat. That’s because, unknown to Kaspersky at the time, Israel had hacked the company’s network in 2014, and in 2015 quietly told U.S. officials that it saw Russian intelligence operatives siphon the tools from Pho's machine with Kaspersky's cooperation or knowledge, using its antivirus software. The public only learned about this allegation in 2017 when anonymous sources leaked it to reporters. But no evidence backing this claim has ever been made public, and nobody has explained how the Israelis knew the extraction was not just part of standard infection analysis and cleanup.
[Regarding Harold Martin's Twitter account]
The Kaspersky researcher didn't respond to the Twitter sender after this. Instead, he and colleagues conducted some online sleuthing and were able to easily unmask the sender's identity.
A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners... A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and "technical advisor and investigator on offensive cyber issues." The LinkedIn profile didn't mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.