Twitter Only Had SMS 2FA When Hal Martin’s Twitter Account DMed Kaspersky

In a post late last month, I suggested that the genesis of FBI’s interest in Hal Martin may have stemmed from a panicked misunderstanding of DMs Martin sent.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Kim Zetter provides the back story — or at least part of one. The FBI didn’t find the DMs on their own. Amazingly, Kaspersky Lab, which the government has spent much of the last four years demonizing, alerted NSA to them.

As Zetter describes, the DMs were cryptic, seemingly breaking in mid-conversation. The second set of DMs referenced the closing scenes of both the 2016 version of Jason Bourne and Inception.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message sent on Aug. 13, 2016, asked for him to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

[snip]

The sender’s Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA’s Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher’s account.

Two days later, the same account sent three private messages to a different Kaspersky researcher.

“Still considering it..,” the first message said. When the researcher asked, “What are you considering?” the sender replied: “Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne.” Four minutes later he sent the final message: “Actually, this is probably more accurate” and included a link to a YouTube video showing the finale of the film “Inception.”

As it is, it’s an important story. As Zetter lays out, it makes it clear the NSA didn’t — couldn’t — find Martin on its own, and the government kept beating up Kaspersky even after they helped find Martin.

But, especially given the allusions to the two movies, I wonder whether these DMs actually came from Martin at all. There’s good reason to wonder whether they actually come from Shadow Brokers directly.

Certainly, that’d be technically doable, even though court filings suggest Martin had far better operational security than your average target. It would take another 16 months before Twitter offered authenticator-app two-factor authentication; at the time, SMS was the only second factor available. For anyone with the profile of Shadow Brokers, it would be child’s play to break SMS 2FA, assuming Martin used it.

Moreover, the message of the two allusions fits squarely with both Shadow Brokers’ habit of cultural allusions and the themes it employed over the course of the operation, allusions that have gotten far too little notice.

Finally, that Kaspersky would get DMs from someone hijacking Martin’s account would be consistent with other parts of the operation. From start to finish, Shadow Brokers used Kaspersky as a foil, just like it used Jake Williams. With Kaspersky, Shadow Brokers repeatedly provided reason to think that the security company had a role in the leak. In both cases, the government clearly chased the chum Shadow Brokers threw out, hunting innocent people as suspects, rather than looking more closely at what the evidence really suggested. And (as Zetter lays out), Martin would be a second case where Kaspersky was implicated in the identification of such chum, the other being Nghia Pho (the example of whom might explain why the government responded to Kaspersky’s help in 2016 with such suspicion).

Mind you, there’s nothing in the public record — not Martin’s letter asking for fully rendered versions of his social media so he could prove the context, and not Richard Bennett’s opinion ruling the warrants based off Kaspersky’s tip were reasonable, even if the premise behind them proved wrong — that suggests Martin is contesting that he sent those DMs. That said, virtually the entire case is sealed, so we wouldn’t know (and the government really wouldn’t want us to know if it were the case).

As Zetter also lays out, Martin had a BDSM profile that might have elicited attention from hostile entities looking for such chum.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sado-masochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and “technical advisor and investigator on offensive cyber issues.” The LinkedIn profile didn’t mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

And when Kaspersky’s researchers responded to Martin’s DM, he blocked their accounts, suggesting he treated the communications unfavorably (or, if someone had taken over the account, they wanted to limit any back-and-forth, though Martin would presumably have noted that).

After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

Martin’s attorneys claim he has a mental illness that leads him to hoard things, which is the excuse they give for his theft of so many government files. That’s different from suggesting he’d send strangers out-of-context DMs that, at the very least, might make him lose his clearance.

So I’d like to suggest it’s possible that Martin didn’t send those DMs.

11 replies
  1. greengiant says:

    Re-up and double up that not only government actors but all the way down to two bit crooks and media can use web stalking and doing the Nix, buy your internet click history and content for pennies, ( might as well add location data heh heh),, for doing blackmail and other targeting. Should pay attention to all reports of dark marketing, deregistration, and forcing provisional ballots to disenfranchise voters.

  2. General Sternwood says:

    To hoard is to hide and accumulate things like baseball cards or Roger Stone obfuscations. A horde is a crowd of people, or zombies, or Russian oligarchs.

  3. Kevin says:

    My other thought when reading that story was that Martin could have been in communication with TSB thinking he was talking to someone at Kaspersky. Then messaged the real Kaspersky on Twitter. Lots of holes, not least of which is that the government would likely be gunning for more time if he were an intentional source.

  4. earlofhuntingdon says:

    Trump’s lies are getting more angry, more obvious, and more persistent. I suppose that means his earwig is working better and that Steve Miller is working overtime.

    Trump’s press conferences are nothing more than lying campaign rallies. We know this because he just accused the Democrats of using talks to reopen the USG as a campaign stunt.

    His notion of “negotiating” is that everyone allows him to pontificate and then gives him what he wants. Then he walks away and says he never wanted “that,” he wants “this” and a whole lot more.

    • P J Evans says:

      The judge in that case would have some justification for ordering a 30-day in-patient evaluation – and after that probably remand him to an institution where the doors lock from the outside.

    • Lulymay says:

      I don’t know how you folks down south of me can even think your world is normal these days. I find him getting creepier and creepier every time he utters more of his (what can I say?) balderdash!

  5. MattyG says:

    Rudi’s talking line will evolve with evidence disclosures per usual: “no campaign data was shared with the Russians, but if any was, it wasn’t illegal”, etc. etc.

    For myself I was predicting DT wouldn’t last the term (born optimist). After Charlottesville I couldn’t see him lasting 6 months (he did), and after Helsinki I was sure even GOPers would lower the boom pronto given the other allegations (they didn’t). The new round of leaks puts DT in the command role of Russian collaboration – he simply *can’t* last another 2 years.

  6. Trip says:

    Marissa J. Lang (verified account, @Marissa_Jae):

    Hundreds of federal workers, contractors and supporters spilling into the street in front of the AFL-CIO building, just down the road from the White House. They’re chanting, “we want our pay!” #ShutdownProtest #DC
    Mitch McConnell is getting blamed as much as Trump at this #ShutdownProtest. Chants now of “do your job!” as Jeffrey David Cox, national president of the American Federation of Government Employees, AFL-CIO, speaks. #DC
    https://twitter.com/Marissa_Jae/status/1083410234494857218/video/1

    TSA Employees Protest Government Shutdown Outside Atlanta Airport
    https://www.newsweek.com/government-shutdown-2019-updates-tsa-officers-protest-outside-atlanta-airport-1287289

Comments are closed.