Russia is targeting "military digital" contractors

Hal Martin isn't the only one who takes work home with him...

A couple of days ago I suggested the “Vault 7” material posted by Wikileaks may have in fact been obtained from Hal Martin’s unauthorised exploit stash.

Now I think we’re dealing with something a little more, ahem, “comprehensive”.

For those who are unfamiliar, Hal Martin was an intelligence contractor working for Booz Allen Hamilton who, as it turned out, was also performing “unauthorised offsite backups” of some of NSA’s most sensitive material. He was arrested by the FBI last August.

The thinking is the data he took home included the Tailored Access Operations (TAO) implants and exploits disclosed by a group called “Shadow Brokers”, who were likely a front for Russian intelligence.

Martin’s “backups” were discovered when Shadow Brokers started auctioning the NSA implants on the Internet. The assumption we’re working under here is investigators took a look at some logs pertaining to the Shadow Brokers files and saw Martin had accessed the lot. From there, they no doubt would have done a full audit of his network activities.

Cue arrest.

He’d hoarded an incredible volume of material relating to computer network exploitation (CNE) over his 23 years of intelligence contracting. Thanks to a recent court appearance, we also know that he had access to CIA files as well as NSA files. (Also NRO, DoD, etc.)

Was Hal Martin the source of the Shadow Brokers files? Well, maybe, but he’s been charged with mishandling information, not working in cahoots with a foreign intelligence service.

That leads us to a tantalising theory: Hal Martin hoarded all these documents, and at some point an enterprising Russian CNE type took a poke around his home network and found them there. After all, he held a top clearance and did work for Tailored Access Operations as a contractor. That’s a home network I’d take a look at if I worked for a foreign intelligence service (FIS), that’s for sure.

Flash forward to this week, and it’s the Wikileaks Vault 7 dump that has everyone talking. Again, everyone’s talking about contractors. In a media release, Wikileaks says the CIA “lost control” of the material, and it was being circulated among “contractors” who then provided the material to Assange and his buddies.

There are more than a couple of curiosities in all of this: CIA insiders have been quoted in recent reports as saying they already knew this material was “out there,” yet other reports claim the FBI is investigating the leak. But these two narratives bump into each other. How could CIA know, months in advance, about the specifics of what was leaked, but not know who leaked them? Have they and their NSA cousins been popping a few shells on a laptop at a certain Latin American embassy? Could they see the material arrive, but not tell where it came from?

Or does it mean that the FBI found this stuff on Hal Martin’s network when they kicked his door in and worked under the assumption that it was in Russian hands? But, if Martin was the source, why investigate?

So there’s obviously a piece missing, and I think I might have it. What if this is bigger than just Hal Martin?

It’s not widely known, but Russia has been collecting the personal information of “cyber” contractors with high clearances – like Martin – via human intelligence operations for at least several years. Counterintelligence officers know about this.

So let’s run another theory up the flagpole, that being:

  1. Russian intelligence services have realised intelligence contractors aren’t required to take their opsec and counter-intelligence training as seriously as their “on staff” counterparts.

  2. They have collected as much information on these contractors as possible via passive and active campaigns.

  3. They have then used that information to either directly compromise the contractors, or, more likely, their home networks. People have been taking stuff home they shouldn’t have.

  4. For whatever reason, Russia decided to burn its own campaign last year. That led to the Shadow Brokers fiasco.

  5. After weathering some opsec disasters related to the DNC and Podesta hacks, they decided to just dump the rest of the material on Wikileaks, knowing that Assange would do his job and launder the documents for them.

So it’s all just a theory, but it’s one worth floating: Russian intelligence services have owned the home networks of as many cleared contractors as possible, waiting for them to bring material home that they shouldn’t. If that’s what they’ve done, you’ve got to hand it to them: it’s definitely lateral thinking. What a pipeline of information!

If we see some leaked memos from the likes of Booz and Raytheon in coming weeks suggesting that hey, really, taking your work home with you is a really fucking bad idea, we’ll know there’s something to this.

It’s just a theory, but let’s see.