Russian Spies Used Kaspersky Anti-Virus To Hack NSA

NSA Headquarters, Fort Meade, Maryland

Hackers backed by the Russian government apparently stole highly classified cyber secrets in 2015 after an NSA contractor placed the information on his home computer.

Hackers accessed the data because the home computer of the targeted NSA contractor was running Kaspersky software.

Secrets stolen in the hack included information on penetrating foreign computer networks and protecting against cyberattacks. Hackers were able to access the data because the contractor was running antivirus software from Moscow-based Kaspersky Lab.

The information stolen in the breach, considered one of the most significant in recent years, could give the Russian government tips on how to make its networks more secure. The theft occurred in 2015 but wasn't discovered until spring of 2016.

The revelation comes amid heightened concerns in Washington that hackers working for the Russian government penetrated US computer networks and tapped social media platforms to meddle with the US 2016 election. Government investigators are examining whether the Russian government may have attempted to influence the electorate, and whether President Donald Trump or anyone working for him was knowingly involved. Trump has repeatedly denied involvement.

Background

Russian government spies extracted NSA exploits from a US government contractor's home PC using Kaspersky Lab software, anonymous sources have claimed.

The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky's antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them. In effect, it means the Russian government has copies of the NSA's tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets.

The theft, reported on 5th October, is said to have occurred in 2015, but apparently wasn't discovered until earlier this year. The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers' pilfered exploits date back to 2013, though. And this case is not thought to be related to the former Booz Allen Hamilton contractor Harold Thomas Martin III, who stashed classified NSA materials at his home to study. Martin was indicted in February and, if convicted, faces prison time for removing top-secret files from his employer's workplace. He denies any wrongdoing.
"Whether the information is credible or not, NSA's policy is never to comment on affiliate or personnel matters," an NSA spokesperson said.

Like almost all security software, Kaspersky's software scans files on computers to look for anything matching known malware, or programs that behave in a way that looks like malicious code. 

It may be that the antivirus package sent the contractor's NSA code back to a cloud service to inspect, which set off internal alarms and attracted the attention of Russian spies, or the product was tampered with to open a backdoor to the PC, or the software was remotely exploited to gain access.

The Wall Street Journal sources do not say if Kaspersky was actively involved in helping hack the contractor's computer, nor whether President Putin's spies exploited vulnerabilities in the security software to silently swipe the exposed documents. There are a lot of exploitable holes in antivirus packages for hackers to abuse.

It is also possible that, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark's computer and extract its contents. The software maker is denying any wrongdoing.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company," the Moscow-based biz told The Register in a statement.
“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.
“Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the US and around the world.”

Kaspersky’s Response

The organisation's founder, Eugene Kaspersky, was more blunt, tweeting the following before today's revelations hit the 'net:
"New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyber-threats."

Kaspersky has repeatedly offered its source code to government officials to review since allegations that it was working with Russian intelligence surfaced a year or so ago. No evidence has ever been made public about such claims. That didn’t stop the US government banning Kaspersky code from federal computers last month. 

In a piece published on Kaspersky’s website, Eugene said:

"Another sensationalist media story was released today stating among other things that Kaspersky Lab helps one intelligence agency to get their hands on sensitive data from another intelligence agency through the home computer of a contractor. Another accusation from the article is that we are very “aggressive” in our methods of hunting for new malware. The first statement sounds like the script of a C movie, and again, disclosed by anonymous sources (what a surprise). I can hardly comment on it besides the official statement. However, I couldn’t agree more with the second claim about being aggressive in our hunt for malware. We absolutely and aggressively detect and clean malware infections no matter the source and we have been proudly doing it for 20 years. This is the reason why we consistently get top ratings in independent, third party malware detection tests. We make no apologies for being aggressive in the battle against malware and cybercriminals, you shouldn’t accept any less. Period."

US Response

"It's a lot harder to beat your opponent when they're reading your playbook, and it's even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off," said Republican Senator Ben Sasse, who is on the Senate Armed Services committee.
"The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace and we can't afford these self-inflicted injuries."

Matthew Hickey, cofounder of British security shop Hacker House, told The Register that Kaspersky could well be blameless and the security software was simply doing its job.

The Russian software maker has been detecting NSA malware since 2014, and this could be where the connection lies.

The antivirus may have identified powerful NSA exploit code samples on the home PC, and flagged them up to Kaspersky's customers, possibly all the way to the FSB, Russia's security services. 

Kaspersky also provides real-time analysis to the FSB, meaning the software may have automatically tipped off the Kremlin to the presence of the highly guarded Western attack code. "It's likely that the Kaspersky detection of NSA tools was somehow responsible for FSB targeting the contractor's home computer, but it doesn't mean the company was complicit," Hickey said. "Kaspersky have detected many of the NSA tools being used in the wild, the FSB would surely know that, and target the company for that reason alone. The Kaspersky statement holds no punches and makes it clear they don't cooperate with governments. I'm inclined to believe them, their software is top grade at detection of new threats, and is notoriously difficult to bypass."

Hickey pointed out that the alternative is that Kaspersky deliberately back-doored its own software, and handed over the keys to Putin’s snoops. This would have the effect of putting billions of dollars of business at risk to do a favor for Russian intelligence. 

US Democrat Senator Jeanne Shaheen, one of Kaspersky's most vocal critics in Congress, has few doubts on the matter, though. In a strongly worded statement, she condemned the company and called for the Trump administration to declassify and release the evidence it has in this case.
"The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time," she said today. "It's astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States." 

The Washington Post says the contractor was a US citizen born in Vietnam, and worked for the NSA's ace hacking team, Tailored Access Operations. He was working to replace the exploits compromised by the Snowden leaks, was fired in 2015, and is now under a federal investigation.

Sources: The Register, Eugene Kaspersky, CNet, Wall Street Journal

