Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Was Kaspersky Labs Used to Hack the NSA?

October 11, 2017

Kaspersky Labs was tarred and feathered in a Wall Street Journal story which cited unnamed sources and claimed that Russian hackers used a Kaspersky Labs antivirus product to steal hacking tools from the National Security Agency (NSA).

As SC Media reported on October 5th, the WSJ said the Russians targeted a U.S. government contractor that was using the Kaspersky product and employed it to identify documents being held on the contractor's system. The hack reportedly took place in 2015 and was only discovered this spring.

Kaspersky Labs' CEO Eugene Kaspersky immediately took to Twitter to refute the claim, saying in one tweet, "We aggressively protect our users and we're proud of it."

In a company blog addressing the story, he said, "With big power comes big responsibility. We never betray the trust that our users put into our hands. If we would do that a single time that would be immediately spotted by the industry and our business would be done."

In September the U.S. Department of Homeland Security banned the use of any Kaspersky product on a government computer, citing concern over ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.

Kaspersky said that even if there were a few unethical people at his firm, they would be countered by the "dozens" of internal technological and organizational barriers in place that would mitigate the situation, along with all the other employees, some of whom would be bound to see such nefarious moves and take action.

Why, oh why, can't the NSA figure out its contractor problems? Snowden sure sounded the alarm on this issue quite a while ago.

Update: I have just seen a New York Times article addressing this story (thanks to Dave Ries). It appears that the U.S. was tipped off by Israeli intelligence sources, who advised us that the Russian operation stole classified documents from an NSA employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

Like other security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for malware or other dangers. Its popular antivirus software scans for signatures of malware, then removes or neutralizes it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.

Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement Tuesday afternoon. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”

“Antivirus is the ultimate back door,” said Blake Darché, a former NSA operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

The article notes that it is unclear whether Kaspersky Labs or its employees were complicit in the hacking. Russian hackers may have exploited the software without the company's cooperation or knowledge. But experts on Russia say that under President Vladimir V. Putin, a former K.G.B. officer, businesses asked for assistance by Russian spy agencies may feel they have no choice but to give it. To refuse might well invite hostile action from the government against the business or its leaders. Mr. Kaspersky, who attended an intelligence institute and served in Russia’s Ministry of Defense, would understand the cost of refusing a Kremlin request.

Kaspersky did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report. Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the United Nations Security Council to negotiate the terms of the Iran nuclear deal — negotiations from which Israel was excluded.

Kaspersky’s researchers noted that attackers had gotten deep into the company’s computers and evaded detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and scoop up e-mails and documents.

So . . . everyone is hacking everyone. What else is new? This remains a developing story, that's for sure.
