A report in The Wall Street Journal says that hackers working for the Russian government stole sensitive documents from an NSA contractor’s home computer. The story goes on to say the contractor was targeted after the files were discovered by Kaspersky’s Anti-Virus software, which goes some way toward explaining the U.S. government’s push to ban Kaspersky on its systems.
“The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter,” the WSJ reported.
If the story proves to be true, the bigger picture is that the NSA suffered a third data breach of its hacking tools.
As to how Kaspersky ties into this data breach, the WSJ report says U.S. investigators believe the unnamed contractor’s use of Kaspersky Anti-Virus (KAV) alerted the Russian hackers to the presence of the files.
“Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA. But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding,” the WSJ reported.
One of the major unanswered questions in this story is what caused KAV to hit on these files in the first place.
If the files were related to Equation Group, then it should come as no surprise that Kaspersky’s software scanned for known files and flagged them for further analysis. All anti-virus vendors do this, including those developed in the U.S.
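The mechanism described above, as an added illustration rather than code from the article or from any vendor: a minimal signature scanner that hashes each file, compares it against a database of known-sample hashes and byte patterns, and queues any match for analyst review. The signature values, the "known sample" bytes and the sample files are all constructed for this example; nothing here represents a real indicator or a real product's database.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed signature database (hypothetical, for illustration only) ---
# A real engine ships hashes and byte patterns derived from previously analysed
# samples. Here the "known sample" bytes are invented so the example runs offline.
_KNOWN_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"EXAMPLE_KNOWN_SAMPLE"
KNOWN_HASHES = {
    hashlib.sha256(_KNOWN_SAMPLE).hexdigest(): "sig:known-sample-001",
}
# Byte patterns catch variants whose hash differs but which still carry a
# characteristic string (constructed marker, not a real indicator).
KNOWN_PATTERNS = {
    "sig:toolkit-marker": re.compile(rb"EXAMPLE_TOOLKIT_v\d+"),
}


@dataclass(frozen=True)
class Detection:
    """What gets queued for analysts: file-level facts only."""
    path: str
    sha256: str
    size: int
    signature: str
    reason: str  # "hash" or "pattern"


def scan_file(path: str, data: bytes) -> Optional[Detection]:
    """Return a Detection if the file matches a known hash or pattern, else None."""
    digest = hashlib.sha256(data).hexdigest()
    # Exact-match lookup first: cheapest check, highest confidence.
    if digest in KNOWN_HASHES:
        return Detection(path, digest, len(data), KNOWN_HASHES[digest], "hash")
    # Fall back to pattern matching for variants of known samples.
    for sig, pattern in KNOWN_PATTERNS.items():
        if pattern.search(data):
            return Detection(path, digest, len(data), sig, "pattern")
    return None


def scan_files(files: dict[str, bytes]) -> list[Detection]:
    """Scan a mapping of path -> contents and return the analyst queue."""
    queue = []
    for path, data in files.items():
        hit = scan_file(path, data)
        if hit is not None:
            queue.append(hit)
    return queue


# Constructed sample "filesystem" (hypothetical paths and contents).
SAMPLE_FILES = {
    "/home/user/docs/notes.txt": b"quarterly report draft, nothing unusual here",
    "/home/user/docs/archive.bin": _KNOWN_SAMPLE,  # exact known hash
    "/home/user/docs/loader.bin": b"MZ" + b"EXAMPLE_TOOLKIT_v3" + b"\x90" * 8,  # variant
}

if __name__ == "__main__":
    for d in scan_files(SAMPLE_FILES):
        print(f"{d.path}: {d.signature} ({d.reason}) sha256={d.sha256[:12]}...")
```

The point worth noticing for the story above is what ends up in the queue: the scanner records a path, a hash, a size and the signature that fired, and nothing about who owns the machine. Whether those flagged files are then uploaded to the vendor for further analysis is a separate product decision, and that upload step is exactly where sensitive material can leave a machine; administrators who want to keep it local should check their product's sample-submission setting rather than assume the default.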
In 2015, Kaspersky disclosed a nation-state level attack on their network (Duqu 2.0), and said the attackers were focused on their work related to APTs and nation-state attacks, including Equation Group and Regin. Considering the timeline, this suggests that Duqu 2.0 was some sort of retaliation for the compromise of the contractor’s system – but that’s just speculation.
The other big question: How did the Russian hackers get information from KAV?
Well, there are no solid answers to that million-dollar question.
The idea that Russian intelligence compromised Kaspersky’s network in an effort to leverage their install-base isn’t as far-fetched as it sounds. No one, not even Kaspersky, can thwart nation-state actors forever. Eventually, they will get what they’re after. However, there isn’t any proof such a scenario happened.
Did Kaspersky willingly hand over access to the Russian government? Again, while unlikely, there is no proof either way and Kaspersky denies any such cooperation with intelligence services.
In briefings with the private sector, urging them to dump Kaspersky products from their network, the FBI wouldn’t get into much detail other than to essentially say, “Kaspersky, bad. Anything else, good.” and leave it at that.
While it isn’t clear what initially triggered the U.S. government’s investigation into Kaspersky, Thursday’s WSJ report certainly feels like a better explanation: investigators believe the software was used as a tool to compromise an NSA contractor.
Another interesting question stemming from the WSJ report centers on the hackers. What is the evidence that points to them working with or for the Russian government? If the usage of Kaspersky’s software is the only link, that’s a bit flimsy.
Kaspersky is a software company, and like any other it isn’t immune from exploitable flaws.
In 2015, Kaspersky worked with Tavis Ormandy to address a number of software flaws, “which could result in a complete compromise of any Kaspersky Antivirus user.”
Is it possible one of those flaws, prior to being patched, led to outsiders compromising the software and the contractor’s files? Maybe, but that would be speculation.
Again, the larger story is the third data breach of NSA hacking tools. This incident started with a contractor taking sensitive information home. Leaving Kaspersky completely out of the picture, this was never a good idea and placed that data at extreme risk.
Should enterprise managers consider today’s story when selecting an anti-virus vendor? If Russia is part of your threat model, then perhaps Kaspersky isn’t the best choice.
At the same time, there is a reason Kaspersky has a reputation for being aggressive and hard to avoid in the malware world. They’re good at what they do.
However, risks should be weighed individually. What doesn’t work for one organization might be fine for another.
In this reporter’s opinion, it feels as if someone hacked Kaspersky’s product and was able to access files that were being flagged for analysis. If this is the case, then the NSA’s third data breach is the fault of an unknown contractor who took files home and a group of criminals who hacked a security vendor.
If Russian intelligence was responsible, then Kaspersky could be nothing more than a pawn in a political chess match. If anything, the WSJ shows just how hard it is for the NSA to control their tools and contractors.
The bad blood between Russia and the U.S. has placed Kaspersky in a crossfire, and today’s story won’t do them any favors.
After this story was published, Salted Hash was made aware of statements from Eugene Kaspersky on his blog.
“While protecting our customers, we do – as any other cybersecurity vendors – check the health of a computer. It works like an X-ray: the security solution can see almost everything in order to identify problems, but it cannot attribute what it sees to a particular user,” Kaspersky said in his post addressing the WSJ report.
“In the wake of the last article I want to emphasize: if our technologies detect anything suspicious and this object is identified as malware, in a matter of minutes ALL our clients no matter who and where they are, will receive protection from this threat.”
As for the notion that his company’s product was hacked:
“Now if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on a PC of one of our users, and respected government agencies concerned of national security knew about that, why didn’t they report it to us? We patch the most severe bugs in a matter of hours, so why not make the world a bit more secure by reporting the vulnerability to us? I can’t imagine an ethical justification for not doing so.”