NSA and Kaspersky Ensnarled by Russian Web

NSA seal

U.S. companies got a disturbing preview of just how Russia might be able to steal their secrets, with news that Kaspersky Lab anti-virus software was allegedly used to hack an unsuspecting NSA contractor.

Russian state-sponsored hackers reportedly stole critical details on how the U.S. conducts cyber espionage and defends against cyber operations directed at its classified networks, when they hacked the computer of the contractor who had uploaded highly classified documents onto a home computer, according to The Wall Street Journal.

While denying Kaspersky’s involvement in the 2015 incident, company CEO Eugene Kaspersky says there is the possibility that Russian intelligence services hacked Kaspersky’s software to essentially piggyback off their privileged access for espionage purposes, tweeting “we’re very concerned about possible breach of our products.”

Citing anonymous sources, The Wall Street Journal said the theft of the information, “is considered by experts to be one of the most significant security breaches in recent years,” and “offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.”

The incident shows the layers of vulnerability the government faces, via its federal employees and contractors who sometimes violate rules on handling classified information by taking work home. But the potential risk is even greater for private companies who are now scrambling to assess their exposure. Kaspersky has some 400 million users worldwide, with the U.S. and western Europe making up some $374 million, or 60 percent, of the company’s $633 million in sales last year.

Kaspersky Lab released a statement on its website slamming the accusation as “unproven claims,” and said “Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal.”

“Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight,” the statement said.

The disclosure could help explain why last month, the Department of Homeland Security (DHS) issued a binding directive compelling all federal civilian departments and agencies to identify and develop a plan to end use of all Moscow-based Kaspersky products from their computer systems.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS said in a written statement.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

The incident is a “wake-up call” for private industry, said Michael Sulmeyer, Director of the Cybersecurity Project at Harvard’s Belfer Center. Former British signals intelligence chief Robert Hannigan agreed, noting a particular risk to the financial sector. “They will be urgently asking questions, because Kaspersky is widely used across many sectors,” said Hannigan, the former Director of the UK’s Government Communications Headquarters (GCHQ).

What’s more, many of these customers might not even know they are running the company’s software, as it’s embedded in everything from firewalls to telecommunications equipment.

Anti-virus software scans for signatures of malicious software, known as malware, and removes or neutralizes it, and sends a report of what it has done back to the anti-virus company, in this case, Kaspersky, according to Cipher Brief expert Rick Ledgett, who was the Deputy Director at the NSA during the time of the breach.

But it can also do more than simply look for malware. “It could scan for documents that say ‘proprietary’ or ‘confidential’ or ‘secret’ or any other term of interest, and send them back to the company,” Ledgett said. It could also place malware on a machine because of the frequent updates that are inherent in anti-virus software. These programs, by their very nature, have permission to “write” software onto a computer.

Fears have existed for years that the Kaspersky software could provide a backdoor for Russian intelligence to monitor employees and contractors of the federal government. But considering that some of the material stolen reportedly included the code of NSA offensive cyber capabilities – malware – it is possible that Kaspersky’s automated scan flagged the malicious code simply by doing the job it was designed to do.

The Wall Street Journal reported that it is unclear “whether Kaspersky employees alerted the Russian government to the finding.” How Russian intelligence became aware of the unsecured material and then exploited it is a key question in determining Kaspersky’s culpability.

So how did the alleged cyber theft happen? “Speculation on tradecraft has ranged from ‘man in the middle’ attacks to ‘backdoor’ exploits with or without Kaspersky cooperation,” said Rhea Siers, the former Deputy Associate Director for Policy at the NSA and a Cipher Brief expert. “It is also possible that the Russians were targeting certain individuals with intelligence connections, such as employees of the NSA, and maybe more incisively than some realize,” she said.

Scenario 1: Kaspersky Hacked Without Its Knowledge

Kaspersky’s own CEO raised the possibility via Twitter that his company had been used as a backdoor by Russian intelligence.

“Seriously: we’re very concerned about possible breach of our products. If anon sources from WSJ article want to investigate let’s do it ASAP,” Kaspersky tweeted last week.

The Vault7 documents released by WikiLeaks and cyber tools published by the Shadow Brokers alleged the CIA and NSA have themselves breached the products of Kaspersky and other anti-virus companies, implying the targeting of such systems could very well be common practice among intelligence agencies.

But experts find it hard to believe that an entity – even the Russian government – could breach and remain on Kaspersky’s systems for the length of time necessary to commit extensive cyber espionage, at least without the company’s knowledge.

“I give low probability that somebody on an enduring basis hacked Kaspersky and is using them to essentially prosecute an engine for surveillance,” says Chris Inglis, Cipher Brief expert and former Deputy Director of the NSA.

Scenario 2: Kaspersky a Willing Partner

There is also the possibility that Kaspersky directly cooperates with Russian security services. How such a direct relationship between Kaspersky and Russian intelligence would likely work, should it be the case, is through a form of “backdoor” access that allows the FSB to monitor Kaspersky’s traffic and filter through what would be content of interest.

But this is unlikely. “The idea that Kaspersky would use that trusted position that they and a few other security companies occupy to conduct routine surveillance across a broad swath of end-users is hard to imagine,” Inglis told The Cipher Brief. “First, that is egregious. And second, it is hard to do – it is a pretty comprehensive set of activities to be mindful of.”

Nevertheless, the FBI has been investigating whether Kaspersky products contain backdoors that could allow Russian intelligence agencies into any computers or networks on which they are running.

Scenario 3: Kaspersky Traffic is Picked Up By Russian Signals Intelligence

Given data localization laws and that Russia seeks to monitor all internet traffic within the country, it may be possible that Russian security services are able to follow Kaspersky’s operations without its knowledge or consent. This could be accomplished by observing all unencrypted internet traffic transiting the Russian internet’s backbone rather than a feed enabled directly through Kaspersky’s systems.

“The more likely scenario is that Russian intelligence has some sort of automated monitoring of the traffic that comes back to Kaspersky,” says James Lewis, Cipher Brief expert and a Senior Vice President and Program Director at the Center for Strategic and International Studies (CSIS).

Scenario 4: Kaspersky Falls Victim to an Insider Threat

The access Kaspersky could enable for Russian intelligence is not likely a clearly written company policy – or necessarily one requiring the compliance of all its employees. It is possible that the FSB, Russia’s primary intelligence service, has recruited insiders within the company, especially since many of the company’s employees have worked within the Russian security services themselves. The question would be, says Inglis: “is this an insider gone rogue who has used that privilege – for whatever reason – to either meet a mandate from the government or make a little money on the side?”

Scenario 5: Kremlin Forces Kaspersky

At the same time, the authoritarian political environment in Russia means that the FSB would not have to go through the subtle process of recruiting insiders within Kaspersky. Rather, what the Kremlin says goes, according to Steve Hall, a former member of the CIA’s Senior Intelligence Service.

“The FSB would have no need to have a spy inside of Kaspersky,” says Hall. “Bottom line is that it’s almost unimportant how they’re doing it – what’s important is that the FSB can do whatever they want because Eugene Kaspersky and that entire company is based in Russia and nobody wants the FSB knocking on grandma’s or mom’s door and saying, ‘your son isn’t being as cooperative as we want him to be.’”

Hannigan agrees. “It’s simply inconceivable that a Russian company would say ‘no’ to an approach by the FSB: it would be reckless to refuse,” says the former GCHQ chief. “So, this is not so much about cyber but about authoritarian state control and corruption.”

Next Steps

The main takeaway is that the countries in which tech service companies reside matters when it comes to cybersecurity.

“The problem isn’t really Kaspersky, it’s the nature of the Russian state and how its agencies operate,” says Hannigan. “They see the Russian private sector as an extension of their power. Unless that changes, which is unlikely, Russian companies with access to Western data and networks are going to struggle to be trusted.”

And why has Kaspersky only been banned from federal networks just last month? “The world was very different 10 years ago, and the U.S. and Russia could cooperate – they weren’t as hostile,” says Lewis. “But what has changed in the last few years is that Russia has turned into an active opponent of the United States. And that is why the risk factor of using Kaspersky has gone way up.”

The challenge for Kaspersky, or other Russian tech companies feeling the pressure of the Kremlin and its security services, will be regaining the trust of Western governments and private industry.

“You can’t escape it by saying ‘you can look at my code,’” said Inglis. “This isn’t about the code, it’s about what the humans are doing. They do have privileged access to all these systems on a global basis. The question is to what end do they use that privileged access?”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.

Editor’s Note: This story has been updated to stress that Kaspersky denies involvement in the alleged theft, and to note The Wall Street Journal sources’s were anonymous.