Kaspersky Software Suspected in Theft of NSA Data

Kaspersky Lab
Photo: Ernesto S. Ruscio/Getty

Russian state-sponsored hackers reportedly stole details in 2015 on how the U.S. spies on foreign intelligence targets through cyber espionage, as well as how it defends against cyber operations directed at its classified networks. According to the Wall Street Journal, the material was taken from an NSA contractor’s private computer after the hackers identified highly classified documents through the individual’s use of Kaspersky Lab’s antivirus software.

“The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years,” the Wall Street Journal wrote. “It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.”

Kaspersky Lab released a statement on its website referring to the accusation as “unproven claims,” and said “Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal.” The statement went on to say, “Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”

Last month, the Department of Homeland Security (DHS) issued a binding directive compelling all federal civilian departments and agencies to identify any products of the Moscow-based Kaspersky on their computer systems and to develop a plan to end their use and remove them.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS asserted in a written statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

“It’s important to note that the Kaspersky ban is based on solid evidence,” Rick Ledgett, the former Deputy Director of the NSA, told The Cipher Brief at the time of the ban. “It won’t be shared publicly because of the sources and methods involved, so that leaves room for Kaspersky and apologists to say there’s no basis. That’s not true.” Ledgett declined to comment on Kaspersky’s involvement in the NSA breach.

While the just-disclosed NSA security breach occurred on a private computer – not a federal network – the incident illustrates the exposure federal employees and contractors could face by using the Moscow-based antivirus. Kaspersky has some 400 million users worldwide, half of whom might not even know they are running the company’s software – it is embedded in everything from firewalls to telecommunications equipment. The U.S. and western Europe make up some $374 million, or 60 percent, of the company’s $633 million in sales last year.

Fears have existed for years that the software could provide a backdoor for Russian intelligence to monitor employees and contractors of the federal government.

The Wall Street Journal report noted that it is unclear how the antivirus was able to detect NSA classified material on the contractor’s computer. For instance, did Kaspersky technicians program the software to flag NSA material? But considering that some of the material stolen reportedly included the code of NSA offensive cyber capabilities – malware – it is possible that Kaspersky’s automated scan flagged the malicious code exactly as it is designed to do.

Speaking to The Cipher Brief last month, Ledgett, who was second in command at the NSA at the time of the breach, said “[Antivirus] software scans for signatures of malicious software, known as malware, and removes or neutralizes it, and sends a report of what it has done back to the A/V company, in this case, Kaspersky. It can also send samples of interesting/unusual malware back to the company.”

“Instead of scanning for malware, it could scan for documents that say ‘proprietary’ or ‘confidential’ or ‘secret’ or any other term of interest, and send them back to the company,” Ledgett said. “Another way the A/V could be used is to implant nefarious software into computers. Because A/V programs need to be updated frequently with new signatures and criteria for scanning for malware, they have permission to ‘write’ software to the customers’ computers. Again, this could be used for nefarious purposes like implanting a computer with software that would exploit or even destroy it.”
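The scan, report and sample-upload loop Ledgett describes, as an added example that is not part of the original article and is not Kaspersky’s or any other vendor’s code: a small Python model in which a scanner matches files on a host against a signature set, quarantines hits, builds the report that would go back to the vendor, and decides whether the sample bytes themselves are uploaded. The signatures, the files on the scanned host and the classification-marking gate are all constructed for illustration. The gate is the defender-side control the quotes point at: a flagged file that carries a classification marking is reported by hash only and never leaves the host, whatever the user’s submission setting.

```python
"""Model of the antivirus telemetry loop described above.

Added example, not code from Kaspersky Lab or any other vendor. The signature
set, the host contents and the classification-marking gate are constructed for
illustration; real engines use far richer signatures and heuristics.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed byte-pattern signatures (detection name -> pattern to look for).
SIGNATURES = {
    "Trojan.Constructed.A": b"\x4d\x5a\x90\x00EVIL_LOADER",
    "Exploit.Constructed.B": b"PAYLOAD_SHELLCODE_STUB",
}

# Constructed classification markings. A file carrying one of these is never
# uploaded off the host, even when it is a detection and the user opted in.
MARKING_RE = re.compile(rb"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b(//[A-Z/]+)?")

# Constructed host contents: path -> bytes. One file is both a detection and a
# marked document, which is the situation the WSJ report describes.
SAMPLE_HOST = {
    "C:/work/notes.txt": b"Meeting at 10. Nothing unusual here.",
    "C:/work/tool.exe": b"\x4d\x5a\x90\x00EVIL_LOADER" + b"\x00" * 32,
    "C:/work/tool_readme.txt": (
        b"TOP SECRET//SI\nOperator guide for the loader. "
        b"PAYLOAD_SHELLCODE_STUB appears at offset 0x40."
    ),
    "C:/work/policy.docx": b"CONFIDENTIAL - internal draft, no malware here.",
}


@dataclass
class ScanResult:
    path: str
    sha256: str
    detections: list = field(default_factory=list)
    quarantined: bool = False
    has_markings: bool = False
    upload_sample: bool = False


def scan_file(path: str, data: bytes, submit_samples: bool) -> ScanResult:
    """Signature-match one file and decide what, if anything, is sent back."""
    result = ScanResult(path=path, sha256=hashlib.sha256(data).hexdigest())
    result.detections = [name for name, pat in SIGNATURES.items() if pat in data]
    result.quarantined = bool(result.detections)  # "removes or neutralizes"
    result.has_markings = MARKING_RE.search(data) is not None
    # Sample upload is the channel that can turn a scanner into an exfiltration
    # path, so it is allowed only for detections, only when the user opted in,
    # and never for a file that carries a classification marking.
    result.upload_sample = (
        submit_samples and result.quarantined and not result.has_markings
    )
    return result


def run_scan(host: dict, submit_samples: bool) -> list:
    """Scan every file on the (constructed) host."""
    return [scan_file(p, d, submit_samples) for p, d in host.items()]


def build_report(results: list) -> dict:
    """Vendor-bound report: hashes and verdicts always, sample bytes only where allowed."""
    return {
        "detections": [
            {"path": r.path, "sha256": r.sha256, "signature": sig}
            for r in results
            for sig in r.detections
        ],
        "samples_to_upload": [r.path for r in results if r.upload_sample],
        "withheld": [r.path for r in results if r.quarantined and not r.upload_sample],
    }


def marked_files(results: list) -> list:
    """Audit helper: marked documents present on the host, whatever the verdict."""
    return sorted(r.path for r in results if r.has_markings)


if __name__ == "__main__":
    results = run_scan(SAMPLE_HOST, submit_samples=True)
    report = build_report(results)
    for d in report["detections"]:
        print(f"detected {d['signature']} in {d['path']} (sha256 {d['sha256'][:16]}...)")
    print("samples that would be uploaded:", report["samples_to_upload"])
    print("detections withheld (marked):", report["withheld"])
    print("marked documents on host:", marked_files(results))
```

The `submit_samples` flag stands for the consent a user gives in the product’s licence agreement; the point of the model is that the report metadata (paths, hashes, verdicts) leaves the host in either case, while the sample bytes are the part that carries whatever the file contains. The `marked_files` audit is the check a defender would run on any internet-connected machine before enabling cloud submission at all.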

The Wall Street Journal also reported that it is unclear “whether Kaspersky employees alerted the Russian government to the finding.”

But as Steve Hall, a former member of the CIA’s Senior Intelligence Service, told The Cipher Brief last month, any company with holdings in Russia is at the will of Russian President Vladimir Putin and his security services. “So whether or not there are any actual provable ties between Kaspersky and the Russian government is almost irrelevant,” said Hall. “The most important part is that Kaspersky is under the complete influence of Vladimir Putin.”

While the concern is that Kaspersky is directly cooperating with Russian intelligence, there is also the possibility that Russian intelligence has hacked the products of an unwitting Kaspersky to essentially piggyback off their privileged access for espionage purposes. WikiLeaks, in the release of its Vault7 documents, and leaks by the Shadow Brokers revealed that the CIA and NSA have breached Kaspersky’s products and other antivirus products, indicating that the targeting of such systems could very well be common practice among intelligence agencies.

Perhaps not coincidentally, the breach occurred the same year that Kaspersky published extensive reports on the cyber espionage capabilities of a group they called the Equation Group – long thought to be the hacking arm of the NSA.

In August 2016, the FBI arrested Harold Martin, a former NSA contractor working for Booz Allen Hamilton at the time, for allegedly bringing terabytes of classified NSA documents back to his private residence. He was charged with “willful retention of national defense information,” to which he pleaded not guilty.

While the timeline appears to align with the arrest of Martin, there is no confirmation that he was the victim of the Kaspersky-linked incident referenced by the Wall Street Journal. The investigation into Martin was prompted by the public disclosures of NSA cyber tools by the group the Shadow Brokers – which is thought by some to be an online moniker connected to the Russian government. So far, there has been no evidence publicly revealed confirming that the cyber tools stolen by Shadow Brokers were taken from Martin’s trove of NSA data he allegedly kept at home.

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.

One Reply to “Kaspersky Software Suspected in Theft of NSA Data”
  1. Prior to retiring, I spent a career in IT and INFOSEC and held a GSEC cert as part of that career. For most of my career, I worked as a contractor with a number of US Government national security clients.

    Kaspersky’s explanation is plausible. Check out the user agreement you clicked through on the security software you use. You will find, very most likely, that you were asked to grant permission for the software vendor to upload suspicious files for analysis on their servers. This is a normal part of just about all such software. I have used a variety of products over the last 25 years, e.g. Norton, Panda, ESET, among others, and each one behaves the same way. I don’t know any off hand that don’t do this, but I also have not made a full survey of all such products so I cannot justifiably say that they all do this.

    Kaspersky’s report details a perfectly ordinary sequence of events. They did, in fact, detect attack software on the machine. They also detail, much to my personal distress, finding text files and textual documentation which included classification markings. If true, and I think it likely is, why were those files on a machine connected to the Internet? Anyway, had, for example, Norton’s product been running instead of Kaspersky’s, the file would have ended up on Norton’s servers. It’s how this stuff works.

    The big deal in this story is not that the antivirus software detected the software; all competent security software should find it. Rather, the big deal is that the software, and especially the human-readable documentation, were present on an inappropriately configured machine in the first place. It is possible, if not particularly easy, to set up a machine to host attack software and still have protections from outside attack software remain in place. Clearly this was not done.

    That said, while the majority of the content of Kaspersky’s report is likely true, I don’t buy the bit about them not sharing with the Russian government. Were I him, I would have shared it with them. As a patriot, I would want to help my national government protect its infrastructure and integrity. And, while I might lie about it for public consumption, I certainly would not actually be embarrassed to have done so.