Kaspersky Software Suspected in Theft of NSA Data

Russian state-sponsored hackers reportedly stole details in 2015 on how the U.S. spies on foreign intelligence targets through cyber espionage, as well as how it defends against cyber operations directed at its classified networks. According to the Wall Street Journal, the material was taken from a NSA contractor’s private computer after the hackers identified highly classified documents through the individual’s use of Kaspersky Lab’s antivirus software.

“The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years,” the Wall Street Journal wrote. “It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.”

Kaspersky Lab released a statement on its website referring to the accusation as “unproven claims,”  and said “Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal.” The statement went on to say, “Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”

Last month, the Department of Homeland Security (DHS) issued a binding directive compelling all federal civilian departments and agencies to identify and develop a plan to end any use of and remove any Moscow-based Kaspersky products from their computer systems.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS asserted in a written statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

“It’s important to note that the Kaspersky ban is based on solid evidence,” Rick Ledgett, the former Deputy Director of the NSA told The Cipher Brief at the time of the ban. “It won’t be shared publicly because of the sources and methods involved, so that leaves room for Kaspersky and apologists to say there’s no basis. That’s not true.” Ledgett declined to comment on Kaspersky’s involvement in the NSA breach.

While the just disclosed NSA security breach occurred on a private computer – not a federal network – the instance shows the vulnerability federal employees and contractors could face by using the Moscow-based antivirus. Kaspersky has some 400 million users worldwide, half of which might not even know they are running the company’s software – it is embedded in everything from firewalls to telecommunications equipment. The U.S. and western Europe make up some $374 million, or 60 percent, of the company’s $633 million in sales last year.

Fears have existed for years that the software could provide a backdoor for Russian intelligence to monitor employees and contractors of the federal government.

The Wall Street Journal report noted that how the antivirus was able to detect NSA classified material on the contractor’s computer is unclear. For instance, did Kaspersky technicians program the software to indicate NSA material? But considering that some of the material stolen reportedly included the code of NSA offensive cyber capabilities – malware – it is possible that Kaspersky’s automated scan was able to flag the malicious code as it is designed to do.

Speaking to The Cipher Brief last month, Ledgett, who was second in command at the NSA at the time of the breach, said “[Antivirus] software scans for signatures of malicious software, known as malware, and removes or neutralizes it, and sends a report of what it has done back to the A/V company, in this case, Kaspersky. It can also send samples of interesting/unusual malware back to the company.”

“Instead of scanning for malware, it could scan for documents that say ‘proprietary’ or ‘confidential’ or ‘secret’ or any other term of interest, and send them back to the company,” Ledgett said. “Another way the A/V could be used is to implant nefarious software into computers. Because A/V programs need to be updated frequently with new signatures and criteria for scanning for malware, they have permission to “write” software to the customers’ computers. Again, this could be used for nefarious purposes like implanting a computer with software that would exploit or even destroy it.”

The Wall Street Journal also reported that it is unclear “whether Kaspersky employees alerted the Russian government to the finding.”

But as Steve Hall, a former member of the CIA’ Senior Intelligence Service, told The Cipher Brief last month, any company with holdings in Russia are at the will of Russian President Vladimir Putin and his security services. “So whether or not there are any actual provable ties between Kaspersky and the Russian government is almost irrelevant,” says Hall. “The most important part is that Kaspersky is under the complete influence of Vladimir Putin.”

While the concern is that Kaspersky is directly cooperating with Russian intelligence, there is also the possibility that Russian intelligence has hacked the products of an unwitting Kaspersky to essentially piggyback off their privileged access for espionage purposes. WikiLeaks in the release of its Vault7 documents and leaks by the Shadow Brokers revealed that the CIA and NSA breach the products of Kaspersky and other antivirus products, indicating the targeting of such systems could very well be common practice among intelligence agencies.

Perhaps not coincidentally, the breach occurred the same year that Kaspersky published extensive reports on the cyber espionage capabilities of a group they called the Equation Group – long thought to be the hacking arm of the NSA.

In August 2016, the FBI arrested Harold Martin, a former NSA contractor working for Booz Allen Hamilton at the time, for allegedly bringing terabytes of classified NSA documents back to his private residence. He was charged with “willful retention of national defense information,” to which he pleaded not guilty.

While the timeline appears to align with the arrest of Martin, there is no confirmation that he was the victim of the Kaspersky-linked incident referenced by the Wall Street Journal. The investigation into Martin was prompted by the public disclosures of NSA cyber tools by the group the Shadow Brokers – which is thought by some to be an online moniker connected to the Russian government. So far, there has been no evidence publicly revealed confirming that the cyber tools stolen by Shadow Brokers were taken from Martin’s trove of NSA data he allegedly kept at home.

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.