
Russian Hackers Exploited Kaspersky Software to Steal NSA Exploits: Report

Still No Smoking Gun as Russian Hackers Reportedly Exploited Kaspersky Software to Steal NSA Exploits From NSA Contractor's Home Computer

A new report in the Wall Street Journal (WSJ) purports to provide the first evidence that directly ties Russian security firm Kaspersky Lab to the Russian government.

The report states, "Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

"The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said."

The problem with the report is that it offers no evidence and rests on anonymous, unnamed sources, which allowed Eugene Kaspersky to respond immediately, "The first statement sounds like the script of a C movie, and again -- disclosed by anonymous sources (what a surprise)."

Without specific evidence, the WSJ describes several known facts and assumes a relationship between them. It reports that an unnamed NSA contractor removed sensitive data from the NSA and stored it on his home computer. That contractor had Kaspersky Lab software installed at home. The Kaspersky Lab software scanned all the new files (that is what antivirus does), collecting unknown files for deeper analysis. Russian government hackers then targeted the contractor and stole the NSA documents.

There is a gap in this chain of events -- between Kaspersky automatically scanning the files and the Russian government hacking the contractor. The reported implication, strenuously denied by Kaspersky Lab, is that the company informed the Russian government of the presence of NSA files on this contractor's computer.

The reality is, based on all public data so far, any direct link between Kaspersky Lab and the Russian government remains speculation only. Now it could be that the US intelligence community has additional evidence that it is not disclosing; but this report from the WSJ is no evidence-based smoking gun.

There is an alternative scenario (which, like direct Kaspersky involvement, is purely conjecture). It is highly likely that Russian intelligence would be aware of individual NSA contractors. Given that two contractors are already known to have leaked NSA documents (Edward Snowden and Harold Martin), it would be tempting to target the home computers of known contractors. It is possible that Russian hackers were already present on the contractor's computer when he brought home the NSA files. In this scenario, Kaspersky's involvement is limited to the coincidence of being the contractor's antivirus of choice.

A second alternative is that Kaspersky Lab software has been unknowingly compromised by the Russian government. This gains some credence from the recent compromise of Avast's CCleaner, allegedly by the Chinese government (Avast is another antivirus company). The CCleaner incident, however, was rapidly detected and quickly solved. 

Kaspersky has admitted that its own corporate network has been compromised in the past. In the Spring of 2016, Kaspersky Lab detected an intrusion of its internal systems while testing a prototype of technology designed to detect advanced persistent threats. 

At the time, Eugene Kaspersky explained that one reason it was hacked could be that the spies were interested in the inner workings of the company. "We obviously have our share of technological secrets as we’re a competitive business, but I can’t think of anything really top secret," Kaspersky said. "Maybe the idea was to steal our technologies, source code, know-how and ideas to support the attackers’ own software development," he added.

The WSJ report provides only ambiguous indications of how the Russian hackers got the data off the contractor's computer. It includes the statement, "The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government."

This could be interpreted as the supposed collusion between Kaspersky and the Russian government; or that the hackers exploited a vulnerability in the software itself. Assuming the latter, Kaspersky responded, "Now if we assume, that what is reported is true: that Russian hackers exploited a weakness in our products installed on a PC of one of our users, and respected government agencies concerned of national security knew about that, why didn't they report it to us?... I can't imagine an ethical justification for not doing so."

Kaspersky has addressed several remotely exploitable vulnerabilities in its products over the years, as has just about every other AV vendor, so it is a plausible scenario that Kaspersky's software was exploited by the Russian hackers without any knowledge or cooperation on the part of Kaspersky Lab.

The WSJ report does, however, provoke further considerations. The first is how the U.S. government can allow insiders to walk out (literally or figuratively) with such highly sensitive data: Bradley Manning, Edward Snowden, Martin, and now one more. If the NSA cannot control the insider threat, what hope is there for any commercial organization?

The second question is whether this breach is the source of the Shadow Brokers trove of NSA exploits. There has been conjecture in the past that Martin was the source -- but the WSJ report specifically comments, Martin "allegedly removed massive amounts of classified information from the agency's headquarters and kept it at his home, but wasn't thought to have shared the data." The implication is that Martin is not the source of the Shadow Brokers' data.

Is this new breach the source? The timing fits. The incident apparently occurred in 2015, but the NSA only became aware in spring of 2016. That's exactly the time that Shadow Brokers made their first announcements and started leaking NSA exploits that fit the WSJ's description of "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S."

As soon as the NSA was aware of the loss of its exploits, their value to the Russian government would diminish -- and the most damaging action would be to make them public.

The reality is that all of this is conjecture. The DHS has banned the use of Kaspersky software by any government agency, stating, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." It talks about risk, not about proof. 

Concern over the risk is understandable and proper, and keeping Kaspersky software out of government would be reasonable. However, the U.S. government has chosen to take a very public stance -- without proof -- against the Russian company.

This adds fuel to Kaspersky's own suspicions. In a statement emailed to SecurityWeek, it said, "As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."

Evidence of that geopolitical fight is all around us, from U.S. Cyber Command attacking the North Korean spy agency and Putin's response of doubling Pyongyang's internet access, to Russia's interference in the 2016 American presidential election and its use of Ukraine and the Baltic region to test cyber capabilities.

*Additional reporting by Mike Lennon

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.