Hackers working for Russia gained access to the home computer of an NSA employee in 2015, pilfering highly classified material and spying code that was apparently detected by Kaspersky Lab’s anti-virus software.
The bombshell report from the Wall Street Journal, quickly followed up by the Washington Post, has put further pressure on Kaspersky Lab, the well-known security company the U.S. government has accused of collaborating with the Russian government.
But many questions and details about the incident remain unanswered. Here’s a roundup of the issues in play.
Another Contractor Leak
The questions around Kaspersky Lab’s role in the latest leak cloud an astounding, basic fact: Yet another contractor has taken some of the NSA’s most sensitive secrets home from work, a strict violation of rules around handling classified information.
The Washington Post reports that the NSA employee is a U.S. citizen born in Vietnam. The man, who was removed from his job in 2015, worked for the NSA’s Tailored Access Operations group, which specializes in offensive cyber operations. He is not believed to have taken the material for espionage purposes, and his name has not been made public.
The NSA tightened its security after Booz Allen Hamilton contractor Edward Snowden leaked highly classified material to the media in May 2013. Snowden, now living in Moscow, contended that spy agencies were violating Americans’ U.S. constitutional protections by collecting sensitive information en masse without proper warrants.
The Post reports that the NSA employee took the sensitive material home in order to, ironically, work on new hacking tools to replace ones revealed by Snowden.
There are two other recent incidents of intelligence community employees mishandling classified information. In August 2016, a former U.S. Navy officer and a long-time government contractor, Harold T. Martin III, was accused of collecting an enormous stash of classified information over a 20-year period (see NSA Contractor’s Alleged Theft ‘Breathtaking’).
Martin isn’t believed to be a spy. The documents were from the NSA, the Central Intelligence Agency, the U.S. Cyber Command and the National Reconnaissance Office.
There was also a third leak earlier this year. Reality Leigh Winner, a contractor with Pluribus International Corp., was arrested in June. She is accused of removing a top-secret NSA document that described Russian efforts to compromise the U.S. election and passing it to the media. The document was first covered by The Intercept (see US Contractor Arrested in Leak of NSA Top-Secret File).
The Shadow Brokers
Strangely absent from both the Wall Street Journal and the Washington Post reports is any mention of the Shadow Brokers, the mysterious group that began leaking NSA code and tools in August 2016 (see Mystery Surrounds Breach of NSA-Like Spying Toolset).
Just two weeks before Martin’s arrest, the Shadow Brokers released a sampling of a batch of suspected NSA tools. The group, which offered the full selection of tools in a bizarre auction and subsequent ones, claimed the tools came from the Equation Group, Kaspersky Lab’s code name for a group widely believed to be the NSA.
Many security experts suspect that the Shadow Brokers could be nation-state actors or perhaps a rogue NSA insider. As the U.S. government has continued to investigate, the group has periodically published posts online and publicly released more malicious code.
In fact, the largest ransomware outbreak ever was fuelled by a Shadow Brokers leak. In April, the group released an exploit nicknamed EternalBlue, which exploited a vulnerability in Microsoft’s server message block (SMB 1.0) file-sharing function.
The exploit was incorporated into WannaCry, the ransomware worm that infected and crippled more than 300,000 Windows computers worldwide in May. Both U.S. and U.K intelligence agencies reportedly suspect WannaCry was created by hackers associated with the North Korean government.
Question: Kaspersky Lab’s Role
The Wall Street Journal’s report cites anonymous sources saying they believe Kaspersky Lab’s software may have tipped off hackers to the presence of secret files on the NSA employee’s home computer. The belief, whether founded or not, couldn’t come at a worse time for the Russian security vendor, whose wares continue to earn plaudits from third-party testing firms and many users.
The Department of Homeland Security on Sept. 13 banned all U.S. government agencies from using Kaspersky Lab’s security software. The ban comes after U.S. officials, speaking with media outlets on background, have continued to contend that the company has ties to Russian intelligence agencies and may act as a cyber espionage partner.
But the U.S. government has never released any evidence that Russia and Kaspersky Lab cooperate in an inappropriate manner, or evidence that the company may have been coerced by the Russian government. Questions have also been raised about whether the U.S. government’s accusations may have been embellished, particularly against the backdrop of belated U.S. government probes into Russia’s meddling in the November 2016 U.S. presidential election.
That lack of evidence has left Kaspersky Lab co-founder and CEO Eugene Kaspersky fuming. On Thursday, he reiterated that the company “does not have inappropriate ties to any government, including Russia, and it is unfortunate that news coverage of unproven claims continue to perpetrate accusations about the company.”
Anti-Virus: Deep System Access
One key question is how hackers might have figured out that sensitive files were on a home computer that happened to be used by an NSA employee. The Wall Street Journal reports that U.S. investigators suspect the hackers were tipped off somehow by Kaspersky’s software.
The report says it’s “unclear” whether Kaspersky engineers had programmed its software to intentionally look for secret material and “whether Kaspersky employees alerted the Russian government to the finding” on the contractor’s computer.
But some computer security analysts dismissed such suggestions as unfounded conspiracy theories, saying they ignore the technical reality of how modern anti-virus applications function, as well as the types of data those applications collect and how such information gets broadly shared.
All anti-virus programs have deep access to a computer’s operating system and nearly all files. This access is needed to ensure that all potentially malicious files can be inspected, and if necessary, quarantined. Many anti-virus applications will send a copy of the suspect file back to the vendor for further analysis.
Many security vendors consult with each other about whether a given file is malicious, and they may also share files with third-party malware scanning services such as Google’s VirusTotal. VirusTotal checks the file against dozens of other security products, and the vendor that submitted the file can use those opinions to decide whether to quarantine the file.
Kaspersky, like many security vendors, makes it clear in its end-user license agreement that it may collect copies of suspected files, which is supposed to be done anonymously, and share them with others for further analysis.
When the NSA employee allegedly took the agency’s top-secret spying code home and copied it to his personal computer, there’s a good chance that the anti-virus application running on his computer – in this case built by Kaspersky Lab – flagged it as being suspicious and sent copies back to Kaspersky Lab for analysis. What is unclear, however, is if one or more intelligence agencies may have also been monitoring that reporting pipe, watching for PCs that might contain information of intelligence value that they could obtain by directly hacking into a system of interest.
Caught in the Middle?
If that scenario is indeed what has occurred, it’s not Kaspersky’s fault if it detected NSA toolkits, writes Jonathan Nichols, an independent cybersecurity consultant based in Washington. The NSA employee should have realized that malicious code copied onto his machine would be detected and then shared with anti-virus researchers for further analysis.
“As a general rule, I advise people not to install viruses they don’t want taken on machines protected by AV,” Nichols writes on Twitter.
Most anti-virus vendors can copy any file from their users, writes Tavis Ormandy, a researcher with Google’s Project Zero, a team that uncovers high-stakes software flaws. Kaspersky’s software may have had YARA rules, which are definitions of types of malicious code to search for, that would have collected exploits of the type on the NSA employee’s computer, he writes.
It’s also not unexpected that sophisticated malware or exploits detected would be quickly shared with government agencies. The U.S. government works closely with domestic security companies to be able to react quickly to emerging threats. Such cooperation is critical to defending against zero-day software vulnerabilities, which remain one of the most potent ways to reliably access a system.
But sharing malware samples is supposed to be anonymous. In theory, it shouldn’t be possible to identify the computer from where a particular piece of code came. How Russian-backed hackers were allegedly able to figure out the computer where the NSA tools originated remains a mystery.
Also unknown is how the hackers then targeted the computer to collect the sensitive material. Kaspersky Lab’s software, however, could have been the weak point. Ormandy of Project Zero, for example, has found dozens of serious software vulnerabilities in security software applications, including products built by Kaspersky Lab (see Google Security Researcher Pops Microsoft’s AV Defenses).
If Kaspersky’s product was the Achilles heel for the NSA analyst’s home computer, expect suspicion to center on whether attackers exploited an innocent coding mistake in the security product, or whether there was a backdoor intended to help the Russian government.
Kaspersky Lab has continued to deny doing anything of the sort, and security experts have said that doing so would have been a suicide move for the business. But against the current backdrop of broad suspicions in the United States toward anything connected to Russia, even if Kaspersky Lab has acted with only the most professional intentions, it may be facing an uphill battle for its reputation, at least in the United States.