Hackers Grab More NSA Exploits, Possibly With Assistance Of Russian Antivirus Developer

from the three-strikes-program-in-effect dept

Yet another NSA breach is being reported -- this one linked to Russian antivirus developer, Kaspersky Lab. The Wall Street Journal broke the news, detailing the apparent exfiltration of NSA exploits via Kaspersky antivirus software by Russian hackers (likely paywall).

Given the US government's recent decision to ban the use of Kaspersky AV software, one might assume Kaspersky itself acted maliciously. But the details in the story -- along with analysis from other journalists and researchers -- suggests the AV software may have done nothing more than its job.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

A few interesting details stand out:

First, the discovery of files via antivirus software was made easier by the way Kaspersky AV operates.

It’s basically the equivalent of digital dumpster diving,” said Blake Darché, a former NSA employee who worked in the agency’s elite hacking group that targets foreign computer systems.

Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.” He said the product’s user license agreement, which few customers probably read, allows this.

The combined guesswork of the Wall Street Journal's sources suggest snippets of NSA malware code were discovered on a contractor's personal computer. Kaspersky AV has been banned from use inside the NSA for years, but nothing prevents NSA contractors from installing it on their home computers. In this case, a contractor had files on their personal computer that never should have left the NSA. (Well… at least not in this fashion. Taking sensitive files off grounds can be a criminal offense. Deploying these files to compromise computers and devices around the world, however, is just the daily work of the NSA's Tailored Access Operations.)

The unanswered question appears to be how state-sponsored Russian hackers determined which computer to target. Some suspect Kaspersky employees informed the Russian government of their discovery, but the Journal article offers no clarifying statements.

As Marcy Wheeler points out, the NSA could have made this bad situation worse by "hacking back."

[N]one of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

The Wall Street Journal says the identity of the contractor whose laptop was compromised is still unknown. Not so fast, says Washington Post's Ellen Nakashima, who's been following these developments for a few years now.

The employee involved was a Vietnamese national who had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.

One NSA figure who may not survive this third major breech is its boss, Mike Rogers. His head was on the chopping block for breaches under his command back when Obama was still in office. A third major breach of NSA security may be a breach too far.

In a few short years, the NSA has gone from "No Such Agency" to the world's best unofficial source of malware. It's something to keep in mind every time the agency pitches an expansion of surveillance powers. It can't keep an eye on its own backyard because it's too busy staring into everyone else's.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: exploits, leaks, malware, nsa, russia
Companies: kaspersky lab


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 6 Oct 2017 @ 3:41am

    Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.” He said the product’s user license agreement, which few customers probably read, allows this.

    In other words, to help use keep you data private, you will share it with us, and lose you privacy.

    link to this | view in thread ]

  2. identicon
    Johny Loco, 6 Oct 2017 @ 4:33am

    And the point is:

    One of the most distributed antiviruses, AVAST, has been purchased by U.S. entity, possibly tied to NSA and CIA. Kettle calls the pot black.

    link to this | view in thread ]

  3. icon
    Peter (profile), 6 Oct 2017 @ 4:40am

    Not so different, then:

    [The NSA] is “aggressive” in its methods [...], “in that they will make copies of files on a computer, anything that they think is interesting.”

    A small but significant difference: The NSA's hunting and gathering expeditions are not sanctioned by license agreements. They are illegal, even criminal in most parts of the world!

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 6 Oct 2017 @ 4:53am

    Re: Not so different, then:

    They have gathered so much interesting data now though, that they are literally calling the shots in the government.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 6 Oct 2017 @ 5:01am

    Is it me or is it TOO EASY to take NSA's data and tools home with you if you work for the NSA...?

    It makes me wonder how many others can do this. Tens? Hundreds? Thousands?

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 6 Oct 2017 @ 6:20am

    Another breach and they still claim backdooring encryption is good?

    "Now comes the part where we throw our heads back and laugh, ready? HAHAHAHAHAHAHAHAHA!!"

    link to this | view in thread ]

  7. identicon
    asdf, 6 Oct 2017 @ 7:03am

    Re: And the point is:

    Without speculation, we know what companies never responded when asked if they ignore state-sponsored malware. We also know Symantec admitted to ignoring FBI malware in the past.

    https://www.schneier.com/blog/archives/2013/12/how_antivirus_c.html

    (Ctrl+F "jones" to see the other references)

    link to this | view in thread ]

  8. identicon
    Joel Coehoorn, 6 Oct 2017 @ 7:31am

    Par for the Course for AV

    This is how antivirus operators work now. The scanners detect something unusual, and it automatically uploads a sample for analysis. In the age of 0-day and rapidly emerging exploits, this is what they're _supposed_ to do.

    And, of course, `sample0` for any given malware needs personal, hand-on attention from the researchers at the AV company. If an agency like the KGB manages to turn a researcher, or compromise a researcher's PC, then it's easy to see what happened here (though I'd lean to the former, as this kind of analysis happens in clean rooms where a hack would be hard to accomplish). Or maybe Kaspersky just has a policy of sharing new malware samples (regardless of origin) with government security offices, and maybe not even just the Russians. Do you think US companies like McAfee or Symantec wouldn't do the same with our government?

    link to this | view in thread ]

  9. identicon
    Jason, 6 Oct 2017 @ 8:01am

    typo

    One NSA figure who may not survive this third major breech is its boss, Mike Rogers.

    I know this was just a typo (breach is used correctly elsewhere) but it's also somewhat amusing considering the definition of breech.

    link to this | view in thread ]

  10. identicon
    Jason, 6 Oct 2017 @ 8:04am

    Re: typo

    And then I messed up the copy/pasting... I guess I deserve that.

    breech

    link to this | view in thread ]

  11. identicon
    Christenson, 6 Oct 2017 @ 8:10am

    WSJ and Libel Question

    Ars Technica says the WSJ, reported, on the basis of undisclosed (but clearly US government) sources that this hack was due to Kaspersky being a Russian agent of some sort.

    I'm curious how that type of reporting would not give rise to liability for libel, assuming Kaspersky cared to take WSJ to court.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 6 Oct 2017 @ 9:36am

    Like Farscape

    This Kaspersky thing must be a descendant of the evil force shown in Farscape. No matter how much force you put in, it just keeps growing. The NSA learned it the hard way...

    link to this | view in thread ]

  13. identicon
    Jason, 6 Oct 2017 @ 10:20am

    Re: Like Farscape

    The flax, if memory serves.

    Or like the aceton assimilators in an episode of ST:TNG.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 6 Oct 2017 @ 10:26am

    Re:

    In Soviet Russia, antivirus scans you

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 6 Oct 2017 @ 1:03pm

    Re: WSJ and Libel Question

    WSJ is Newscorp. Does anything else really need to be said?

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 6 Oct 2017 @ 7:52pm

    Re: Re: Like Farscape

    Oh.. I thought it was a reference to Maldis (or however he was spelt). Fed off your anger. Flax was the invisible let dragnet the pirates owned.

    link to this | view in thread ]

  17. identicon
    Melissa Virus, 6 Oct 2017 @ 11:02pm

    RE: NSA and Russia

    Seems our National Security Agency has stronger ties to Russia than the media can Fake news Trump with.

    So NSA is Russian Hackers file a FOIA and wait a few weeks and then take NSA information on cyber hacking and cyber spying we Americans have been the guinea pigs of.
    Is it still a crime of hacking or is it FOIA procedure.
    seems inconsistent to have your cake and eat it too. Yet NSA you still can't hold it together.
    Makes NSA a bigger cyber terrorist threat than any group of hackers. Selling classified and top secret cyber NSA ware to foreign countries is still a crime when you sold your own asses for free all thanks to hackers. who stole NSA cyber secret hacking tools and auctioned them off to the highest bidder. Who insisted on remaining ANONYMOUS ha ha Hackers and their IRONY vs NSA and their Hypocrisy. Good luck with hat Russian hackers

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 7 Oct 2017 @ 6:35pm

    Re: Re: WSJ and Libel Question

    exactly. rupert murdoch just happened to be on hand to report.

    link to this | view in thread ]

  19. identicon
    Crazy Glue, 9 Oct 2017 @ 4:36am

    Mr Internet Drivers License

    o Kasper needs a cup o v0dsky + stfu. The bbs days were a more innocent time, no way to dial home. Punt to the local fidonet for update downloads on zmodem.

    dsz port 1 speed 57600 dt
    ATH
    OK
    ATDT 555-1212
    CONNECT
    Login:

    and still the win 10 ppl wonder why we don't upgrade.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 10 Oct 2017 @ 5:06pm

    Re:

    *"which probably no one read" is more fitting.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.