Hackers Grab More NSA Exploits, Possibly With Assistance Of Russian Antivirus Developer
from the three-strikes-program-in-effect dept
Yet another NSA breach is being reported -- this one linked to Russian antivirus developer Kaspersky Lab. The Wall Street Journal broke the news, detailing the apparent exfiltration of NSA exploits via Kaspersky antivirus software by Russian hackers (likely paywall).
Given the US government's recent decision to ban the use of Kaspersky AV software, one might assume Kaspersky itself acted maliciously. But the details in the story -- along with analysis from other journalists and researchers -- suggest the AV software may have done nothing more than its job.
The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.
The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.
The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.
The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.
A few interesting details stand out:
First, the discovery of files via antivirus software was made easier by the way Kaspersky AV operates.
“It’s basically the equivalent of digital dumpster diving,” said Blake Darché, a former NSA employee who worked in the agency’s elite hacking group that targets foreign computer systems.
Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.” He said the product’s user license agreement, which few customers probably read, allows this.
The combined guesswork of the Wall Street Journal's sources suggests snippets of NSA malware code were discovered on a contractor's personal computer. Kaspersky AV has been banned from use inside the NSA for years, but nothing prevents NSA contractors from installing it on their home computers. In this case, a contractor had files on their personal computer that never should have left the NSA. (Well… at least not in this fashion. Taking sensitive files off grounds can be a criminal offense. Deploying these files to compromise computers and devices around the world, however, is just the daily work of the NSA's Tailored Access Operations.)
The unanswered question appears to be how state-sponsored Russian hackers determined which computer to target. Some suspect Kaspersky employees informed the Russian government of their discovery, but the Journal article offers no clarifying statements.
As Marcy Wheeler points out, the NSA could have made this bad situation worse by "hacking back."
[N]one of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.
We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.
It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.
The Wall Street Journal says the identity of the contractor whose laptop was compromised is still unknown. Not so fast, says Washington Post's Ellen Nakashima, who's been following these developments for a few years now.
The employee involved was a Vietnamese national who had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.
One NSA figure who may not survive this third major breach is its boss, Mike Rogers. His head was on the chopping block for breaches under his command back when Obama was still in office. A third major breach of NSA security may be a breach too far.
In a few short years, the NSA has gone from "No Such Agency" to the world's best unofficial source of malware. It's something to keep in mind every time the agency pitches an expansion of surveillance powers. It can't keep an eye on its own backyard because it's too busy staring into everyone else's.
Filed Under: exploits, leaks, malware, nsa, russia
Companies: kaspersky lab