The Wall Street Journal just published an incendiary article that says hackers working for the Russian government stole confidential material from an NSA contractor’s home computer. The hackers did so, according to the WSJ, after identifying files though the contractor’s use of antivirus software from Moscow-based Kaspersky Lab.
The report may well be true, but, for now, there’s no way to independently confirm it. The report is based on unnamed people the publication says had knowledge of the matter, and it provides no evidence to support its claim. What’s more, the lack of detail leaves open the possibility that, even if Kaspersky’s AV did help Russia home in on the highly sensitive code and documents, the disclosure was the inadvertent result of a software bug and that no one from Kaspersky Lab cooperated with the attackers in any way. Also lost in the focus on Kaspersky Lab is the startling revelation that yet another NSA insider managed to sneak classified material outside of the NSA’s network and put it on an unsecured computer. More of this analysis will follow.
First, here’s a summary of what the WSJ reported.
The unnamed contractor removed the material from the NSA and stored it on a home computer that ran a version of Kaspersky AV. The material, according to the unnamed sources, included “details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US.” Sometime in 2015, the material was stolen by Russia-sponsored hackers who “appear to have targeted the contractor after identifying the files through the contractor’s use” of the Kaspersky AV. The breach was discovered in the first three months of 2016.
The post continued:
US investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.
But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.
Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.
The report comes as concerns mount inside the US about Russian hacking in general and more specifically about whether Kaspersky Lab has ever, or might in the future, play a role in supporting such hacks. Rumors have swirled for years that, because of Kaspersky Labs’ nationality and the early training founder Eugene Kaspersky received from the Russian government, the company was a Russian proxy that provided, or at least could provide when asked, that country’s government with assistance in breaking into the computers of Russian adversaries.
As early as August, according to Cyber Scoop, the FBI quietly briefed private-sector companies on the threat it believed Kaspersky products and services posed. In early September, electronics retailer Best Buy stopped selling Kaspersky software and offered free removals and credits toward competing packages. Last month, the suspicions reached a new high when the US Department of Homeland Security took the unprecedented step of directing all US agencies to stop using Kaspersky products and services.
The US government has never provided hard evidence for the private briefings or the DHS directive. Dave Aitel, a former NSA hacker who is now CEO of penetration-testing firm Immunity, said the allegations aired on Thursday’s WSJ post are a plausible explanation.
“That’s exactly the kind of behavior that would cause the US government to do what they’re doing,” he told Ars. “There’s only one really big thing, which is they think [Kaspersky] is operating as an agent for a foreign government, most likely wittingly.”
Not so fast
The counter argument to what Aitel and plenty of people in security and national security circles are saying is that the extraordinary allegations are based solely on anonymous sources and aren’t backed up with any hard evidence. What’s more, the anonymous sources never say that anyone from Kaspersky Lab aided or cooperated with the hackers. The latter point leaves open the possibility that the hole left open by Kaspersky AV was unintentional by its developers and was exploited by Russian hackers without any help from the company.
In September 2015, Google Project Zero researcher Tavis Ormandy said his cursory examination of Kaspersky AV exposed multiple vulnerabilities that made it possible for attackers to remotely execute malicious code on computers that ran the software. If the hackers had knowledge the NSA contractor was using the Kaspersky AV, it’s at least feasible they exploited those vulnerabilities or similar ones to identify the sensitive materials and possibly also steal them.
Kaspersky has since patched the vulnerabilities. Over the years, Ormandy has discovered equally severe code-execution vulnerabilities in AV software from a host of Kaspersky competitors.
The WSJ article tacitly suggests this alternate theory is not the case. It cites a former NSA hacker speculating that the names and fingerprints of the sensitive files were indexed in a scan performed by the Kaspersky software and then uploaded to the company’s cloud environment so they can be compared against a master list of known malware. “You’re basically surrendering your right to privacy by using Kaspersky software,” the former NSA employee, Blake Darché, told the publication.
The unspoken implication is that, once the Kaspersky service indexed the NSA material, company officials privately notified Russian spies so they could target the contractor’s computer. But a possible answer is that the Kaspersky network was compromised, allowing the attackers responsible to pin point the location of the files on the contractor’s computer. After all, Kaspersky Lab has already disclosed that from mid 2014 to the first quarter of 2015, its network was compromised by highly sophisticated malware that has the hallmarks of nation-sponsored attackers. Aitel of Immunity, however, continued to agree with the theory Kaspersky knowingly aided Russia, although he admitted that at this point there’s no public proof it’s correct.
“It’s not something where someone exploited Kaspersky software,” he said. “If that’s what it was, it wouldn’t be in The Wall Street Journal.” Referring to the term for tapping phone and Internet connections for information of interest, he added: “I don’t think it was signals intelligence by the Russian government. They clearly got it from a Kaspersky machine. That seems a lot more likely.”
Remember Equation Group?
The theory is made more plausible by the fact that, by 2015, Kaspersky Lab had detailed knowledge of some of the NSA’s most elite hacking tools and methods. Company researchers had acquired this knowledge after doing exhaustive research into a group it dubbed the Equation Group. As Ars reported in February of that year, the hacking team was clearly tied to the NSA—if not a part of it—by its advanced access to zero-day exploits that would later be used in the Stuxnet worm that reportedly was developed jointly by the NSA and its counterparts in Israel.
In an e-mailed statement, Kaspersky officials wrote:
Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company.
As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.
We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It’s also important to note that Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the US and around the world.
The takeaway is that, as the Kaspersky Lab statement notes, the WSJ‘s explosive allegations aren’t substantiated with any evidence and, further, they’re based on anonymous sources. That means, at the moment, there’s no way journalists can independently verify the claims. What’s more, the article as written leaves open the possibility that the role Kaspersky AV played in the breach was caused by the same sort of critical vulnerability found in virtually all AV software.
That said, if the allegations are true, they’re sure to fuel the already growing concern of Russian hacking, which US intelligence agencies say has attempted to influence the US presidential election and widen political and cultural divides on social media. Additionally, if the allegations prove true, it’s almost certainly the end of Kaspersky Lab as it has come to be known over the past decade.
What shouldn’t go overlooked in Thursday’s report is that this is the third known instance in the past four years of an NSA breach resulting from insider access to classified materials. The best known case is whistleblower Edward Snowden, who was able to trawl through NSA networks collecting documents for an extended period of time before turning them over to reporters. In 2016, a separate NSA contractor, Harold T. Martin III, was arrested after he sneaked 50 terabytes of confidential material out of the NSA and stored it at his home in Glen Burnie, Maryland. The trove comprises as much as 75 percent of the exploits belonging to the Tailored Access Operations, the elite hacking NSA unit that develops and deploys some of the world’s most sophisticated software exploits.
In May, The New York Times reported that an NSA employee was arrested in 2015 on insider leak suspicions but was never identified. It’s not immediately clear if this insider is different than the one mentioned in Thursday’s WSJ article. In a report published after Ars went live with this post, The Washington Post said the person who took the NSA material and stored it on his home computer was an NSA employee who worked for the Tailored Access Operations. The WaPo went on to say the insider was the same one who came under suspicion in 2015.
Adding further urgency is the series of highly damaging leaks made over the past 14 months by a mysterious group calling itself the Shadow Brokers. The trove has included some of the NSA’s most potent software exploits and documents detailing past attacks. Whether the leaked Shadow Brokers material was the result of an insider theft or a hack by outsiders remains unknown.
Thursday’s report means that yet another trusted insider was able to sneak documents and code outside of the NSA and not only store them on an Internet-connected computer, but also one that was running AV software. Whatever role Kaspersky Lab played in the hack, the series of breathtaking security blunders made by the NSA and its workers should remain front and center in this reporting.
Post updated to add WaPo reporting.